Security researchers have been vague about the makeup of the group, agreeing mainly that members are generally English-speaking, financially motivated and have been very active in the past two years, targeting large companies via stolen employee credentials and tricks such as convincing tech support employees that they have been accidentally locked out of their computers and need a new password.
They moved from cryptocurrency thefts to targeting businesses that provide third-party business functions such as help desks and call center staffing, allowing them to infiltrate networks of many customers. And they extorted Western Digital and other technology firms after stealing internal data before heading for the jackpots in Las Vegas.
But their willingness to deploy crippling ransomware while demanding money is a major escalation, as is their choice of a business partner: ALPHV, a hacking group whose affiliates include members of the former Russian powerhouses BlackMatter and DarkSide, the groups responsible for the Colonial Pipeline hack that awoke Washington to the national security risk of ransomware. ALPHV provided the BlackCat ransomware that the young hackers installed in the casinos’ systems.
New research being presented Friday at the LABScon security conference outside Phoenix gives an origin story to the hackers, who the experts say call themselves Star Fraud. They say the group consists of a few dozen hackers who have connected online and are part of a much larger association known internally as the Com, short for community.
Star Fraud has left clues through giving public shout-outs to associates and other unsophisticated behavior. Like others in the Com, they came together through crimes enabled by SIM-swapping, which usually involves convincing phone company employees to hand over control of someone else’s phone number.
Because of poor security controls around those numbers, such gambits have allowed criminals to amass millions of dollars by beating SMS text-based two-factor authentication on cryptocurrency accounts.
The extra money has made alliances possible with criminals who have different skills to bring to the table, including some who had hacked police servers and could send emails from purported officers demanding emergency disclosures of information on phone and internet customers.
Worse, the researchers said, they have now attracted recruiters for the Russian gangs who want to combine their business savvy with the techniques and local knowledge of the native English speakers.
“Pre-big money, they were sextorting girls and trying to get them to kill themselves. There is something really sociopathic going on with these people,” the lead researcher told The Washington Post on the condition that they not be named to avoid being targeted by the gangs.
In the MGM hack, the group won control of Okta authentication servers that gave them wide authority over internal services.
The Star Fraud group in some ways followed the trajectory of the gang Lapsus$, which stole source code from major companies with similar techniques and prompted a federal review of the root causes of the group’s rise.
But Star Fraud has gone further, the researchers said, and such groups now have many thousands of online volunteers to draw from.
The FBI, which succeeded in breaking up some of the ransomware groups in the wake of the Colonial Pipeline hack, said that it will continue to chase overseas criminals as well as their youthful affiliates.
“Criminals can be assured that the FBI will pursue all illegal activity with the same vigor and commitment to process,” it said in a written statement to The Post. “We work in close collaboration with our federal and international partners to ensure that bad actors face the consequences of their actions.”