US authorities arrest five alleged members of Scattered Spider collective

American prosecutors have charged five people accused of being part of the Scattered Spider hacking collective.

The four Americans and one Scot are accused of a litany of cybercrimes including conducting phishing attacks and stealing $11 million in cryptocurrency from at least 29 victims, according to court documents.

A spokesperson from the US Department of Justice (DOJ) confirmed the case was related to the Scattered Spider group, responsible for a number of high profile breaches in recent years — including a major attack on MGM resorts in 2023.

The court indictment described the group as being members of a “loosely organized financially-motivated cybercriminal group whose members primarily target large companies and their contracted telecommunications, information technology, and business process outsourcing suppliers”.

“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said Martin Estrada, US Attorney.

The defendants are accused of orchestrating phishing attacks by sending waves of SMS messages to mobile phones of individuals, claiming to be from their employer or a related IT or business service partner.

Four of the five individuals named in the indictment were based in the US, with one of the accused, Tyler Robert Buchanan, from the UK. If convicted, each defendant could be sentenced to up to 24 years in federal prison, for a combination of charges including conspiracy to commit wire fraud and aggravated identity theft.

Personalized attacks

William Wright, CEO at Closed Door Security, said the group’s tactics were notable because they extensively stalked targets via LinkedIn to personalize attacks and increase the likelihood of success.

“Rather than using basic email phishing, the attackers took things a step further to make their attack look more convincing,” he said. “They tracked an employee on LinkedIn and then contacted an IT helpdesk worker requesting a password reset. Once the new password was secured, they then conducted an MFA fatigue attack which was enough to grant them system access.”

“The single attack was highly targeted, but its returns were immense,” he added. “The attack should also act as a warning to other businesses — one stolen password can be enough to cause millions of pounds in damages.”

Big blow to Scattered Spider

Scattered Spider was responsible for a major cyber attack on MGM resorts in September 2023, which brought the operations at numerous hotels including the Bellagio, the Cosmopolitan, and Mandalay Bay to a standstill. Guests reported slot machines, ATMs, digital key cars, electronic payment systems, and online reservations portals were all out of action as a result of the disruption.

Following the attack, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) announced it would be cracking down on the group. In January 2024, one of the accused, Michael Noah Urban, was arrested in Florida, showing the joint effort was starting to bear fruit, but security experts warned in May that attacks were still “pretty heavy right now”.

The agencies issued a joint advisory on 17 November 2023 requesting any victims of the Scattered Spider group come forward with ransom notes, crypto wallet information linked to the group and decryptor files, to assist their investigations.

Wright described the recent arrests as a “big blow” to the operation, while Erich Kron, security awareness advocate at KnowBe4, noted law enforcement agencies have previously struggled with the distributed nature of many hacking groups.

“It is always refreshing to see cybercriminals held accountable for their actions, as it happens so rarely,” he said. “In many cases, law enforcement may even know the identities of the bad actors, but they are hidden away in countries from which we cannot extradite them, making prosecution almost impossible, even if we have charged them with a crime.”