How a gang of dangerous casino hackers outplayed the FBI
San Francisco/Washington — The US Federal Bureau of Investigation (FBI) has struggled to stop a hyper-aggressive cybercrime gang that has been tormenting corporate America over the past two years, according to nine cybersecurity responders, digital crime experts and victims.
For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.
Industry executives say they are baffled by an apparent lack of arrests despite many of the hackers being based in the US.
“I would love for somebody to explain it to me,” says Michael Sentonas, president of CrowdStrike, one of the firms leading the response effort to the hacks. “For such a small group, they are absolutely causing havoc,” Sentonas says.
Sentonas says the hackers are “known” but did not provide specifics. “I think there is a failure here.” Asked who was responsible for the failure, he says “law enforcement”.
The FBI has said it is investigating the gaming company hacks but a spokesperson for the agency declined to comment on the larger group responsible or where the investigation stands. A spokesperson for the justice department also declined to comment.
Dubbed by some security professionals as Scattered Spider, the hacking group has been active since 2021 but it grabbed headlines after a series of intrusions at several high-profile US companies.
The MGM breach disrupted operations at its casinos and hotels for days and cost the company about $100m in damages, it said in a regulatory filing in October. Caesars paid about $15m in ransom to regain access to its systems from the hackers, according to reporting by the Wall Street Journal.
Neither company responded to a request for comment.
CrowdStrike, Alphabet’s Mandiant, Palo Alto Networks and Microsoft are among the main US cybersecurity firms responding to private company breaches by the hackers. Some have been collecting evidence leading to the hackers’ identities and are assisting law enforcement, according to the five insiders.
The sources say that, after the September casino hacks, the FBI’s investigation took on new urgency. FBI officials first began looking at the hackers’ operations more than a year ago.
Security analysts tracking the breaches, meanwhile, have found a range of victims across nearly every industry — telecom and outsourcing firms to healthcare and financial service companies.
In total, about 230 organisations have been hit since the beginning of 2022, according to a tally by the Baltimore, Maryland-based cybersecurity firm ZeroFox, which has helped Caesars contain the fallout.
ZeroFox CEO James Foster attributes law enforcement’s sluggish response to a lack of manpower. Over the past several years, numerous press reports have suggested the bureau is losing many of its best cyber agents to the private sector, who offer them higher salaries.
“Law enforcement, certainly at the federal level, has all the tools and resources they need to be successful in going after cyber criminals,” Foster says. “They just don’t have enough people.”
Another challenge has been the hesitancy of many victims to co-operate with the FBI. One of the sources, an executive involved with defending against the hackers, who declined to be named citing client confidentiality, says “several” victim companies never informed the bureau they were compromised — meaning prosecutors lost the chance to acquire potentially important evidence.
This instinct to hide an intrusion is not unusual, a former FBI official who requested anonymity and previously worked on ransomware investigations says. “What I encountered working on the ransomware stuff is basically nine out of 10 times the company did not want to co-operate.”
A third challenge has been the loose-knit nature of the group, which is made up of small clusters of individuals who collaborate on-and-off on specific jobs. The gang’s murky structure helped earn it the Scattered nickname, as well as another industry moniker, Muddled Libra, among researchers.
For example, the crew behind the casino job calls itself Star Fraud, according to two analysts. It is part of a larger hacker collective made up of mostly young cybercriminals who use the name The Com as a slang for their community.
Most of the group’s members are based in Western countries, including the US, cybersecurity companies say. They typically discuss hacking projects in shared chat channels on social messaging apps Telegram and Discord, which is popular with gamers.
A Telegram spokesperson did not respond to a request for comment on the hackers. A Discord spokesperson declined to comment on them, but says the platform bars illegal activity and takes steps, including banning or shutting down groups or users that engage in such practices.
Historically, the group’s amorphous shape made it difficult for the FBI to co-ordinate internally across its many field offices around the country, say three people familiar with the matter. For months, numerous field offices were each independently investigating individual hacks launched by the same group but were not immediately aware of their connection, delaying the process.
Recently, the FBI’s Newark, New Jersey, field office has been handling an investigation into the hacking group and is making progress, according to those three people, who did not provide details. They say a new special agent has been assigned to the case.
In recent months, meanwhile, alarming details of The Com’s aggressive tactics have come into public view. Its members are engaged in a range of illicit schemes, from sextortion and ransomware to phone-based scams and paying people to commit physical violence — also known as violence-as-a-service.
In a report published by Microsoft in late October, the tech firm quoted Scattered Spider-linked hackers as threatening to kill employees of a victim organisation unless they coughed up passwords.
“If we don’t get ur ... login in the next 20 minutes were sending a shooter to your house (sic),” one of the messages read. Another followed saying: “ur wife is gona get shot if you don't fold it.”
Reuters’ attempts to contact the hackers for this story were not successful.
“I think they are pathological,” Kevin Mandia, the founder of Mandiant, says. “We have seen how they interact with victim companies. They are ruthless.”
Mandia did not respond directly when asked whether Scattered Spider’s identities were known to law enforcement. But he did say that there was no excuse for not arresting hackers who operated from the West.
“If they’re in democratised nations that work with the international community, you’ve got to catch them,” he says.
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.