As The FBI Closes In, Scattered Spider Attacks Finance, Insurance Orgs

Republished By Plato

Followers: 0

Scattered Spider hackers have been tearing through the finance and insurance sectors, all while authorities are preparing legal actions to stop them.

A game of cops and robbers is playing out between the FBI and Scattered Spider (aka UNC3944, 0ktapus, Roasted Oktapus, Scatter Swine, Octo Tempest, Muddled Libra), the cybercrime outfit a la mode, ever since its high-profile attacks against MGM Resorts and Caesars Entertainment. If recent rumblings are to be believed, the future of the group might well be determined in short course.

On one side, Brett Leatherman, the FBI’s cyber deputy assistant director, told reporters in various interviews at RSAC 2024 about the agency’s plans to bring charges against members of Scattered Spider, primarily under the well-worn Computer Fraud and Abuse Act.

And yet, clearly, Scattered Spider hasn’t felt that pressure coming. In recent months it has only expanded its scope, with attacks targeting industries as broad as retail, food services, and video games.

In just the past few weeks, the group compromised at least 29 companies in the finance and insurance industries, according to research from Resilience. An anonymous researcher told Bloomberg that among those targeted were household names like Visa, PNC, Transamerica, and New York Life Insurance Co., though they didn’t reveal which of those organizations in particular had failed to stop their attackers.

This latest campaign has had some of the usual hallmarks of Scattered Spider attacks: lookalike domains mimicking organizations’ Okta and content management system (CMS) sign-on pages, with the potential for follow-on SIM swap attacks that leak sensitive corporate data. There was a notable efficiency to the attacks as well, with Scattered Spider swiftly deploying its infrastructure and conducting its attacks in only a few hours’ time.

Can Authorities Take Down Scattered Spider?

The effects of law enforcement interventions into cybercrime often are found in the finer details: the confidence that affiliates lose in brand-name groups, the power vacuums that result, and the looming threat to anyone who dares take their place.

There’s little evidence that major takedowns of infrastructure, or even arrests here and there, take significant numbers of criminals off the web. The keyboard warrior is a shifty species that’s tough to find and pin down, and tends to reconstitute in new forms after brief periods of disruption. Worse is when they reside in parts of the world where law enforcement isn’t equipped or inclined to help out Western authorities.

The rub with Scattered Spider is that it’s distinctly not foreign. Its members are thought to be primarily young people in the US and the UK. If ever there were a hacking operation the FBI could wipe out, full stop, it would be this one.

But taking out a major hacking operation is not a simple job, says former FBI cyber special agent Adam Marrè, now chief information security officer (CISO) at Arctic Wolf. “It’s about making sure you can prove all the elements of a crime, and prove it to such a degree that you can get good penalties that will be punitive and discourage others from doing the same thing. It takes a while to build a case like that,” he explains.

To achieve that, he continues, “They’re going to be doing everything from getting informants, or possibly undercovers, into online forums where they can talk to perpetrators whose guard might be down. It’s also going to be important for them to collect evidence from victim companies that can be then used to attribute the actions of these actors. The most difficult part is always attribution, so being able to show who was behind the keyboard when that happened takes all the investigative techniques that they have at their disposal.”

Because ironclad attribution is so crucial, and because it’s so elusive, the openness and cooperation of targeted organizations may prove the difference in bringing bad guys to justice.

“I’m always an advocate that, during peacetime, when you’re not attacked, you should still go talk to your local authorities,” Marrè emphasizes. “Find out who they are, find out what numbers you can call, so that you know these folks when bad things happen. And then, possibly, you can have an effect on the whole cybercrime industry, lessening the likelihood that these things will happen to other people.”