SCOTTSDALE, Ariz. — Over the past two years, a string of prominent cybersecurity breaches all have one thing in common: the involvement of a small online community of primarily young people dedicated to carrying out brash incursions.
Speaking on the sidelines of SentinelOne’s second annual LABScon cyber threat intelligence conference, a team of researchers who have studied these online communities described to CyberScoop how an online community calling itself “the Com” has carved out a key role for itself in the broader online criminal ecosystem — including by participating in recent attacks on Las Vegas resorts that crippled several prominent hotels and casinos.
Speaking on condition of anonymity to describe the actions of a hacking group with a history of violence against its perceived enemies, the researchers say the emergence of the Com illustrates the need for policymakers and the cybersecurity community to take a much harder line against the youth-led cybercrime ecosystem.
Teenagers and culprits in their early 20s are increasingly pulling off high-profile hacks using advanced skills and loudly bragging about their exploits in language filled with racism and misogyny, with the Com serving as a radicalizing environment for some of these cybercriminals.
“If you take out all the stupid stuff and just look purely at the capabilities,” the researcher said, “this is incredibly powerful.”
Policymakers and network defenders at some of the world’s biggest companies tend to dismiss this cybercriminal ecosystem as a rung below the threat posed by state-backed hackers, but recent breaches are making clear that this new generation of hackers is highly capable.
Individuals within one of the Com’s subgroups, known as “Star Fraud,” were likely involved in the recent high-profile Caesars Entertainment and MGM Resorts extortion attacks, the researchers said, demonstrating the seriousness of the danger posed by the larger ecosystem.
ALPHV, an established ransomware-as-a-service operation thought to be based in Russia and linked to attacks on dozens of entities, claimed responsibility for the Caesars and MGM attacks in a note posted to its website earlier this month. Experts had said the attacks were the work of a group tracked variously as UNC3944 or Scattered Spider, which has been described as an affiliate working with ALPHV, made up of people in the United States and Britain who excel at social engineering.
But the term Scattered Spider isn’t accurate, the researchers at LABScon said, as it lumps the activities of multiple disparate and sometimes rival groups from within the Com ecosystem into one entity. The groups mimic and learn tactics from each other and may appear as the same thing, the researcher said, but they’re different. A person claiming to be a member of Scattered Spider spoke with multiple news outlets, including CyberScoop, and claimed responsibility for the MGM hack but not Caesars, in what was an example of the fractious Com ecosystem.
The attacks emanating from the Com ecosystem go far beyond the Las Vegas resorts recently hit. Earlier this week, an executive at Okta, the identity management company, told Reuters that beyond Caesars and MGM, three additional clients of the firm had been hit by the same cluster of activity. In the last two years, major corporations ranging from Nvidia to Samsung to Microsoft have all been targeted by a group known as Lapsus$, some of whose members emerged from the Com ecosystem, the researcher said.
An August 2023 Cyber Safety Review Board report on Lapsus$ recommended that Congress explore funding juvenile cybercrime prevention programs as part of a “whole-of-society” approach to address youth cybercrime.
The FBI has been involved in multiple investigations involving people associated with the Com for alleged violent activity, Vice reported in May. In a May 2023 affidavit, an FBI agent described the Com as a “group of cyber-criminal actors” that is “geographically diverse” and organizes in various subgroups to “engage in various types of criminal activity to include cyber intrusions, SIM swapping, cryptocurrency theft, commissioning real life violence, and Swatting,” the practice of sending armed emergency response teams to a victim’s location under false pretenses.
Cybersecurity firms have described this grouping of online cybercriminals as highly skilled in social engineering, particularly because they count among their members a large number of native English speakers who are adept at calling IT help desks and convincing technicians to hand over corporate credentials.
The researchers who presented at LABScon cautioned that these young cybercriminals are now working together with global ransomware syndicates that have track records of extortion around the world and tens of millions of dollars in ransoms paid.
The role of the Com in inducting these young hackers into a life of crime is akin to the well-documented issue of how toxic online communities can radicalize children, one of the researchers said. “The radicalization is cybercrime and being the worst human being you can possibly be,” the researcher said.