The United States’ Department of Justice (DoJ) yesterday unsealed criminal charges against five individuals, including a 22 year-old British national named as Tyler Robert Buchanan, over their alleged involvement in the Scattered Spider cyber attacks.
During their criminal rampage, the gang used social engineering techniques to game their victims into giving up vital credentials, often relating to IT helpdesks. Most famously, they attacked two mainstays of the Las Vegas entertainment industry, Caesars Entertainment and MGM Resorts.
Buchanan, who was arrested in June 2024 in Spain, faces charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft. He was already on the authorities’ radar following a raid on his home in Scotland in 2023, in which police recovered evidence implicating him as a key player in the gang.
The four US nationals named are: Ahmed Hossam Edin Elbadaway, aka AD, aged 23; Noah Michael Urban, aka Sosa and Elijah, aged 20; Evans Onyeaka Osiebo, aged 20; and Joel Martin Evans, aka joeleoli, aged 25.
Evans was arrested on Tuesday 19 November in North Carolina, while Urban, who was arrested in a separate case earlier this year, is also in custody.
Collectively, the men are charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft.
“We allege that this group of cyber criminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said US attorney Martin Estrada.
“As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.”
Akil Davis, assistant director in charge of the FBI’s Los Angeles Field Office, added: “The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts.
“These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse. I’m proud of our stellar cyber agents whose work led to the identification of the alleged schemers who are facing significant prison time if convicted.”
Each defendant faces a statutory maximum prison sentences of 27 years if convicted, while Buchanan faces an additional 20-year sentence for the wire fraud count.
Inside Scattered Spider
The documents unsealed this week reveal an extensive campaign of malicious activity beginning in late 2021 and running through 2023, although the gang continued to operate with a revised playbook until recently.
The defendants are accused of conducting widespread phishing attacks using mass SMS messages to employees of targeted victims, purporting to come from the victim company or a contracted IT services supplier – often Okta, which the gang also relentlessly victimised, and for a time, it was also branded as 0ktapus.
Frequently, these SMS messages stated that the employee’s account was about to be locked or deactivated, and “conveniently” provided a link to help them address this. Naturally, this link led in reality to a spoofed website in which the unwitting victims readily entered their login credentials, with many of them also authenticating their identities using multifactor authentication (MFA).
These credentials obtained, Scattered Spider was able to access the accounts of victim companies’ employees and from there obtain deeper access into their victims’ IT systems, stealing confidential data and personally identifiable information (PII).
At times, the gang also used ransomware on its victims, acting as an affiliate of the ALPHV/BlackCat operation.
The authorities believe that Scattered Spider often used the data it obtained to gain unauthorised access to numerous cryptocurrency accounts and wallets, and may have stolen millions of dollars’ worth of virtual currency.
Scattered Spider was able to be particularly effective against victims in the UK and US because its core members were native English speakers. This enabled them to appear more convincing in their messaging and interactions – compared with Russian speakers, who can frequently be unmasked thanks to various linguistic quirks, prominently the misuse or omission of the definite article when speaking English.
The gang was also somewhat renowned for making threats of real-world retaliation against non-compliant victims, with people reporting that they were told they would lose their jobs, or face physically violent retribution against themselves and their families.
“Rather than using basic email phishing, the attackers took things a step further to make their attack look more convincing,” said William Wright, CEO of Scotland-based Closed Door Security.
“They tracked an employee on LinkedIn and then contacted an IT helpdesk worker requesting a password reset. Once the new password was secured, they then conducted an MFA fatigue attack which was enough to grant them with system access. The single attack was highly targeted, but its returns were immense.
“The attack highlighted that when it comes to social engineering, criminals have many tricks up their sleeves. To counter these threats, organisations must run security tests across their networks to identify weaknesses either among employees or digital architecture,” he said.
Consequences
“These individuals, and other actors who they have collaborated with, have caused so much pain and financial harm to organisations … through their disruptive intrusions,” said Charles Carmakal, chief technology officer at Google Cloud-owned Mandiant.
“This is a nice win for law enforcement that over time has significantly hampered the group’s fast-paced tempo this year. We hope this sends a message to the other actors they collaborate with that they aren’t immune to consequences.”