In the murky world of cybersecurity, recent breaches of Caesars Entertainment and MGM-owned casinos have been attributed to young hackers affiliating themselves with one of the globe’s most infamous ransomware syndicates. This alarming trend sends ripples of concern through security experts and guardians of corporate digital domains.
Known under various monikers, including ‘Scattered Spider’, this collective is linked to a Telegram account on which they reveled in their success in compromising MGM, which left numerous services still offline on Thursday. Security analysts broadly agree on the group’s makeup: its members are primarily English speakers, driven by financial gain. In the past two years, these digital marauders have been particularly active, targeting large corporations through a variety of tactics, such as posing as employees locked out of systems or using pilfered staff credentials.
Insidiously, they shifted their focus from cryptocurrency heists to targeting businesses that outsourced services like help desk and call center functions. This allowed them to penetrate networks across a wide customer base. Their audacious breaches have even led them to extort tech firms like Western Digital after pilfering sensitive information, with their eyes now fixated on the digital treasure chests of Las Vegas.
Their use of paralyzing ransomware in their extortion schemes marks a significant escalation, with ALPHV – a hacking accomplice with roots in the former Russian cybercriminal groups BlackMatter and DarkSide – providing the destructive BlackCat ransomware implanted in the casino systems.
Fresh research unveiled at Friday’s LABScon security conference near Phoenix traces this hacker collective, known as ‘Star Fraud’. Experts assert that the group comprises a few dozen individuals who met online and are part of a larger network, referred to as ‘the Com’ or community.
Star Fraud’s less professional antics, such as public acknowledgments to associates, have left breadcrumbs for researchers to follow. Like their peers in ‘the Com’, they coalesced around crimes enabled by SIM-swapping, a technique in which phone company employees are manipulated into transferring control of a victim’s phone number.
This ploy, made possible in part by lax security controls, has netted criminals millions by circumventing SMS-based two-factor authentication on cryptocurrency accounts. The financial windfall has fostered alliances with other criminals brandishing an array of cyber skills. Some even boasted of the ability to hack police servers and impersonate officers in emails demanding the immediate release of records on telecommunications customers.
Perhaps most concerning, the group has now attracted recruiters from Russian syndicates seeking to harness its business acumen, techniques, and intimate local knowledge — benefits only native English speakers could offer.
The group’s sinister activities haven’t been confined to financial pursuits. The fraudsters have sunk to new lows, manipulating women into compromising situations and driving them towards self-destructive behavior.
In the case of the MGM hack, Star Fraud took control of the Okta authentication servers, giving them sweeping authority over internal services. They have followed the trajectory of Lapsus$, a cyber-gang infamous for stealing source code from major companies through similar methods.
Star Fraud’s operations extend even further, however: according to researchers, the group can now mobilize thousands of online volunteers. In response, the FBI is building on its recent successes in dismantling ransomware collectives since the Colonial Pipeline hack, reaffirming its commitment to pursuing these criminals and their associates wherever they are located.