After evading capture for more than two years following a hacking spree that targeted some of the world’s biggest tech companies, U.S. authorities say they have finally caught at least some of the hackers responsible.
In August 2022, security researchers went public with a warning that a group of hackers had targeted over 130 organizations as part of a sophisticated phishing campaign that stole the credentials of almost 10,000 employees. The hackers were specifically targeting companies that used Okta, a single sign-on provider used by thousands of companies worldwide to let their employees log in from home.
Because of its focus on Okta, the hacking group was dubbed “0ktapus.” To date, the group hacked Caesars Entertainment, Coinbase, DoorDash, Mailchimp, Riot Games, Twilio (twice), and dozens more.
The hackers’ most notable sizable cyberattack by way of downtime and impact was the hack against MGM Resorts in September 2023, which reportedly cost the casino and hotel giant at least $100 million. In that case, the hackers worked with the Russian-speaking ransomware gang ALPHV, and demanded a ransom from MGM for the company to get its files back. The hack was so disruptive that the casinos owned by MGM had trouble providing services for days.
For the last two years, as law enforcement has been closing in on the hackers, people in the cybersecurity industry tried to figure out exactly how to categorize the hackers and whether to put them in one group or another.
The hackers’ techniques, such as social engineering, email and text message phishing, and SIM swapping, are common and widespread. Some of the individual hackers were part of several groups responsible for different data breaches. These circumstances have made it difficult to understand exactly who belongs in what group. Cybersecurity giant CrowdStrike dubbed this umbrella group of hackers “Scattered Spider,” and researchers believe there is some overlap with 0ktapus.
The group was so active — and successful — that U.S. cybersecurity agency CISA and the FBI issued an advisory in late 2023 with details on the group’s activities and techniques, in an attempt to help organizations prepare for and defend against anticipated attacks.
Scattered Spider is “a cybercriminal group that targets large companies and their contracted IT help desks,” CISA wrote in its advisory. The agency warned that the group “have typically engaged in data theft for extortion,” and noted their known links to ransomware gangs.
One thing that’s relatively certain is that the hackers are mostly English-speaking, and widely believed to be in their teens and early-20s — and sometimes referred to as “advanced persistent teenagers.”
“There is a disproportionate number of minors involved, and tha …