There’s a new generation of hackers in town. Brought up with digital currency, skilled at social engineering, and aided by online resources their predecessors could only dream of, young internet raiders—some still teenagers—are finding creative ways to rob some of the world’s largest firms and making off with eye-popping sums.
Since late last year, more than 100 organizations, from Comcast to Clorox to Grubhub, have been targeted by a hacking group known as Scattered Spider, also known as Muddled Libra or UNC3944, whose members authorities believe are between just 17 and 22 years old. The group grabbed headlines last month after breaching the systems of MGM Resorts and Caesars Entertainment, snarling some of Las Vegas’ biggest hotels for days and extracting a reported $15 million ransom from Caesars. MGM, which refused to pay the ransom, reported a $100 million loss from the attack.
The attackers, said to be native English speakers, reportedly used details from MGM employees’ social media profiles to impersonate them in carefully planned phone calls, tricking the company’s help desk into bypassing multifactor authentication and granting access to company applications and websites. Once inside, they stole more data and credentials before immobilizing MGM’s systems unless the gambling giant paid up.
Cybersecurity experts say the attack was notable because it didn’t rely on malware to make the initial intrusion. “The majority of this attack was done using legitimate remote access tools, legitimate software that’s already on the endpoints, and logging in with the regular credentials of a user who was supposed to be there,” says Andy Thompson, an offensive tech researcher at CyberArk. Only in the final steps of the attack did the group deploy ransomware, which was created by another affiliated hacking gang called AlphV/BlackCat.
That division of labor has become increasingly common in the hacking world. Unlike previous generations of hackers who had to mastermind their own attacks from start to finish, experts say the different components of a hack are now sold as services. “Newer hacking operations are run like a business,” says Michael Sikorski, CTO of Palo Alto Networks’ Unit 42 threat research firm. Ransomware can be acquired “almost like a McDonald’s,” he says, “where they come in, sign a contract as a franchise, and then they get access.” In other words, an attacker can focus its skills in one area—in Scattered Spider’s case, social engineering—and then hand off the attack to another team.
Gen Z hackers are the first generation to learn their skills in an age where transaction-filled online games are the norm. Thompson says he’s seen hackers as young as 12 years old, “rolling straight out of Roblox,” where they got started by robbing other players’ virtual currencies. “They’re cutting their teeth learning [the cyberattack technique] SQL injections to steal credentials of users to drain their accounts. These same concepts are just as applicable in large commercial enterprises.”
After online games, young hackers start experimenting with cryptocurrency—“literally the enabler for digital extortion,” says Thompson. “If it wasn’t for [Bitcoin inventor] Satoshi Nakamoto, we wouldn’t have this situation.” Crypto isn’t just a medium for ransom, it also gives hackers a way to steal companies’ computing resources. “As an attacker, they’re no longer going after the data center as much as they’re going for the root account to your AWS panel,” says Thompson. “They want to get access to your Jenkins stacks so they can create crypto miners in your cloud platform.”
Shifts in tech education make it likelier that young hackers know their way around a company’s tech infrastructure, even if they’ve never worked a corporate job. “If you look at what they’re teaching students, they’re doing all their development in the cloud,” says Palo Alto Network’s Sikorski. Hackers are also taking advantage of a boom in companies adopting open-source software. “Gen Z grew up doing their school projects contributing to open source,” says Aviv Mussinger, the CEO of Kodem, a Tel Aviv-based application security team. “They know how it works, but they also know the vulnerabilities in how it works.”
Mussinger says companies need to be alert to the dangers lurking in some of the most common open source frameworks. In 2021, organizations around the world scrambled to patch the ubiquitous open source library Log4j after Minecraft players discovered a vulnerability in the library that could allow attackers to control someone else’s computer with a single line of code. And that’s just a more well-known example. “In open source security, you hear about another huge vulnerability every week,” he says.
But Scattered Spider demonstrates that the most damaging hacks don’t necessarily require cutting-edge, zero-day exploits; they center around tricking people into doing the wrong thing. And with AI making it easier to generate convincing-sounding language, “I think we’re going to see a trend back toward social engineering being the most popular attack out there,” Sikorski says.
So how should organizations stay safe? It remains ever-critical to keep software up to date—especially keeping tabs on open source libraries and their sub-dependencies, Mussinger says. Another safeguard is good old-fashioned user awareness, says Thompson. “If people are aware of how to prevent phishing and impersonation, these are the things that will really be that front line of defense.”
Recognize your brand’s excellence by applying to this year’s Brands That Matter Awards before the final deadline, June 7.
Sign up for Brands That Matter notifications here.
