The U.S. Federal Bureau of Investigation has struggled to stop a hyper-aggressive cybercrime gang that’s been tormenting corporate America over the last two years, according to nine cybersecurity responders, digital crime experts and victims.
For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.
Industry executives have told Reuters they were baffled by an apparent lack of arrests despite many of the hackers being based in America.
‘Absolutely causing havoc’
“I would love for somebody to explain it to me,” said Michael Sentonas, president of CrowdStrike, one of the firms leading the response effort to the hacks.
“For such a small group, they are absolutely causing havoc,” Sentonas told Reuters in an interview last month.
Sentonas said the hackers were “known” but didn’t provide specifics. He did say, “I think there is a failure here.” Asked who was responsible for the failure, Sentonas said, “law enforcement.”
The FBI has said it is investigating the gaming company hacks but a spokesperson for the agency declined to comment on the larger group responsible or where the investigation stands. A spokesman for the Department of Justice also declined to comment.
Dubbed by some security professionals as “Scattered Spider,” the hacking group has been active since 2021 but it grabbed headlines following a series of intrusions at several high-profile American companies.
The MGM breach disrupted operations at its casinos and hotels for days and cost the company roughly $100 million US in damages, it said in a regulatory filing last month. Caesars paid around $15 million in ransom to regain access to its systems from the hackers, according to reporting by the Wall Street Journal.
Neither company responded to a request for comment.
Probe’s new urgency
CrowdStrike, Alphabet’s Mandiant, Palo Alto Networks and Microsoft are among the main American cybersecurity firms responding to private company breaches by the hackers. Some have been collecting evidence leading to the hackers’ identities and are assisting law enforcement, according to the five insiders.
The sources say that, following the September casino hacks, the FBI’s investigation took on new urgency. FBI officials first began looking at the hackers’ operations more than a year ago.
Security analysts tracking the breaches, meanwhile, have found a range of victims across nearly every industry — from telecoms and outsourcing firms to health care and financial service companies.
In total, roughly 230 organizations have been hit since the beginning of last year, according to a tally by the Baltimore, Maryland-based cybersecurity firm ZeroFox, which has helped Caesars contain the fallout.
ZeroFox’s chief executive, James Foster, attributed law enforcement’s sluggish response to a lack of manpower. Over the last several years, numerous press reports have suggested the bureau is losing many of its best cyber agents to the private sector, which offers higher salaries.
Not enough people
“Law enforcement, certainly at the federal level, has all the tools and resources they need to be successful in going after cyber criminals,” Foster said. “They just don’t have enough people.”
Another challenge has been the hesitancy of many victims to co-operate with the FBI. One of the sources, an executive involved with defending against the hackers, who declined to be named citing client confidentiality, said “several” victim companies never informed the bureau they were compromised — meaning prosecutors lost the chance to acquire potentially important evidence.
This instinct to hide an intrusion isn’t unusual, an ex-FBI official who requested anonymity and previously worked on ransomware investigations told Reuters.
“What I encountered working on the ransomware stuff is basically nine out of 10 times the company did not want to co-operate,” the ex-official said.
A third challenge has been the loose-knit nature of the group, which is made up of small clusters of individuals who collaborate on and off on specific jobs. The gang’s murky structure helped earn it the “Scattered” nickname, as well as another industry moniker, “Muddled Libra,” among researchers.
For example, the crew behind the casino job calls itself “Star Fraud,” according to two analysts. It is part of a larger hacker collective made up of mostly young cybercriminals who use the name “The Com” as a slang for their community.
Most of the group’s members are based in Western countries, including the United States, cybersecurity companies say. They typically discuss hacking projects in shared chat channels on social messaging apps, namely Telegram and Discord, which is popular with gamers.