How ‘native English’ Scattered Spider group linked to M&S attack operate


If there is one noticeable difference between some members of the Scattered Spider hacking community and their ransomware peers, it will be the accent.

Scattered Spider has been linked to a cyber-attack on UK retailer Marks & Spencer. But unlike other ransomware assailants, its constituents appear to be native English speakers and are not from Russia or former Soviet states.

This helps with one of the techniques in their armoury that a Russian hacker might struggle to replicate: ringing up company IT desks and gaining entry to systems by pretending to be employees, or pretending to be from company IT desks and calling employees.

“Native English authenticity can sometimes lead to an automatic sense of trust. There is a level of perceived familiarity that might cause personnel or even IT teams to lower their guard slightly,” says Nathaniel Jones, the vice-president of threat research at the cybersecurity firm Darktrace.

In November last year, the US Department of Justice gave an insight into Scattered Spider’s alleged personnel by charging five individuals over the targeting of unnamed American companies with “phishing” text messages.

The DoJ alleged that the accused sent fake texts to employees that tricked them into providing confidential information including their company logins. As a result, sensitive data was then stolen – including intellectual property – as well as millions of dollars’ worth of cryptocurrency from people’s digital wallets.

All of the accused were in their 20s at the time they were charged. The DoJ charged four people in the US, their ages ranging from 20 to 25, as well as the Scottish 23-year-old Tyler Buchanan, who was deported to the US from Spain last week. He is due to appear in court in Los Angeles on 12 May.

The US cybersecurity agency revealed Scattered Spider’s IT desk gambit in a notice published in 2023.

Ransomware victims attributed to other Scattered Spider attacks include casino operators MGM Resorts and Caesars Entertainment, which were hit in 2023. After that attack, West Midlands police announced last year it had arrested a 17-year-old in Walsall. West Midlands police has been contacted for an update on the case.

Scattered Spider was named as the alleged perpetrator of the M&S attack by BleepingComputer, a tech news site. BleepingComputer reported that the attackers then deployed a piece of malicious software-for-hire known as DragonForce to disable parts of the retailer’s IT network.

These attacks are known as ransomware attacks because the assailant then demands a substantial payment, typically in cryptocurrency, to restore access to affected computers. Using another gang’s ransomware is a common practice, known as a ransomware-as-a-service model, where the two entities involved share any proceeds.

Analysts at Recorded Future, a cybersecurity firm, said that Scattered Spider was more of an “umbrella term” than a centralised group of financially motivated cybercriminals – hence the “scattered” moniker. The analysts said it is not a “monolithic entity” and it originated in “The Com”, another loosely connected online community engaged in an array of criminal acts from sextortion to cyberstalking and payment card fraud.

“Members and affiliates of Scattered Spider gathered on platforms like Discord and Telegram, most often in closed, invite-only channels and groups,” Recorded Future analysts said.

Ciaran Martin, the ex-chief executive of the UK’s National Cyber Security Centre, said that Scattered Spider was a “rarity” given its non-Russian background.

“An overwhelming majority of ransomware groups are based in Russia. [Scattered Spider] are clearly not, though they seem to have hired Russian code for this attack in DragonForce. But it seems they’re based here and in the US. Hopefully that makes them arrestable. This is unusual,” said Martin, who is a professor at the Blavatnik school of government at the University of Oxford.

Martin added that Scattered Spider’s youthful notoriety should not detract from the threat. “They are a very unusual but potently threatening bunch,” he said.
