
Scattered Spider, a group of young English-speaking hackers, has inflicted over $807 million in market value losses at Marks & Spencer while bringing Las Vegas casinos to their knees—all by tricking employees into giving up their credentials.
Key Takeaways
- Scattered Spider is a group of young hackers from the U.S., U.K., and Canada who combine social engineering tactics with Russian ransomware technology
- The group caused up to $403 million in operating losses at Marks & Spencer and over $100 million in damages at MGM Resorts
- Unlike traditional hackers, Scattered Spider is motivated by both financial gain and media attention, targeting multiple companies in the same sector before moving on
- Their preferred method is social engineering—analyzing organizations and impersonating staff to manipulate employees into providing access credentials
- Basic security measures like least privilege access, separation of duties, and behavioral monitoring can help protect against such attacks
Las Vegas Goes Dark: The MGM Attack
In September 2023, Las Vegas visitors experienced an unprecedented disruption when MGM Resorts fell victim to a devastating cyberattack. Slot machines went dark, elevators stopped working, and digital systems crashed across multiple properties. The attack, later attributed to Scattered Spider, cost MGM over $100 million in damages after the company refused to pay a $30 million ransom demand. The attack crippled operations at some of the world’s most famous casino resorts and revealed alarming vulnerabilities in corporate cybersecurity systems.
“Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumbling that something was going on. When I went down into the casino, I could see then that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect,” said Anthony Curtis, Las Vegas advisor.
While MGM stood firm against the extortion attempt, Caesars Entertainment took a different approach when targeted by the same group. Facing a similar threat, Caesars paid a $15 million ransom to avoid the operational chaos that MGM experienced. This contrasting response highlights the difficult decisions companies face when confronted with ransomware attacks—pay quickly and quietly or resist and potentially suffer greater financial damage. The FBI typically advises against paying ransoms, but acknowledges that during a crisis, it becomes a business decision that each company must evaluate individually.
The Human Vulnerability: Social Engineering Tactics
What makes Scattered Spider particularly dangerous is their sophisticated social engineering approach. Rather than relying solely on technical exploits, the group meticulously researches organizational structures and employee information. Armed with this intelligence, they impersonate IT staff or other trusted individuals to manipulate employees into providing access credentials. This human-centered approach bypasses many traditional security measures that focus primarily on technological defenses, exposing a fundamental weakness in corporate security frameworks.
“They’re not exclusively financially motivated — they like the clout, they like the mainstream media attention,” said Charles Carmakal, Mandiant Chief Technology Officer.
In the case of MGM, investigators discovered that the breach occurred after hackers convinced an employee to provide access to internal systems. This tactic has proven consistently effective across multiple high-profile attacks. Security experts have noted that Scattered Spider meticulously studies their targets, gathering information from corporate websites, social media profiles, and other publicly available sources to make their impersonation attempts more convincing. This preparation allows them to speak with authority and familiarity that disarms potential suspicion from employees.
The Russian Connection: A Dangerous Partnership
Scattered Spider represents a troubling evolution in cybercrime—the collaboration between Western hackers and Russian ransomware groups. Operating under the “ransomware as a service” model, Russian gangs like BlackCat provide the infrastructure and malware while Western affiliates like Scattered Spider handle the initial breaches. This partnership combines the technical resources of Russian cybercriminals with the social engineering skills and cultural fluency of English-speaking hackers, creating a particularly potent threat to Western businesses.
“They tend to hit a bunch of companies in the same sector for a few weeks before they move on,” said Charles Carmakal, Mandiant Chief Technology Officer.
The Russian gangs operate with virtual impunity from their home country, so long as they avoid targeting Russian entities. This protection has allowed them to develop sophisticated ransomware platforms that they can then share with Western partners. The relationship is mutually beneficial—Russian groups extend their reach into Western companies through their English-speaking affiliates, while groups like Scattered Spider gain access to advanced ransomware technologies and infrastructure that might otherwise be beyond their capabilities.
Protecting Against Social Engineering Attacks
As Scattered Spider and similar groups continue to evolve their tactics, organizations must implement comprehensive security measures that address both technical and human vulnerabilities. Multi-factor authentication alone is no longer sufficient, as social engineers have developed methods to circumvent even these additional security layers. Companies must adopt a more holistic approach to security that includes regular employee training, strict verification protocols for system access requests, and careful monitoring of unusual account activities.
“There are standard approaches to addressing such threats, including least privilege access, separation of duties, and monitoring and alerting on suspicious activities. Behavioral monitoring is another key area, and we will likely hear more about its role in future security solutions and controls,” said Randolph Barr, Chief Information Security Officer.
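The controls named above (separation of duties on access requests, behavioral monitoring of account activity, least privilege) can be expressed as detection rules over an account event stream. The following is an added example, not part of the original article; the event schema, field names, account names and 30-minute window are assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); the schema is an assumption.
EVENTS = [
    {"ts": "2024-01-15T09:00:00", "type": "login", "user": "alice", "device": "LAPTOP-A1"},
    {"ts": "2024-01-15T13:02:00", "type": "credential_reset", "user": "alice",
     "requested_by": "helpdesk-7", "approved_by": "helpdesk-7"},
    {"ts": "2024-01-15T13:09:00", "type": "login", "user": "alice", "device": "UNKNOWN-77"},
    {"ts": "2024-01-15T13:15:00", "type": "admin_action", "user": "alice", "action": "add_role"},
    {"ts": "2024-01-15T14:00:00", "type": "credential_reset", "user": "bob",
     "requested_by": "helpdesk-3", "approved_by": "helpdesk-9"},
    {"ts": "2024-01-15T14:20:00", "type": "login", "user": "bob", "device": "LAPTOP-B2"},
]
BASELINE = {"alice": {"LAPTOP-A1"}, "bob": {"LAPTOP-B2"}}  # known devices per user
ADMINS = {"carol"}               # accounts entitled to admin actions
WINDOW = timedelta(minutes=30)   # how long a reset keeps a login "suspicious"

def detect(events, baseline, admins, window=WINDOW):
    """Return (rule, user) alerts in time order."""
    alerts = []
    last_reset = {}  # user -> time of most recent credential reset
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "credential_reset":
            last_reset[user] = ts
            # Separation of duties: a reset needs an approver other than the requester.
            if ev.get("approved_by") in (None, ev["requested_by"]):
                alerts.append(("sod_violation", user))
        elif ev["type"] == "login":
            recent = user in last_reset and ts - last_reset[user] <= window
            # Behavioral monitoring: unfamiliar device shortly after a reset.
            if recent and ev["device"] not in baseline.get(user, set()):
                alerts.append(("new_device_after_reset", user))
        elif ev["type"] == "admin_action" and user not in admins:
            # Least privilege: admin action from an account not entitled to it.
            alerts.append(("unentitled_admin_action", user))
    return alerts

if __name__ == "__main__":
    for rule, user in detect(EVENTS, BASELINE, ADMINS):
        print(f"ALERT {rule}: {user}")
```

The second reset in the sample (approved by a different person, followed by a login from a known device) raises nothing, which is the behavior a verified request should have.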
Law enforcement has made some progress, including the arrest of a 19-year-old hacker linked to Scattered Spider, but the group remains active and dangerous. The collaboration between the FBI, NSA, and private security firms has intensified following high-profile attacks like the Colonial Pipeline incident, which prompted President Trump’s administration to dedicate increased resources to combating foreign cyber threats. Despite these efforts, the ransomware industry continues to thrive, with estimated global losses exceeding $1 billion annually—a number that continues to grow as attacks become more sophisticated and widespread.