Group in Casino Hacks Skilled at Duping Workers for Access

(Bloomberg) -- The hacking group suspected of cyberattacks against two giant casino operators has quickly made a name for itself for its skills in social engineering, such as tricking someone to gain access to a computer system or another storehouse of sensitive information.

Most Read from Bloomberg

• Vegas’ Newest Resort Is a $3.7 Billion Palace, 23 Years in the Making

• Fed Set to Pause Rate Hikes, But Don’t Count Out Another Increase

• Trudeau’s Murder Claim Risks Upending US Courtship of India

• Dollar Rally Is Crushing One of the Most Popular Trades of 2023

Known as Scattered Spider and UNC3944, the group spun a web of chaos this week after launching a cyberattack at MGM Resorts International, according to five people familiar with the incident. The cyberattack resulted in downed websites and slot machines and staffers to check people into hotel rooms manually. The group has been causing havoc across North American companies in 2023, according to Adam Meyers, senior vice president of intelligence at Crowdstrike Holdings Inc., who said in an interview last month that the attacks had escalated to “a couple a week.”

The same group was behind an earlier attack on Caesars Entertainment Inc., according to the people. Caesars paid tens of millions of dollars to the hackers, who broke into the company’s systems and threatened to release data, according to two of the people.

On Thursday, Caesars said in a regulatory filing that it discovered suspicious activity in its information technology network “resulting from a social engineering attack on an outsourced IT support vendor used by the company.” The identity of the vendor wasn’t immediately known. “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the filing.

It’s still not clear how the attackers broke into MGM, which has declined to comment on specifics of the incident.

Read more: MGM, Caesars Hacked by ‘Scattered Spider’ in Span of Weeks

They are “incredibly effective social engineers,” said Charles Carmakal, chief technology officer for Mandiant Inc., which has investigated the group in depth. He described the hacking group, which Mandiant first came across in May 2022, as “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.”

Members of Scattered Spider are based in the US and UK, some as young as 19 years old, according to four cybersecurity researchers familiar with the group. One of the group had a “mid-Atlantic” accent, according to Meyers, who listened into one of the first calls one of the hackers made to try to steal passwords, which was automatically recorded by the victim.

The hackers are renowned for calling or texting IT help desk workers and impersonating employees to trick them into sharing credentials. This has included cloud computing accounts like Microsoft Azure and hypervisor tools such as AnyDesk and FleetDeck – which allow information technology employees to take over a computer remotely when someone has a technical problem, according to Meyers. To stay undetected, the hackers use a virtual private network that makes it appear as if they are based in the same area as the victim account holder, so logging in won’t raise alarm bells with the IT team.

Mandiant, a cybersecurity company owned by Alphabet Inc.’s Google, released more details Thursday about the group, which they refer to as UNC3944. In one incident that Mandiant’s ransomware experts dealt with, the gang took over a Human Resources department worker’s Microsoft Teams video-conferencing software to contact their colleagues and lead them to a Microsoft-themed phishing page to steal more credentials. Mandiant said when its incident response team communicated with the hackers on behalf of its clients, they “engaged in aggressive communications with victims, such as leaving threatening notes within a text file on a system, contacting executives via text messages and emails.”

According to Mandiant and Meyers, the attackers appear to have graduated from sim-swapping circles, in which a hacker bribes or convinces a telecommunications employee to port a victim’s number onto a new phone so the hacker can bypass two-factor authentication to gain access to software such as Gmail and Microsoft Outlook, as well as cryptocurrency and personal bank accounts.

Reached via the social media app Telegram, a person who identified as a member of Scattered Spider said the group numbers fewer than 10 people, mostly friends, and has been involved in hacking since they were 11 years old.

The person said the group picks targets carefully, focusing on companies valued from $15 billion to $45 billion, and that they don’t attack hospitals, oil refineries and power plants. The group’s motive is to get rich quickly and get away with it, the person said.

Bloomberg News couldn’t independently verify the person’s identity or affiliation with the hacking group. However, three cybersecurity experts assessed that the Telegram user was linked to the hacking group.

Read more: Useless Slots, Cash Bars Annoy Casino Goers After MGM Hack

Scattered Spider has previously deployed a type of ransomware known as ALPHV to extort victims, according to Carmakal. Ransomware is a type of malware that locks up a victim’s files, and the hackers then demand payment to unlock them.

ALPHV is also the name of a hacking group that developed the ransomware, which it leases out to others — known as affiliates — for a fee. ALPHV was first detected in November 2021. ALPHV uses a programming language named Rust, which helps it evade conventional cybersecurity detection measures and makes it harder for incident responders to reverse engineer the attackers’ malware code, according to Microsoft Threat Intelligence.

The FBI said in April 2022 that ALPHV ransomware had been used in at least 60 attacks worldwide.

ALPHV is likely Russia-based, said Brett Callow, a threat analyst at the cybersecurity company Emsisoft. He is among experts who believe the group evolved from earlier Russian hacking outfits that disbanded following a spate of high-profile ransomware attacks, including the 2021 ransomware attack on Colonial Pipeline Co.

In a statement posted on the group’s dark web page on Thursday, ALPHV said that it deployed ransomware on MGM servers after representatives from the company didn’t respond to its ransom request. The group deployed ransomware on Sept. 11, the statement said, adding that they still have access to some of MGM’s infrastructure. Claims that teenagers from the US and UK broke into MGM were just rumors, according to the statement.

A MGM spokesperson didn’t immediately respond to a request for comment on ALPHV’s claims.

Alex Waintraub, an incident responder at the cybersecurity company Cygnvs Inc. said he has directly negotiated about 25 times with ALPHV since 2021 on behalf of hacked companies that call in cyber insurance to help.

The group’s ransom demands are all over the map, he said. “There is no pattern,” Waintraub said, adding that he has been able to talk down ransom demands by 70%.

The exact nature of the relationship between Scattered Spider and ALPHV isn’t known.

However, the representative of Scattered Spider said the groups have worked together multiple times and that Scattered Spider was grateful for ALPHV’s help in attacks on some companies. The person boasted that Scattered Spider and ALPHV were just getting started.

--With assistance from Jamie Tarabay.

(Updates with comments from cybersecurity investigators beginning in the second paragraph.)

Most Read from Bloomberg Businessweek

• Starbucks Has 383 Billion Different Lattes and That’s a Problem

• MBAs Are Spurning McKinsey to Buy Small Companies

• Why Dollar General Might Just Be the Worst Retail Job in America

• Ambani’s Plan to Upend Indian Finance Lands With a Thud

• TikTok Shop Is a Real E-Commerce Threat

©2023 Bloomberg L.P.