Ex-NSA analyst listened to Scattered Spider's calls: 'They're good' - The Register
INTERVIEW The call came into the help desk at a large US retailer. An employee had been locked out of their corporate accounts.

But the caller wasn't actually a company employee. He was a Scattered Spider criminal trying to break into the retailer's systems, and he was "really good," according to Jon DiMaggio, a former NSA analyst who now works as chief security strategist at Analyst1.

Scattered Spider is a cyber gang linked to SIM swapping, fake IT calls, and ransomware crews like ALPHV. They've breached big names like MGM and Caesars and, despite arrests, keep evolving. They're tracked by Mandiant as UNC3944, also known as Octo Tempest.

DiMaggio listened in on this call, one of the group's recent attempts to infiltrate American retail organizations after hitting multiple UK-based shops. He won't name the company, other than to say it's a big US retail organization. This attempt did not end with a successful ransomware infection or stolen data.

"But I got to listen to the phone calls, and those guys are good," DiMaggio told The Register. "It sounded legit, and they had information to make them sound like real employees."

Scattered Spider gave the help desk the employee's ID and email address. DiMaggio said he suspected the caller first social-engineered the employee to obtain this data, but that is an assumption.

Neither value is a secret: employee IDs and email addresses circulate in directories, email signatures and earlier breach dumps, so a help desk that accepts them as proof of identity is checking what the caller knows about the employee, not who the caller is.

"The caller had all of their information: employee ID numbers, when they started working there, where they worked and resided," DiMaggio said. "They were calling from a number that was in the right demographic, they were well-spoken in English, they looked and felt real. They knew a lot about the company, so it's very difficult to flag these things. When these guys do it, they're good at what they do."

Luckily, the target was a big company with a big security budget, and it employs several former government and law enforcement infosec officials, including criminal-behavior experts, on its team. But not every organization has this type of staffing or resources to ward off these types of attacks, where the would-be intruders are trying to break in from every access point.

"They are resourceful, they're smart, they're fast," Mandiant CTO Charles Carmakal told The Register.

"One of the challenges that defenders have is it's not the shortage of network alerts," he added. "You know when Scattered Spider is targeting a company because people are calling the help desk and trying to reset passwords. They are running tools across an enterprise that will fire off on antivirus signatures and EDR alerts, tons and tons and tons of alerts. They operate at a speed that can be hard to defend against."

In this case, sometimes the best option, albeit a painful one, is for the organization to break its own IT systems before the criminals do.

This appears to have been the case with British retailer Co-op, which pulled its systems offline before Scattered Spider could encrypt its files and move throughout its networks.

"Following the malicious third-party cyberattack, we took early and decisive action to restrict access to our systems in order to protect our Co-op," a spokesperson told The Register. "We are now in the recovery phase and are taking steps to bring our systems gradually back online in a safe and controlled manner."

The outfit said customers will see "improved stock availability in our food stores and online beginning this weekend," and added it is working closely with suppliers to restock its brick-and-mortar stores.

"All payment forms and systems are now up and running across the business," we're told.
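Carmakal's remark that the first visible sign of the group is a run of people phoning the help desk for password resets can be turned into a simple detection. What follows is an added example, not code from The Register, Mandiant or Analyst1. The ticket-log format (one line per ticket with `key=value` fields), the sample records, the function names and the thresholds are all assumptions, and the records are constructed, not real data. It flags a burst of phone-channel password or MFA reset tickets inside a sliding window, and any single calling number that requests resets on more than one account.

```python
"""Flag help-desk credential-reset activity that looks like a phone-based
social-engineering campaign: many phone-channel password/MFA resets in a short
window, or one calling number asking for resets on several accounts.

Added example. Log format, field names and thresholds are assumptions, not
anything the article or the vendors quoted in it describe.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket types that change who can log in as the account holder.
RESET_TYPES = {"password_reset", "mfa_reset"}

# Constructed sample help-desk ticket log (not real data): one ticket per line,
# 'timestamp key=value ...'. Ordinary daily noise plus a burst driven by one caller.
SAMPLE_LOG = """\
2025-05-20T08:15:00 type=password_reset account=b.nguyen caller=+15550001 channel=portal
2025-05-20T08:40:00 type=vpn_issue account=c.ortiz caller=+15550002 channel=phone
2025-05-20T09:02:00 type=password_reset account=a.jones caller=+15550100 channel=phone
2025-05-20T09:09:00 type=mfa_reset account=a.jones caller=+15550100 channel=phone
2025-05-20T09:21:00 type=password_reset account=d.patel caller=+15550100 channel=phone
2025-05-20T09:34:00 type=password_reset account=e.kim caller=+15550101 channel=phone
2025-05-20T09:41:00 type=mfa_reset account=f.lee caller=+15550102 channel=phone
2025-05-20T09:55:00 type=password_reset account=g.sato caller=+15550103 channel=phone
2025-05-20T14:10:00 type=printer caller=+15550004 account=h.wu channel=phone
"""


def parse_ticket(line):
    """Parse one 'ts key=value ...' line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def phone_resets(lines):
    """Keep only phone-channel credential-reset tickets, sorted by time."""
    recs = [parse_ticket(line) for line in lines if line.strip()]
    recs = [r for r in recs
            if r.get("type") in RESET_TYPES and r.get("channel") == "phone"]
    return sorted(recs, key=lambda r: r["ts"])


def detect_reset_bursts(log_text, window_minutes=60,
                        burst_threshold=5, per_caller_threshold=2):
    """Return a list of alert dicts.

    rule 'reset_burst': at least burst_threshold phone resets fall inside one
    sliding window of window_minutes (reported once, at the first window that
    crosses the threshold).
    rule 'multi_account_caller': one calling number requested resets for at
    least per_caller_threshold distinct accounts inside such a window
    (reported once per caller).
    """
    resets = phone_resets(log_text.splitlines())
    window = timedelta(minutes=window_minutes)
    alerts = []
    burst_reported = False
    callers_reported = set()
    start = 0
    for end, rec in enumerate(resets):
        # Slide the window start forward so resets[start:end+1] spans <= window.
        while rec["ts"] - resets[start]["ts"] > window:
            start += 1
        in_window = resets[start:end + 1]

        if not burst_reported and len(in_window) >= burst_threshold:
            alerts.append({"rule": "reset_burst", "count": len(in_window),
                           "first": in_window[0]["ts"].isoformat(),
                           "last": rec["ts"].isoformat()})
            burst_reported = True

        accounts_by_caller = defaultdict(set)
        for r in in_window:
            accounts_by_caller[r["caller"]].add(r["account"])
        for caller, accounts in accounts_by_caller.items():
            if caller not in callers_reported and len(accounts) >= per_caller_threshold:
                alerts.append({"rule": "multi_account_caller", "caller": caller,
                               "accounts": sorted(accounts)})
                callers_reported.add(caller)
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_bursts(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises two alerts: the caller at +15550100 asks for resets on two different accounts within twenty minutes, and the enterprise-wide count of phone resets reaches five inside an hour. The thresholds have to be tuned against the organization's own baseline of reset calls; the per-caller rule is the higher-signal one, since a legitimate employee rarely phones about someone else's account. Neither rule replaces a reset procedure that verifies the caller through something an outsider cannot obtain from a directory, such as a callback to a number already on file or a manager's confirmation.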
Copyright 1998-2025. All rights reserved.