An attack on the web? That’s likely a spider, man.
Or maybe it’s Scattered Spider, the cybersecurity industry name for a group of hackers that’s earned attention for its attacks on casinos and financial institutions—and is now on the radar for potentially targeting air travel. Scattered Spider targeted the sector before July 4, prompting an FBI write-up of the threat that, thankfully, didn’t amount to actual damage. But that doesn’t mean the danger has passed.
Primarily a ransomware group, Scattered Spider is made up mainly of young Western hackers. Cynthia Kaiser, SVP of the ransomware research center at Halcyon, told IT Brew that she sees the group “as one of the most disruptive and aggressive cyber criminal groups active today.” Halcyon released research on Scattered Spider on July 2, delving into its operations and behavior, specifically its targeting of third-party vendors.
“What’s really made Scattered Spider stand out technically is their deep focus on social engineering and the speed at which they can compromise victims,” Kaiser said. “Being able to compromise victims up through encryption in a matter of hours is pretty rapid, considering some other ransomware groups can take days.”
Pulling strands. The threat actor group is connected to the online collective known as The Community, or The Com, which also counts the notorious troll organization known as 764 as a loose affiliate. Aiden Sinnott, Sophos senior threat researcher, told IT Brew that Scattered Spider is somewhat unique in its makeup.
“They’re predominantly young, mainly males, aged 15 to 25; usually native English speakers,” Sinnott said. “UK- and US-based, which is very unusual because a lot of the ransomware groups and threat groups that we deal with come out of Russia.”
There’s a “broad spread” of criminality within The Com, Sinnott said, and that means members hack online gaming platforms like Roblox and Minecraft as well as, in the case of Scattered Spider, higher-value targets. As a ransomware group, Scattered Spider is focused on making money—but, as Sinnott noted, the relative youth of the group means that there’s an element of braggadocio to their behavior.
Setting traps. Going after the aviation industry is a natural evolution for a group targeting third-party vendors.
“Rather than them waking up one day and thinking, ‘Okay, today we’re going to attack five airlines,’ it’s third-party suppliers,” Sinnott said. “It might be outsourced, help desks, I think certainly Qantas said it was a contact center in the Philippines that was breached.”
Kaiser told IT Brew that people should be aware that Scattered Spider is able to utilize a wide variety of tactics to infiltrate systems, and should be prepared to put in place protections like MFA.
“It’s a little bit more work, but I think Americans might have to accept 30, 60 more seconds in their login processes at work if they want to keep being able to go on vacations and not have things canceled the last minute, or not being able to frequent the businesses they normally frequent,” Kaiser said.
Tactical avoidance. As with most incidents of this kind, the best response is to prioritize basic security hygiene. It can be hard to detect threat actors like Scattered Spider before they’re in the system—or worse. Members can start out with basic hacking, move on, and quickly become real threats, making the process of tracking them like Whac-A-Mole.
“You can arrest three people, but there’ll always be others who come and take their place, or who would even be inspired by it,” Sinnott said. “This group trades on kudos, and to a lot of them, there’ll be a certain martyrdom of these guys who’ve been arrested and their photos plastered everywhere by the FBI.”