Scattered Spider
{{Short description|British-American hacking group}}
{{Use American English|date=September 2023}}{{Use mdy dates|date=September 2023}}
{{Infobox organization
| name = Scattered Spider
| formation = {{circa}} May 2022
| type = Hacker group
| purpose = Ransomware, cyberattacks
| founder =
| region = United States and United Kingdom
| methods = Social engineering, ransomware as a service, password cracking
| membership =
| affiliations = ALPHV
| nickname = See § Names
| website =
| remarks =
}}
Scattered Spider, also referred to as UNC3944,{{Cite web |title=Scattered Spider: The Modus Operandi |url=https://www.trellix.com/en-us/about/newsroom/stories/research/scattered-spider-the-modus-operandi.html |access-date=2023-09-14 |website=www.trellix.com |language=en}} is a hacking group mostly made up of teens and young adults believed to live in the United States and the United Kingdom.{{Cite web |date=2023-09-14 |title=Caesars Entertainment says it was also a victim of a cyberattack |url=https://www.nbcnews.com/tech/security/caesars-entertainment-says-was-also-victim-cyberattack-rcna105050 |access-date=2023-09-14 |website=NBC News |language=en}}{{Cite web |last=Bracken |first=Becky |date=2023-09-14 |title='Scattered Spider' Behind MGM Cyberattack, Targets Casinos |url=https://www.darkreading.com/attacks-breaches/-scattered-spider-mgm-cyberattack-casinos |access-date=2023-09-14 |website=Dark Reading |language=en}}
The group gained notoriety for their involvement in the hacking and extortion of Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. Scattered Spider has also targeted Visa, Marks & Spencer, PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co., Synchrony Financial, Truist Bank, and Twilio. More recently, members of Scattered Spider have been connected with the hacks against Snowflake cloud storage customers in the US.{{Cite news |date=2024-09-20 |title=Snowflake Hacker Still Active, Finding New Victims, Expert Says |url=https://www.bloomberg.com/news/articles/2024-09-20/snowflake-hacker-still-active-finding-new-victims-expert-says |access-date=2025-01-15 |work=Bloomberg.com |language=en}}{{cite news |last1=Mapp |first1=Karis |title=Kitchener, Ont., man arrested in massive Snowflake hacking scheme faces possible extradition to U.S. |url=https://www.cbc.ca/news/canada/kitchener-waterloo/snowflake-data-breach-kitchener-accused-possible-extradition-1.7394891 |access-date=24 May 2025 |work=CBC News |publisher=CBC |date=November 28, 2024}}{{cite news |last1=Tidy |first1=Joe |title=Retail hackers believed to be young and from US and UK, detectives say |url=https://www.bbc.com/news/articles/ckgnndrgxv3o |access-date=24 May 2025 |work=BBC News |agency=BBC World Service |date=21 May 2025}}
== Names ==
The group's most common name as used in press releases and by journalists is Scattered Spider, though many other names have been attributed to the group. Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra have all been names used to refer to the group previously.{{Cite web |last1=Whitaker |first1=Bill |last2=Chasan |first2=Aliza |last3=Messick |first3=Graham |last4=Weingart |first4=Jack |date=2024-04-14 |title=Criminal exploits of Scattered Spider earn respect of Russian ransomware hackers - CBS News |url=https://www.cbsnews.com/news/scattered-spider-blackcat-hackers-ransomware-team-up-60-minutes/ |access-date=2024-04-23 |website=www.cbsnews.com |language=en-US}}
Scattered Spider is part of a larger global hacking community known as "the Community" or "the Com", whose members have hacked major American technology companies.
== Early history ==
Scattered Spider is believed to have been founded in May 2022, when the group was focused on attacks on telecommunications firms. The group utilized SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram. The group typically exploited the security bug CVE-2015-2291, a cybersecurity issue in Windows' anti-DoS software,{{Cite web |title=CVE-2015-2291 : (1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows all |url=https://www.cvedetails.com/cve/CVE-2015-2291/ |access-date=2023-09-14 |website=www.cvedetails.com |language=en}} to terminate security software, allowing the group to evade detection. The group is believed to have a deep understanding of Microsoft Azure and the ability to conduct reconnaissance in cloud computing platforms powered by Google Workspace and AWS, and it uses legitimately developed remote-access tools.
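The multi-factor authentication fatigue attacks mentioned above (repeated push prompts until a user approves one) leave a recognizable trace in identity-provider logs. The following detection script is an added example for this article, not code from any cited source or from the group's own tooling: it reads a constructed comma-separated log, finds users who received a burst of push prompts inside a short window, and reports whether an approval followed the burst. The event format, the result names (push_sent, push_denied, push_approved), the 10-minute window and the three-push threshold are all assumptions.

```python
"""Flag MFA push-fatigue bursts in identity-provider authentication logs.

Added example for this article, not code from any cited source or from the
group's own tooling. The comma-separated event format, the result names,
the 10-minute window and the threshold of three pushes are assumptions; the
sample log below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,user,result", one event per line.
SAMPLE_LOG = """\
2023-09-11T02:14:05Z,alice,push_sent
2023-09-11T02:14:07Z,alice,push_denied
2023-09-11T02:14:20Z,alice,push_sent
2023-09-11T02:14:25Z,alice,push_denied
2023-09-11T02:14:40Z,alice,push_sent
2023-09-11T02:14:44Z,alice,push_denied
2023-09-11T02:15:01Z,alice,push_sent
2023-09-11T02:15:30Z,alice,push_approved
2023-09-11T08:00:00Z,bob,push_sent
2023-09-11T08:00:04Z,bob,push_approved
2023-09-11T09:00:00Z,carol,push_sent
2023-09-11T09:00:10Z,carol,push_denied
"""

WINDOW = timedelta(minutes=10)   # assumed burst window
THRESHOLD = 3                    # assumed: pushes within WINDOW that count as fatigue


def parse_events(log):
    """Parse the log into (timestamp, user, result) tuples, skipping blank or
    malformed lines rather than failing on them."""
    events = []
    for line in log.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ts, user, result = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((when, user, result))
    return events


def find_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (max_pushes_in_window, approved_after_burst)} for every
    user who received at least `threshold` pushes inside any `window`.

    approved_after_burst is True when a push_approved event occurs at or after
    the moment some burst reached the threshold; repeated prompts that end in
    an approval are the case a responder needs to act on first.
    """
    by_user = defaultdict(list)
    for when, user, result in parse_events(log):
        by_user[user].append((when, result))

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        sends = [t for t, r in evs if r == "push_sent"]
        approvals = [t for t, r in evs if r == "push_approved"]
        start = 0
        max_count = 0
        approved_any = False
        # Sliding window over push timestamps: sends[start..end] always spans <= window.
        for end, t_end in enumerate(sends):
            while t_end - sends[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                max_count = max(max_count, count)
                reached_at = sends[start + threshold - 1]
                approved_any = approved_any or any(a >= reached_at for a in approvals)
        if max_count:
            alerts[user] = (max_count, approved_any)
    return alerts


if __name__ == "__main__":
    for user, (pushes, approved) in find_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {pushes} pushes within {WINDOW}, approved after burst: {approved}")
```

On the constructed log only alice is flagged: four prompts in under a minute, three of them denied, followed by an approval. Bob's single prompt and approval is ordinary sign-in traffic, and carol's single denial is a user doing the right thing; neither reaches the threshold.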
The group later became known for targeting critical infrastructure prior to moving on to its 2023 casino hacks.{{Cite web |title=MGM Resorts breached by 'Scattered Spider' hackers: Sources |url=https://www.businessinsurance.com/article/20230914/NEWS06/912359825/MGM-Resorts-breached-by-%E2%80%98Scattered-Spider%E2%80%99-hackers-Sources |access-date=2023-09-14 |website=Business Insurance}}
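The paragraph above describes a vulnerable signed driver being abused to terminate security software. One defensive control is to compare every driver-load event against a denylist of known-vulnerable driver files and minimum fixed versions. The script below is an added example for this article, not code from any cited source; its only denylist entry is taken from the CVE-2015-2291 record cited above (IQVW32.sys and IQVW64.sys before version 1.3.1.0), and the event fields and sample events are constructed.

```python
"""Triage driver-load events against a denylist of known-vulnerable drivers.

Added example for this article, not code from any cited source. The denylist
entry comes from the CVE-2015-2291 record cited in this section
(IQVW32.sys / IQVW64.sys before version 1.3.1.0); the event shape and the
sample events are constructed.
"""

# file name (lower case) -> first version that is no longer affected
VULNERABLE_DRIVERS = {
    "iqvw32.sys": (1, 3, 1, 0),
    "iqvw64.sys": (1, 3, 1, 0),
}


def parse_version(text):
    """'1.2.0.0' -> (1, 2, 0, 0). Returns None for a missing or malformed
    version string so callers can treat that as its own suspicious case."""
    if not text:
        return None
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def _pad(version, length):
    """Right-pad a version tuple with zeros so '1.3' compares as 1.3.0.0."""
    return version + (0,) * (length - len(version))


def assess_driver_load(image_path, file_version):
    """Classify one driver-load event as 'ok' (file not on the list),
    'patched', 'vulnerable' or 'unknown_version'."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    fixed_in = VULNERABLE_DRIVERS.get(name)
    if fixed_in is None:
        return "ok"
    version = parse_version(file_version)
    if version is None:
        return "unknown_version"
    width = max(len(version), len(fixed_in))
    return "vulnerable" if _pad(version, width) < _pad(fixed_in, width) else "patched"


# Constructed sample events in the shape a normalized EDR driver-load record might take.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\drivers\tcpip.sys", "version": "10.0.19041.1"},
    {"host": "ws02", "image": r"C:\Users\Public\IQVW64.sys", "version": "1.2.0.0"},
    {"host": "ws03", "image": r"C:\Program Files\Intel\IQVW64.sys", "version": "1.3.1.0"},
    {"host": "ws04", "image": r"C:\Temp\iqvw32.sys", "version": None},
]


def triage(events):
    """Return (host, image, verdict) for every event whose verdict is not 'ok'."""
    findings = []
    for event in events:
        verdict = assess_driver_load(event["image"], event.get("version"))
        if verdict != "ok":
            findings.append((event["host"], event["image"], verdict))
    return findings


if __name__ == "__main__":
    for host, image, verdict in triage(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {verdict}")
```

A listed driver loading from a user-writable path with an unknown version (ws04) is reported separately from a clearly vulnerable one (ws02) so that a responder can still prioritize it; a listed driver at or above the fixed version (ws03) is recorded as patched rather than silently dropped, since its presence is still worth knowing about.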
== Casino hacks (2023) ==
Scattered Spider gained access to both Caesars' and MGM's internal systems through the use of social engineering. The group was able to bypass multi-factor authentication technologies by attaining login credentials and one-time passwords.{{Cite news |last1=Siddiqui |first1=Zeba |last2=Bing |first2=Christopher |date=2023-09-13 |title=MGM Resorts breached by 'Scattered Spider' hackers: sources |language=en |work=Reuters |url=https://www.reuters.com/technology/moodys-says-breach-mgm-is-credit-negative-disruption-lingers-2023-09-13/ |access-date=2023-09-14}}{{Cite web |date=2023-09-14 |title=Young hackers are sticking up Las Vegas casinos for hefty ransoms |url=https://qz.com/young-hackers-are-sticking-up-las-vegas-casinos-for-hef-1850837238 |access-date=2023-09-14 |website=Quartz |language=en}} The group claims it targeted MGM after MGM caught it attempting to rig slot machines in its favor.{{Cite news |last=Srivastava |first=Mehul |date=2023-09-14 |title=MGM hack followed failed bid to rig slot machines, 'Scattered Spider' group claims |work=Financial Times |url=https://www.ft.com/content/a25d2897-b0ce-4ba7-92ed-ff5df09d1b47 |access-date=2023-09-15}}
=== Caesars hack ===
Caesars Entertainment paid a ransom of $15 million to Scattered Spider, half the original demand of $30 million. Using tactics similar to those of its attack on MGM, Scattered Spider was able to access driver's license numbers and possibly Social Security numbers for a "significant number" of Caesars customers. Statements made by Caesars noted that while the company cannot guarantee the deletion of the information attained by Scattered Spider, the casino operator will take all necessary actions to achieve that result.
Sources disagree on whether Scattered Spider was the group that targeted Caesars: some attribute the attack to the British-American group, while others say the perpetrators were a different group or are unknown.{{Cite web |last=Murphy |first=Aislinn |date=2023-09-13 |title=Caesars Entertainment reportedly paid ransomware demand |url=https://www.foxbusiness.com/markets/caesars-entertainment-reportedly-paid-ransomware-demand |access-date=2023-09-15 |website=FOXBusiness |language=en-US}}{{Cite web |last=Gendron |first=Will |title=MGM Resorts is still suffering from a massive outage after a notorious group of young hackers apparently tricked workers into handing over access to the company's network |url=https://www.businessinsider.com/mgm-caesars-las-vegas-casinos-targeted-scattered-spider-hacking-group-2023-9 |access-date=2023-09-15 |website=Business Insider |language=en-US}}
=== MGM Resorts hack ===
Scattered Spider collaborated with ALPHV, a software development team which provides ransomware as a service. Scattered Spider called MGM's help desk posing as an employee it found on LinkedIn to gain internal access. The group gained access on September 11, 2023.
MGM Resorts first disclosed the cyberattack on September 12, 2023, and filed a Form 8-K report with the SEC the next day.{{Cite web |title=Investors - Financial Info - SEC Filings - SEC Filings Details |url=https://investors.mgmresorts.com/investors/financial-info/sec-filings/sec-filings-details/default.aspx?FilingId=16927190 |website=investors.mgmresorts.com}}https://d18rn0p25nwr6d.cloudfront.net/CIK-0000789570/a390c443-0c40-4025-aba2-74505ab3c9e3.pdf The company stated that although it had "dealt" with the cyberattack, many of the computer systems at its resorts remained offline, including but not limited to those handling credits for food and beverages and free credits. The attack also disabled on-site ATMs and remote room keys, and prevented MGM from charging patrons for parking.
In July 2024, a 17-year-old hacker from the United Kingdom was arrested in connection with the hack and attempted ransom. He has been released on bail pending trial.{{Cite web |last=Encinas |first=Amaris |title=U.K. police arrest 17-year-old in connection with last year's MGM cyberattack |url=https://www.usatoday.com/story/tech/news/2024/07/19/uk-police-arrest-teen-for-mgm-cyberattack/74477012007/ |access-date=2024-07-22 |website=USA TODAY |language=en-US}} The arrest was coordinated by local and international law enforcement.
=== Casino hacks aftermath ===
MGM, the US FTC, and the FBI are currently investigating the cyberattack, and the casino operator temporarily took down its website. Moody's Corporation has stated that, because MGM relies heavily on computers for much of its operations, its credit rating could be downgraded as a result of the cyberattack. Upon the announcement of both companies' attacks, the stock prices of both Caesars and MGM dropped. MGM's CEO William Hornbuckle later noted at an industry conference that the hack left the company "completely in the dark" about its properties.
Both MGM and Caesars were sued in class action lawsuits following the hacks, with the complaints alleging that the casino operators' failure to adequately secure their data constituted a breach of contract. The law firms' clients also all demanded jury trials.{{Cite web |date=2023-09-26 |title=Complaints filed say MGM Resorts, Caesars Entertainment failed to protect information from cyberattack |url=https://www.ktnv.com/news/complaints-filed-say-mgm-resorts-caesars-entertainment-failed-to-protect-information-from-cyberattack |access-date=2023-09-26 |website=Channel 13 Las Vegas News KTNV |language=en}}{{Cite web |last=Croft |first=Daniel |date=2023-09-26 |title=5 class actions launched against MGM, Caesars |url=https://www.cybersecurityconnect.com.au/commercial/9607-5-class-actions-launched-against-mgm-caesars |access-date=2023-09-26 |website=www.cybersecurityconnect.com.au |language=en}} In January 2025, MGM agreed to pay a $45 million settlement to the victims of the breach.{{Cite web |last=Weatherbed |first=Jess |date=2025-01-29 |title=MGM will pay $45 million to settle data breach lawsuit |url=https://www.theverge.com/news/601733/mgm-resorts-45-million-settlement-data-breaches |access-date=2025-03-14 |website=The Verge |language=en-US}}{{Cite web |title=Owens v. MGM Resorts International |url=https://storage.courtlistener.com/recap/gov.uscourts.nvd.164564/gov.uscourts.nvd.164564.63.0.pdf |access-date=2025-03-14 |website=CourtListener}}
== Snowflake hacks ==
Two members of the group have been connected with hacks against customers of Snowflake's cloud computing platform. The hackers accessed and stole customer data, demanding millions of dollars in extortion payments in exchange for not releasing the data publicly. Nearly a hundred victims were targeted, including AT&T, Ticketmaster, Advance Auto Parts, Lending Tree, and Neiman Marcus.{{Cite news |date=2024-09-20 |title=Snowflake Hacker Still Active, Finding New Victims, Expert Says |url=https://www.bloomberg.com/news/articles/2024-09-20/snowflake-hacker-still-active-finding-new-victims-expert-says |access-date=2025-01-15 |work=Bloomberg.com |language=en}}{{Cite magazine |last=Burgess |first=Matt |title=The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever |url=https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/ |access-date=2025-01-15 |magazine=Wired |language=en-US |issn=1059-1028}}
== Arrests ==
In January 2024, Noah Michael Urban, a member of the group{{Cite web |date=2024-01-30 |title=Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider – Krebs on Security |url=https://krebsonsecurity.com/2024/01/fla-man-charged-in-sim-swapping-spree-is-key-suspect-in-hacker-groups-oktapus-scattered-spider/ |access-date=2024-07-22 |language=en-US}} and known as "Sosa", "King Bob", "Elijah", and other aliases, was arrested in Florida for the cumulative theft of about $800,000 in cryptocurrency.{{Cite web |last=Fernandez |first=Frank |title=Palm Coast teen accused in cryptocurrency scheme seeks jail release as he awaits trial |url=https://www.news-journalonline.com/story/news/courts/2024/04/03/palm-coast-teen-in-cryptocurrency-scam-seeks-release-from-jail/73148333007/ |access-date=2024-07-22 |website=Daytona Beach News-Journal Online |language=en-US}} Sosa used SIM-swapping techniques in order to compromise victims' email and financial account details.
In June 2024, the alleged leader of the group, Tyler Buchanan (aka TylerB), was arrested in Spain while attempting to board a flight to Italy.{{Cite web |date=2024-06-16 |title=Alleged Boss of 'Scattered Spider' Hacking Group Arrested – Krebs on Security |url=https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/ |access-date=2024-07-22 |language=en-US}}{{Cite web |title=U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain |url=https://thehackernews.com/2024/06/uk-hacker-linked-to-notorious-scattered.html |access-date=2024-07-22 |website=The Hacker News |language=en}} Spanish police allege that at the time of his arrest Buchanan possessed bitcoin worth $27 million.
In July 2024, the West Midlands Police, with the help of the FBI, arrested a 17-year-old juvenile in connection with the MGM cyberattacks. The suspect, who lives in Walsall and whose name was not published, was released on bail while law enforcement examined his devices.{{Cite web |last=Roth |first=Emma |date=2024-07-19 |title=UK teen arrested in connection to MGM hack |url=https://www.theverge.com/2024/7/19/24202142/uk-teen-mgm-hack-arrested-fbi |access-date=2024-07-22 |website=The Verge |language=en}}
Remington Ogletree, 19, was arrested in November 2024 on charges related to his alleged involvement with the group.{{Cite news |date=2024-12-03 |title=California Teen Suspected of Being a Member of Scattered Spider Hacking Gang |url=https://www.bloomberg.com/news/articles/2024-12-03/scattered-spider-hacking-gang-arrests-mount-with-california-teen |access-date=2024-12-04 |work=Bloomberg.com |language=en}}
== References ==
{{Reflist}}
== External links ==
- Scattered Spider's [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a page] on the Cybersecurity and Infrastructure Security Agency's website
{{Authority control}}