Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker
Federal prosecutors identified alleged Scattered Spider hacker Peter Stokes by linking a persistent Windows Global Device Identifier (g:6755467234350028) to the ngrok account used in a luxury jewelry retailer breach. The attackers utilized social engineering against IT help desks to bypass multi-factor authentication, installing tunneling tools like ngrok and Teleport to exfiltrate 77GB of data and attempt ransomware deployment. Investigators correlated the device’s IP address history with Stoke
Analysis
TL;DR
- Federal prosecutors identified alleged Scattered Spider hacker Peter Stokes by linking a persistent Windows Global Device Identifier (g:6755467234350028) to the ngrok account used in a luxury jewelry retailer breach.
- The attackers utilized social engineering against IT help desks to bypass multi-factor authentication, installing tunneling tools like ngrok and Teleport to exfiltrate 77GB of data and attempt ransomware deployment.
- Investigators correlated the device’s IP address history with Stokes’ social media activity and international travel records, leading to his extradition from Finland and charges of conspiracy and fraud.
- Security experts argue Scattered Spider is a decentralized collective of independent cells rather than a single hierarchical organization, meaning individual arrests may not significantly disrupt the broader threat landscape.
Why It Matters
This case highlights the critical vulnerability of human-centric security processes, specifically IT help desk protocols, which remain a primary entry point for sophisticated cybercriminals despite advanced technical defenses. It demonstrates how persistent hardware identifiers and cross-platform data correlation can effectively dismantle anonymity for threat actors, providing a blueprint for law enforcement and security teams to trace operations beyond traditional IP logging. Furthermore, it underscores the need for organizations to implement strict identity verification procedures, such as callback validation or video checks, to mitigate social engineering risks.
Technical Details
- Attribution via Persistent ID: Microsoft provided the FBI with a Global Device Identifier (g:6755467234350028) tied to a specific Windows installation, which survived OS updates and was used to link the attacker’s machine to the ngrok signup and subsequent proxy connections.
- Attack Vector: The intrusion relied on social engineering where attackers posed as locked-out employees to trick IT staff into resetting passwords and MFA devices, gaining control over three accounts, including two IT administrator accounts.
- Tooling and Exfiltration: Once inside, the attackers deployed ngrok and Teleport for tunneling, moved approximately 77GB of data to Amazon cloud storage, and attempted to deploy ransomware, which was blocked by the victim’s security team.
- Correlation Methodology: Investigators mapped the device’s IP usage across multiple services (ngrok, Snapchat, Apple, Facebook) and matched timestamps and locations (Tallinn, New York, Thailand) with Stokes’ travel records and social media posts.
Industry Insight
Organizations must immediately audit and strengthen IT help desk verification processes, moving beyond simple knowledge-based questions to include out-of-band verification methods like callback to registered numbers or manager approval for privileged resets. Security teams should recognize that technical controls like phishing-resistant MFA are ineffective if the underlying identity verification process is compromised via social engineering. Finally, threat intelligence efforts should treat groups like Scattered Spider as decentralized ecosystems; defensive strategies must focus on disrupting shared tooling and communication channels rather than expecting leadership decapitation to end the threat.
Disclaimer: The above content is generated by AI and is for reference only.