“They are much more sophisticated than many cybercriminal actors. They appear to be disciplined and organised in their attacks”, she said. “And that’s something we typically see more frequently with nation-state actors, versus cyber criminals”.

‘Gay furry hackers’ target US for passing anti-trans law

Known in the security industry variously as Scattered Spider, Muddled Libra, and UNC3944, these hackers were thrust into the limelight earlier this month for breaching the systems of two of the world’s largest gambling companies – MGM Resorts and Caesars Entertainment.

Behind the scenes, it has hit many more companies, according to analysts tracking the intrusions – and cybersecurity specialists expect the attacks to continue.

The FBI is investigating the MGM and Caesars breaches, and the companies did not comment on who may be behind them.

From Canada to Japan, the security firm CrowdStrike has tracked 52 attacks globally by the group since March 2022, most of them in the United States, said Adam Meyers, senior vice-president of threat intelligence at the company. Google-owned intelligence firm Mandiant, has logged more than 100 intrusions by it in the last two years.

Nearly every industry, from telecommunications to finance, hospitality, and media, has been hit. It’s not known how much money the hackers may have extorted.

But it’s not just the scale or the breadth of attacks that make this group stand out. They’re extremely good at what they do and “ruthless” in their interactions with victims, said Kevin Mandia, Mandiant’s founder.

The speed at which they breach and exfiltrate data from company systems can overwhelm security response teams, and they have left threatening notes for staff of victim organisations on their systems, and contacted them by text and email in the past, Mandiant found.

In some cases – Mandia did not say which ones – hackers tied to Scattered Spider placed bogus emergency calls to summon heavily armed police units to the homes of executives of targeted companies.

The technique, called SWATing, “is something that’s utterly dreadful to live through as a victim”, he said. “I don’t even think these intrusions are about money. I think they’re about power, influence and notoriety. That makes it harder to respond to”.

The hacking group couldn’t immediately be reached for comment.

There’s little detail on Scattered Spider’s location or identity. Based on the criminals’ chats with victims and clues gleaned from breach investigations, CrowdStrike’s Meyers said they are largely 17-22 years-olds. Mandiant estimates they’re mainly from Western countries, but it’s unclear how many people are involved.

02:44

US, Britain and EU accuse China of sponsoring massive Microsoft email server hack

US, Britain and EU accuse China of sponsoring massive Microsoft email server hack

Before calling help desks, the hackers acquire employee information including passwords by social engineering, especially ‘SIM swapping’ – a technique where they trick a telecoms company’s customer service representative to reassign a specific phone number from one device to another, analysts say.

They also appear to make the effort to study how large organisations work, including their vendors and contractors, to find individuals with privileged access they can target, according to analysts.

That’s something David Bradbury, chief security officer of the identity management firm Okta, saw first-hand last month, when he discovered multiple Okta customers – including MGM – breached by Scattered Spider. Okta provides identity services such as multifactorial authentication used to help users securely access online applications and websites.

“The threat actors have clearly taken our courses that we provide online, they’ve clearly studied our product and how it works”, Bradbury said. “This is stuff we haven’t seen before”.

A larger group named ALPHV said last week it was behind the MGM hack, and analysts believe it provided the software and attack tools for the operation to be carried out by Scattered Spider.

Chinese hackers breached US government email accounts, Microsoft says

Such collaborations are typical for cybercriminals, said Okta’s Bradbury. ALPHV, which according to Mandiant is a “ransomware-as-a-service”, would provide services such as a help desk, webpage and branding, and in turn get a cut of whatever Scattered Spider would make from the hack.

While many ransomware attacks go unpublicised, the MGM hack was a vivid example of the real-world impact of such incidents. It caused chaos in Las Vegas, as gaming machines stalled and hotel systems were disrupted.

Ransomware gangs often function like large organisations, and continue to evolve their methods to adapt to the latest security measures organisations use.

“In some ways this is just like the age-old game of cat and mouse,” said Whitmore, who compared Scattered Spider to Lapsus$, another group behind previous hacks into Okta and the technology giant Microsoft.

The British police last year arrested seven people between the ages of 16 and 21 following those hacks.