The FBI has faced criticism before following a major cyber incident, but a new report Tuesday by Reuters calls out law enforcement for not making arrests for the September attacks on MGM Resorts International and Caesars Entertainment.
Reuters quoted executives from leading security companies such as CrowdStrike and ZeroFox saying the FBI has known the identities of at least a dozen members of the hacking group Scattered Spider for more than six months, but not much has happened.
"I would love for somebody to explain it to me," Michael Sentonas, president of CrowdStrike told Reuters. "For such a small group, they are absolutely causing havoc.”
The MGM hack disrupted operations at its casinos and hotels for days and cost the company roughly $100 million in damages, MGM said in a regulatory filing last month. Caesars reportedly paid $15 million in ransom to regain access to its systems from the hackers.
According to Reuters, ZeroFox's Chief Executive Officer James Foster attributed law enforcement's sluggish response to a lack of manpower.
This has become an issue for the FBI, as numerous press reports over the past two years have described how the FBI has lost many of its best cyber agents to the private sector for better paying jobs. And it’s not just the FBI that loses cyber talent, the issue afflicts all agencies across the federal government.
Callie Guenther, senior manager, cyber threat research at Critical Start, added that issues such as limited manpower and the lure of lucrative private sector jobs for skilled cyber agents present significant hurdles. Additionally, Guenther said the hesitancy of victim companies to cooperate with investigations, fearing reputational damage or other consequences, further complicates the efforts of law enforcement agencies.
Mixed response for FBI's handling of Kaseya attack
In terms of other cases where the FBI faced criticism, Guenther said the Kaseya ransomware attack in 2021 is a notable example. Similar to the "Scattered Spider" case, Guenther said the Kaseya incident showcased the difficulties in responding to and mitigating fast-spreading, highly damaging cyberattacks.
“The FBI's approach in the Kaseya case, particularly their decision to withhold a decryption key for a period, was met with mixed responses, underscoring the complex ethical and strategic decisions involved in cybercrime responses,” said Guenther. “The case of Scattered Spider is indicative of a new era of cyber threats where criminal groups employ aggressive tactics, including threats of physical violence. This escalation in criminal strategies requires an equally robust and innovative response from law enforcement and cybersecurity experts.”
Krishna Vishnubhotla, vice president of product strategy at Zimperium, said there's clearly a shortage of manpower and a reluctance among victim companies to report breaches that make it difficult for FBI agents to solve cases.
“And while companies, such as CrowdStrike, Mandiant, Palo Alto Networks and Microsoft, will continue to play a critical role in assisting the FBI, ransomware will only worsen as it becomes more prevalent on mobile devices, making it easier to target and compromise specific individuals,” said Vishnubhotla.
“This scenario highlights the rapid evolution of cyber threats, the importance of cross-sector cooperation, and the difficulties posed by so many hacker groups that have specialized manpower, sophisticated tools and operate in a decentralized manner globally,” said Vishnubhotla.
The FBI did not respond to attempts for comment by SC Media.