In a highly unusual marriage in the cybercrime underground, English-speaking members of “the Comm,” a wide-spanning entity that includes SIM swappers and physically violent criminals, are working with the Eastern European ransomware group called ALPHV, two cybersecurity industry sources told 404 Media. 404 Media granted the sources anonymity to speak more candidly about developments in the cybercrime ecosystem. ALPHV is connected to the recent hack of MGM casinos.
The unlikely bedfellows make powerful partners in crime. Members of the Comm can be highly adept at social engineering, using their native English language skills to take over targets’ phone numbers or sweet talk their way into corporate systems. But they are also unusually audacious in their hacks, showing off their wealth or using threats of violence against targets that other, more stealthy hackers may avoid. Combine that brazenness with the highly professionalized world of Eastern European ransomware-as-a-service, and you have a new alliance that is wreaking havoc across all sorts of industries.
Multiple cybersecurity firms have published research on a loosely defined entity known as “Scattered Spider,” with researchers also using the terms “UNC3994” and “0ktapus” to label similar clusters of activity. On Wednesday, Microsoft published its own blog post which laid out some of the techniques used by what the company calls “Octo Tempest,” which Microsoft says “overlaps” with research into Scattered Spider. Scattered Spider has been widely reported as an entity involved in the hack and subsequent ransom of MGM casinos last month, which led to over $100 million in damages. The ransomware side of the operation—that is, the software used to lock down MGM computers—was from ALPHV, an Eastern European ransomware group.
Scattered Spider’s relationship with ALPHV has been reported by multiple cybersecurity firms and media outlets. Cyberscoop also reported the connection to the Comm. One of 404 Media’s cybersecurity sources said parts of the Comm are working with ALPHV; the second source said many of the people working as part of an affiliate group for ALPHV are in the Comm. They stressed that the activity overlaps and shifts over time, as do personal relationships, however. Both sources have directly tracked the groups involved.
The link to the Comm is important because it puts some of the hackers’ activity into both a cultural and security context. As I’ve reported multiple times, the Comm is a nebulous network of hackers, gamers, people who hang out on Discord, and young girls who are sometimes groomed by other participants. The Comm is large, with hundreds or thousands of participants in various Telegram channels and Discord servers, with many different subsections and subgroups focusing on their own priorities.
In many cases, members of the Comm are not limited to just performing SIM swaps, which is when a hacker takes over a phone number to then break into the target’s online accounts. Members also participate in and commission physical violence. Comm members, for example, have kidnapped one another to gain access to a rival’s cryptocurrency. Gunmen fire weapons at targets’ houses or throw bricks through their windows. Violence only makes up a slice of the Comm, but it carries significant cultural weight throughout the group: Discord and Telegram channels often quickly share videos of the latest robbery or attack. Members have also performed swattings against schools and universities.
SIM swappers’ connection to ALPHV also shows how the world of SIM swapping continues to escalate. Starting years ago, swappers got insiders at telecoms to port phone numbers, or they tricked employees into doing the same. Then, as I reported, some SIM swappers deployed remote access software inside telecoms to access internal SIM swap tools themselves. Along with the physical violence, SIM swappers have now branched out into direct collaboration with professional ransomware groups.
In its blog post, Microsoft included two screenshots of text messages that showed an attacker trying to gain access to a target system through direct threats.
“Send your login rn [right now]. Or I’m getting a corp [corporate] account and getting u fired. Send ur login. Right now. 10 minutes. I’m gonna send someone over there at a random time so. When ur sleeping. U won’t know when,” one series of messages read.
“Send ur login G and everything goes away,” it continued. “Or u can get ur house shot. U pick one.”
“Text the [redacted] password in the next 30 minutes or else ur door is getting kicked down,” the second screenshot reads. “Ur wife is gonna get shot if u dont fold it.”
In mid-2023, Octo Tempest became an affiliate of ALPHV, Microsoft writes. An affiliate is a group or individual that will deploy the ransomware on behalf of ALPHV, with both parties splitting the profits. “This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals,” Microsoft writes. Octo Tempest targeted a spectrum of different industries for extortion, including gaming, hospitality, consumer products, retail, technology, and financial services, Microsoft adds.
Update: this piece has been updated to mention a Cyberscoop report which also linked the activity to the Comm.