
FBI struggled to disrupt dangerous casino hacking gang, cyber responders say

Published Nov 14, 2023 05:03AM ET Updated Nov 15, 2023 04:36AM ET
© Reuters. An exterior view of MGM Grand hotel and casino, after MGM Resorts shut down some computer systems due to a cyber attack in Las Vegas, Nevada, U.S., September 13, 2023. REUTERS/Bridget Bennett/File Photo
By Zeba Siddiqui, Christopher Bing and Raphael Satter

SAN FRANCISCO/WASHINGTON (Reuters) - The U.S. Federal Bureau of Investigation (FBI) has struggled to stop a hyper-aggressive cybercrime gang that's been tormenting corporate America over the last two years, according to nine cybersecurity responders, digital crime experts and victims.

For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts (NYSE:MGM) International and Caesars (NASDAQ:CZR) Entertainment, according to four people familiar with the investigation.

Industry executives have told Reuters they were baffled by an apparent lack of arrests despite many of the hackers being based in America.

"I would love for somebody to explain it to me," said Michael Sentonas, president of CrowdStrike (NASDAQ:CRWD), one of the firms leading the response effort to the hacks.

"For such a small group, they are absolutely causing havoc," Sentonas told Reuters in an interview last month.

Sentonas said the hackers were "known" but didn't provide specifics. He did say, "I think there is a failure here." Asked who was responsible for the failure, Sentonas said, "law enforcement."

The FBI has said it is investigating the gaming company hacks but a spokesperson for the agency declined to comment on the larger group responsible or where the investigation stands. A spokesman for the Department of Justice also declined to comment.

Dubbed "Scattered Spider" by some security professionals, the hacking group has been active since 2021, but it grabbed headlines following a series of intrusions at several high-profile American companies.

The MGM breach disrupted operations at its casinos and hotels for days and cost the company roughly $100 million in damages, it said in a regulatory filing last month. Caesars paid around $15 million in ransom to regain access to its systems from the hackers, according to reporting by the Wall Street Journal.

Neither company responded to a request for comment.

CrowdStrike, Alphabet (NASDAQ:GOOGL)'s Mandiant, Palo Alto Networks (NASDAQ:PANW), and Microsoft (NASDAQ:MSFT) are among the main American cybersecurity firms responding to private company breaches by the hackers. Some have been collecting evidence leading to the hackers' identities and are assisting law enforcement, according to the five insiders.

The sources say that, following the September casino hacks, the FBI's investigation took on new urgency. FBI officials first began looking at the hackers' operations more than a year ago.

Security analysts tracking the breaches, meanwhile, have found a range of victims across nearly every industry – from telecoms and outsourcing firms to healthcare and financial services companies.

In total, roughly 230 organizations have been hit since the beginning of last year, according to a tally by the Baltimore, Maryland-based cybersecurity firm ZeroFox, which has helped Caesars contain the fallout.

ZeroFox's Chief Executive James Foster attributed law enforcement's sluggish response to a lack of manpower. Over the last several years, numerous press reports have suggested the bureau is losing many of its best cyber agents to the private sector, which offers them higher salaries.

"Law enforcement, certainly at the federal level, has all the tools and resources they need to be successful in going after cyber criminals," Foster said. "They just don't have enough people."

Another challenge has been the hesitancy of many victims to cooperate with the FBI. One of the sources, an executive involved with defending against the hackers, who declined to be named citing client confidentiality, said "several" victim companies never informed the bureau they were compromised – meaning prosecutors lost the chance to acquire potentially important evidence.

This instinct to hide an intrusion isn't unusual, an ex-FBI official who requested anonymity and previously worked on ransomware investigations told Reuters.

"What I encountered working on the ransomware stuff is basically nine out of 10 times the company did not want to cooperate," the ex-official said.

A third challenge has been the loose-knit nature of the group, which is made up of small clusters of individuals who collaborate on-and-off on specific jobs. The gang's murky structure helped earn it the "Scattered" nickname, as well as another industry moniker, "Muddled Libra," among researchers.

For example, the crew behind the casino job calls itself "Star Fraud," according to two analysts. It is part of a larger hacker collective made up of mostly young cybercriminals who use the name "The Com" as a slang for their community.

Most of the group's members are based in Western countries, including the United States, cybersecurity companies say. They typically discuss hacking projects in shared chat channels on social messaging apps, namely Telegram and Discord, which is popular with gamers.

A Telegram spokesperson did not respond to a request for comment on the hackers. A Discord spokesman declined to comment on them, but said the platform bars illegal activity and takes steps including banning or shutting down groups or users that engage in such practices.

Historically, the group's amorphous shape made it difficult for the FBI to coordinate internally across its many field offices around the country, said three people familiar with the matter. For months, numerous field offices were each independently investigating individual hacks launched by the same group but were not immediately aware of their connection, delaying the process.

Recently, the FBI's Newark, New Jersey field office has been handling an investigation into the hacking group and is making progress, according to those three people, who did not provide details. They added that a new special agent has been assigned to the case.

In recent months, meanwhile, alarming details of The Com's aggressive tactics have come into public view. Its members are engaged in a range of illicit schemes, from sextortion and ransomware to phone-based scams and paying people to commit physical violence - also known as 'violence-as-a-service.'

In a report published by Microsoft late last month, the tech firm quoted Scattered Spider-linked hackers as threatening to kill employees of a victim organization unless they coughed up passwords.

"If we don't get ur…login in the next 20 minutes were sending a shooter to your house (sic)," one of the messages read. Another followed saying: "ur wife is gona get shot if you dont fold it."

Reuters' attempts to contact the hackers for this story were not successful.

"I think they are pathological," Kevin Mandia, the founder of Mandiant, said in an interview in September. "We have seen how they interact with victim companies. They are ruthless."

Mandia didn't respond directly when asked whether Scattered Spider's identities were known to law enforcement. But he did say that there was no excuse for not arresting hackers who operated from the West.

"If they're in democratized nations that work with the international community, you've got to catch them," he said.

(This story has been refiled to remove the repetition in paragraph 8)
