The recent hacks of Caesars Entertainment and MGM-owned casinos were likely carried out by teenagers and young adults aligned with one of the world’s most notorious ransomware gangs – part of a trend that has alarmed security experts and defenders of corporate computer networks.
The group, known to security firms by various names including Scattered Spider, is linked to a Telegram account that bragged last week about the MGM hack that was still keeping many services offline as of Thursday.
Security researchers were vague about the group’s makeup, mostly agreeing that its members are generally English-speaking, financially motivated, and have been very active over the past two years targeting large companies with stolen employee credentials and tricks such as targeting tech support staff by convincing them that an employee had accidentally been locked out of a computer and needed a new password.
They moved from cryptocurrency thefts to attacks on companies that provide third-party business functions such as help desks and call center staff, allowing them to penetrate many customers’ networks. And they blackmailed Western Digital and other technology companies after stealing internal data before heading to the Las Vegas jackpots.
But their willingness to deploy crippling ransomware and demand money in the process is a big step up, as is their choice of partner: ALPHV, a hacking group whose members include veterans of the former Russian groups BlackMatter and DarkSide, the groups responsible for the Colonial Pipeline hack that alerted Washington to the national security risk of ransomware. ALPHV provided the young hackers with the BlackCat ransomware that was installed on the casino systems.
New research to be presented Friday at the LABScon security conference outside Phoenix sheds light on the origins of the hackers who experts say call themselves “Star Fraud.” They say the group consists of a few dozen hackers who have connected online and are part of a much larger association known internally as Com, short for community.
Star Fraud has left clues through its public boasting and other careless behavior. Like others in the Com, its members came together through crimes made possible by SIM swapping, which typically involves convincing phone company employees to hand over control of someone else’s phone number.
Because of inadequate security controls around these numbers, criminals have amassed millions of dollars through such schemes by defeating text-message-based two-factor authentication on cryptocurrency accounts.
The extra money has enabled alliances with criminals who have different skills, including some who had hacked police servers and could send emails posing as officers demanding that phone and Internet providers disclose customer information under emergency procedures.
Worse, the researchers said, they have now attracted recruiters from the Russian gangs, who want to combine their own business skills with the techniques and local knowledge of native English speakers.
“Before big money, they would sextort girls and try to make them kill themselves. There’s something really sociopathic going on with these people,” the lead researcher told The Washington Post on condition of not being named, to avoid being targeted by the gangs.
In the MGM hack, the group gained control of the company’s Okta authentication servers, giving it broad access to internal services.
The Star Fraud group roughly followed the path of the Lapsus$ gang, which used similar techniques to steal source code from major companies and prompted a federal review of the root causes of that group’s rise.
But Star Fraud has gone further, the researchers said, and such groups can now draw on many thousands of online volunteers.
The FBI, which managed to dismantle some of the ransomware groups after the Colonial Pipeline hack, said it would continue to pursue foreign criminals and their teenage associates.
“Criminals can rest assured that the FBI will pursue all illegal activities with the same vigor and determination,” it said in a written statement to The Post. “We work closely with our federal and international partners to ensure that bad actors face the consequences of their actions.”