A recent report from 60 Minutes has spotlighted a new shift in the dynamics of cybercrime, with hackers from the West collaborating with seasoned Russian ransomware groups. One of the alliances highlighted was that between the Scattered Spider group and the infamous BlackCat syndicate.
The Emergence of Scattered Spider
Identified as a loose-knit group of predominantly young, native-English-speaking hackers, Scattered Spider has gained notoriety for its sophisticated social engineering tactics and its ability to infiltrate high-profile companies and organizations.
According to Allison Nixon, Chief Research Officer at cybersecurity firm Unit 221B, Scattered Spider’s success is rooted in its members’ understanding of cultural nuance and their ability to exploit human vulnerabilities. As Nixon explained, “Part of their success is because they are fluent in Western culture. They know how our society works. They know what to say to get someone to do something.”
Scattered Spider is just one of many illicit hacking groups that make up a sprawling online criminal network known as “the Community” or “the Com.” Cybersecurity researchers have witnessed explosive growth in the number of individuals involved in these activities, from a few hundred in 2018 to thousands today.
“It’s a problem for the global economy, for the U.S. economy, and the security of the United States.”
Bryan Vorndran – Assistant Director, Cyber Division, U.S. Federal Bureau of Investigation
“They connect over the internet. Social spaces where people hang out. Gaming servers,” Nixon said. “It’s almost analogous to the back alley where the bad kids hang out but on the internet.” The members of this community, predominantly young males under the age of 25, engage in an environment where they celebrate and glorify cybercriminal activity.
Alliance with BlackCat
Scattered Spider’s social engineering expertise and English-language skills have made it an attractive partner for one of the most notorious Russian ransomware gangs, BlackCat (also known as ALPHV). With their extensive experience, resources, and malware, these Russian groups have allied with the young Western hackers, creating a potent and dangerous combination.
As Nixon explained, “Historically speaking, Russian cyber criminals did not like working with Western cyber criminals. There was not only a language barrier, but they also looked down on them and viewed them as unprofessional.”
However, the Russian groups now see the native-English-speaking Scattered Spider members as a “force multiplier” for their ransomware attacks.
It’s Just Beginning
One of the most high-profile examples of this partnership in action is the September 2023 ransomware attack on MGM Resorts, which cost the hotel and casino giant more than $100 million. The attack, claimed by both Scattered Spider and BlackCat, disrupted operations at several of the most renowned hotels and casinos on the Las Vegas Strip.
The hackers gained access to MGM’s network through a social engineering attack, impersonating an employee and convincing tech support to reset that employee’s password. This allowed them to unleash destructive malware that crippled the company’s operations.
Ransomware attacks such as these have grown more costly and disruptive every year, and cybersecurity researchers fear they will only worsen. The threat is exacerbated by the safe havens created by foreign nation-states that will not take legal action against these criminals so long as they don’t target organizations within that particular country.
As the FBI’s top cyber official, Bryan Vorndran, stated, “Any way you look at the numbers, it’s a problem for the global economy, for the U.S. economy, and the security of the United States.”
The Wrap
Having overcome previous barriers such as language and mutual distrust, diverse criminal groups such as Scattered Spider and BlackCat have found a synergy that makes them more formidable adversaries than ever before. The international nature of these alliances complicates efforts to combat them, as they operate across borders and within jurisdictions that often provide safe harbor for their activities.
Looking forward, it is clear that the international community must enhance its cooperative efforts to address these threats. Strengthening cybersecurity measures, increasing international legal collaboration, and developing more rigorous monitoring of cybercriminal networks are essential steps in this ongoing battle. As these alliances continue to evolve and adapt, so too must the strategies employed to thwart their increasingly audacious and harmful activities.