The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency revealed new details about the Scattered Spider cybercrime group and its collaboration with the notorious ALPHV/BlackCat ransomware operation in an advisory released Friday.
According to a BleepingComputer report, Scattered Spider, known by several aliases including 0ktapus, Starfraud and Octo Tempest, is responsible for some of the most high-profile ransomware attacks in recent years. The fluid collective of English-speaking hackers, some as young as 16, relied on clever social engineering tactics to break into the networks of companies like MailChimp, Reddit and Twilio.
Today, the FBI reveals that some Scattered Spider members have joined forces with ALPHV/BlackCat, the Russia-based ransomware cartel behind major attacks against oil giant Shell and the Costa Rican government. This alliance allows Scattered Spider actors to encrypt and lock systems using BlackCat, then extort ransom payments from victims.
Experts say Scattered Spider’s loose, decentralized structure makes the group difficult to track. The FBI knows the identities of at least 12 people, but has not yet prosecuted any of its members. Some are also believed to be part of “The Comm”, a network of hackers involved in recent violent crimes.
Scattered Spider's initial access tactics exploit human vulnerabilities. Posing as IT staff, they trick employees into handing over their credentials via SMS phishing, phone calls and fake domain names impersonating business services. Once inside, they quietly install remote access trojan (RAT) malware and monitoring tools to steal data and to follow the victim's incident response efforts in Slack or over email. This allows Scattered Spider to evade detection, create fake accounts to move laterally, and learn how victims are attempting to kick them out.
The advisory warns that they are interested in source code, certificates, and credential repositories.
Experts recommend strengthening multi-factor authentication, email security and network segmentation, and mitigating the MITRE ATT&CK techniques listed by the FBI. They also advise implementing robust data recovery plans and offline backups to enable recovery after an attack.
Exposing the inner workings of Scattered Spider sheds light on the human infrastructure behind the sophisticated cybercriminal networks executing ransomware attacks. It also illustrates the evolving cyber threat landscape, in which threat actors share capabilities to maximize profits from extortion.