FBI urges companies to come forward after cyberattacks amid MGM hack investigation
The Federal Bureau of Investigation is asking companies to share more details about the cyberattacks they're facing as the bureau continues to investigate the Scattered Spider hacking group, an official told reporters Thursday.
- However, the FBI has struggled to arrest group members — even though they're seemingly based in the U.S. and other Western countries — because victims don't come forward and share details about their incidents, according to a Reuters report published Tuesday.
Driving the news: The FBI confirmed during a press call on Thursday that it is actively investigating Scattered Spider and that the hacking group has attacked even more companies since the September attacks on MGM and Caesars.
- While the FBI could not comment on an ongoing investigation, the official told reporters that, overall, the bureau always needs more companies to come forward to help move these investigations along.
What they're saying: "If we don't get detailed, timely and accurate information as to these intrusions, we are not able to take actions on those," the FBI official told reporters on the call.
- "They make mistakes just like we do, so the more data that we have coming in, the better able we're able to make those connections and execute actions against those actions," the official added.
Of note: The Cybersecurity and Infrastructure Security Agency and FBI released an advisory Thursday detailing how Scattered Spider launches attacks and how companies can defend their networks against Scattered Spider.
The big picture: The FBI has long struggled to get companies to come forward as they're battling a cyberattack.
- Victims fear what will happen if they give the FBI broad access to their networks — and whether litigation could follow the incident response. (In the past, the FBI has said it won't share a company's information.)
- During the bureau's takedown of the Hive ransomware gang earlier this year, the FBI noted that only 20% of victims had called the bureau for help.
Threat level: Scattered Spider relies heavily on social engineering to break into company networks.
- The group will often begin their attacks using some form of phishing to get employees at a targeted company to reset their passwords or accidentally share their login credentials, per the advisory.
- Then Scattered Spider will conduct a SIM swapping attack that allows them to access someone's multi-factor authentication code — bypassing a basic and popular security checkpoint.
- Once they've done that, Scattered Spider will use social engineering to convince the company's IT help desk to reset the victim employee's password and use seemingly normal remote work tools to exfiltrate data without raising suspicions.
Be smart: The FBI and CISA recommend organizations implement controls that limit what apps and software employees can download, as well as limit which remote desktop services employees use.