In an advisory released last weekend, the FBI and the Cybersecurity and Infrastructure Security Agency revealed further details regarding the cybercrime outfit Scattered Spider and its link with the notorious ALPHV/BlackCat ransomware operation.
Scattered Spider, which goes by multiple aliases including 0ktapus, Starfraud, and Octo Tempest, has reportedly been behind some of the most prominent ransomware attacks in recent memory, according to a Bleeping Computer report. The agile group of 16-year-old English-speaking hackers has broken into networks belonging to Twilio, Reddit, MailChimp, and other companies using cunning social engineering techniques.
The FBI now reveals that some members of Scattered Spider have teamed up with ALPHV/BlackCat, the Russia-based ransomware cartel responsible for significant attacks on the government of Costa Rica and oil giant Shell. Through this partnership, the Scattered Spider actors can use BlackCat to lock down and encrypt systems before extorting money from victims.
Experts say Scattered Spider is hard to track because of its loose, decentralised structure. At least twelve people are known to the FBI, but no one has been charged with a crime as of yet. A subset of them are thought to be affiliated with "The Comm," a hacker collective implicated in recent violent crimes.
Scattered Spider's access strategies prey on human weaknesses. Posing as IT personnel, the actors use phone calls, SMS phishing, and look-alike domain names that imitate corporate services to trick employees into handing over their credentials.
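The look-alike domains mentioned above are something a defender can watch for. The following is an added example, not code from the advisory or the article: it screens newly observed domain names (for instance from a certificate-transparency or new-registration feed) for ones that combine an organisation's brand with an IT/SSO keyword, or that are a near-miss spelling of the brand. The brand `examplecorp`, the legitimate domains, and the observed domains are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: the organisation's brand and legitimate service domains.
ORG_BRANDS = {"examplecorp"}
LEGIT_DOMAINS = {"examplecorp.com", "examplecorp.okta.com", "sso.examplecorp.com"}
# Keywords that phishing domains pair with a brand to look like an IT or SSO service.
SSO_KEYWORDS = ("sso", "okta", "vpn", "login", "help", "helpdesk", "mfa", "verify", "corp")

# Constructed "newly observed" domains, as a feed might deliver them.
OBSERVED = [
    "examplecorp-sso.com", "examplecorp-okta.net", "examplecorp.com",
    "exannplecorp.com", "helpdesk-examplecorp.com", "weather-news.org",
]


def registrable_label(domain):
    # Naive second-level label; adequate for the sample data (no multi-part TLDs).
    return domain.lower().split(".")[-2]


def is_lookalike(domain, brands=ORG_BRANDS, legit=LEGIT_DOMAINS):
    """Return a short reason if `domain` imitates a brand, otherwise None."""
    d = domain.lower().strip(".")
    # The organisation's own domains and their subdomains are never flagged.
    if d in legit or any(d.endswith("." + l) for l in legit):
        return None
    label = registrable_label(d)
    for brand in brands:
        if brand in label:
            # Brand combined with an IT/SSO keyword, e.g. examplecorp-sso, helpdesk-examplecorp.
            parts = [p for p in re.split(r"[-_.]", label) if p and p != brand]
            if any(p in SSO_KEYWORDS for p in parts):
                return f"brand+keyword: {label}"
            return f"brand in label: {label}"
        # Near-miss spelling of the brand (e.g. 'rn' for 'm', doubled letters).
        ratio = SequenceMatcher(None, brand, label).ratio()
        if ratio >= 0.85:
            return f"near-miss spelling of {brand} ({ratio:.2f})"
    return None


def triage(domains):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := is_lookalike(d))}


if __name__ == "__main__":
    for domain, reason in triage(OBSERVED).items():
        print(f"{domain:28s} {reason}")
```

Flagged domains are candidates for blocking at the mail and web gateway and for a takedown request, not proof of malice on their own.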
Once inside, they quietly deploy monitoring tools and remote access trojan (RAT) malware to steal data and to watch incident response discussions in email or Slack. This lets Scattered Spider evade detection, create rogue accounts for lateral movement, and learn how victims are trying to evict them.
Experts advise hardening multi-factor authentication, email security, and network segmentation, and patching against the MITRE ATT&CK techniques listed in the FBI advisory. To ease recovery after an attack, they also recommend reliable data recovery plans and offline backups.
The disclosure of Scattered Spider's inner workings sheds light on the human infrastructure behind sophisticated cybercriminal networks that carry out ransomware attacks. It also illustrates the evolving cyber threat landscape, in which threat actors pool their resources to maximise extortion profits.