
Insights into the controversial cybercriminal collective, Scattered Spider

Hackers' infamous group under scrutiny by multiple international governments.

The cybercriminal group Scattered Spider, also known by various aliases such as Muddled Libra, Octo Tempest, Scatter Swine, and UNC3944, is currently employing new and evolving techniques to launch attacks against multiple industries.

The group debuted on the scene in September 2023 with a ransomware attack against hotel and casino giant MGM Resorts, costing the company over $100 million. Since then, Scattered Spider has expanded its targets, moving beyond hospitality and retail to critical infrastructure, insurers, airlines, and other sectors internationally.

Scattered Spider consists largely of English-speaking young men, including many teenagers, from the U.S. and the U.K. Authorities estimate that the group may have as many as 1,000 members, operating not as a consolidated, centralized unit, but rather in multiple subsets, each with its own set of targets and collection of preferred techniques.

The group's tactics show a high level of agility and sophistication in social engineering, MFA bypass, credential theft, and rapid data exfiltration. Their social engineering has long relied on impersonating company employees or internal IT/helpdesk staff; more recently they have shifted to also posing as workers from third-party IT providers.

They deploy phishing, spearphishing, and vishing, often multilayered and targeted, using information gathered from business-to-business websites to identify roles and key personnel in organizations. They also use push bombing, flooding targets with multifactor authentication (MFA) push notifications until the target approves one, bypassing MFA security.
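As an added illustration of how a defender might spot the push-bombing pattern described above (example code written for this page, not from the article or any vendor; the log format, event names and thresholds are assumptions):

```python
# Added example (not from the article): flag MFA push-bombing in IdP-style auth
# logs. The log format, event names and thresholds below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> user=<id> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2025-06-01T02:14:03Z user=alice event=push_sent
2025-06-01T02:14:04Z user=alice event=push_denied
2025-06-01T02:14:20Z user=alice event=push_sent
2025-06-01T02:14:22Z user=alice event=push_denied
2025-06-01T02:14:40Z user=alice event=push_sent
2025-06-01T02:14:41Z user=alice event=push_denied
2025-06-01T02:15:01Z user=alice event=push_sent
2025-06-01T02:15:30Z user=alice event=push_approved
2025-06-01T09:00:00Z user=bob event=push_sent
2025-06-01T09:00:05Z user=bob event=push_approved
"""

def parse_line(line):
    ts_str, user_kv, event_kv = line.split()  # one line -> (timestamp, user, event)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, user_kv.split("=", 1)[1], event_kv.split("=", 1)[1]

def detect_push_bombing(log_text, window=timedelta(minutes=5), min_pushes=3):
    """Return {user: summary} for users who got >= min_pushes push challenges in any
    sliding window, noting whether an approval followed earlier denials."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event = parse_line(line)
            events[user].append((ts, event))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        sent = [t for t, e in evs if e == "push_sent"]
        peak, start = 0, 0
        for end in range(len(sent)):  # sliding window over push_sent timestamps
            while sent[end] - sent[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < min_pushes:
            continue
        first_denial = next((t for t, e in evs if e == "push_denied"), None)
        approved_after = first_denial is not None and any(
            e == "push_approved" and t > first_denial for t, e in evs)
        findings[user] = {"pushes_in_window": peak,
                          "denials": sum(e == "push_denied" for _, e in evs),
                          "approved_after_denials": approved_after}
    return findings
```

A burst of prompts with several denials and then an approval is the signature worth alerting on; a single prompt followed by an approval, as for the second user, is normal login behaviour.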

Scattered Spider has been linked to SIM swap attacks to hijack phone numbers and intercept MFA messages, aiding credential theft and account takeover. They use remote access tools for maintaining persistent access after gaining credentials. Recently, they have started targeting Snowflake cloud environments, executing thousands of queries rapidly to export large volumes of data in a short time.

The group also gathers intelligence from collaboration tools and email platforms such as Slack, Microsoft Teams, and Microsoft Exchange to inform spearphishing campaigns against employees. They exploit weak helpdesk procedures by repeatedly calling help desk personnel to learn the password reset protocol, then placing targeted calls that convince help desk staff to reset passwords or transfer MFA tokens, which gives them unauthorized access.

In April, British authorities arrested four people in connection with Scattered Spider's attacks and seized a large trove of computer equipment for analysis. The cost of Scattered Spider's latest attack spree, which began in April, is estimated to be 440 million British pounds, according to the U.K.-based Cyber Monitoring Centre.

The group represents a serious and ongoing threat to U.S. organizations, using sophisticated social engineering and intrusion tactics to disrupt operations and extort victims. In May, Scattered Spider targeted major retailers in the U.S., including Victoria's Secret, North Carolina-based Belk, and Whole Foods distributor United Natural Foods (UNFI); UNFI warned that its breach could cost it up to $400 million in lost sales.

Since June, Scattered Spider has shifted to new industries, targeting major insurance companies, airlines, and other transportation companies. Recent victims include Aflac, Allianz Life, Philadelphia Indemnity Insurance, Hawaiian Airlines, and Qantas.

In April, Scattered Spider launched social-engineering attacks against three major British retail companies: Marks & Spencer, Harrods, and Co-op. Two other major British companies may have also been hacked but have yet to admit it. Scattered Spider historically focuses on the hospitality, telecommunications, and retail sectors, targeting multiple organizations within each sector before moving on to the next one.

The U.S. Department of Justice charged five individuals for stealing millions of dollars through phishing texts, which security researchers linked to Scattered Spider's initial crime spree from September 2021 to April 2023. The group is affiliated with an underground collective known as The Com, which experts have linked to a variety of crimes including extortion, money laundering, predatory behavior involving minors, cryptocurrency theft, and SIM swapping.

In a $380 million lawsuit filed earlier this month, Clorox alleged that its IT vendor, Cognizant, failed to uphold its duties by handing over credentials to the hackers without authenticating them.


  1. The cyber attack by Scattered Spider, also known as Muddled Libra and UNC3944, resulted in a data breach that cost MGM Resorts over $100 million, prompting concerns about the group's expanding focus on critical infrastructure and finance sectors.
  2. In addition to ransomware attacks, Scattered Spider employs tactics such as phishing, spearphishing, vishing, push bombing, SIM swap attacks, and exploiting weak helpdesk procedures to gather intelligence and facilitate account takeovers.
  3. To combat these evolving threats, cybersecurity professionals are urging organizations to strengthen their cybersecurity measures, including implementing firewalls, multi-factor authentication, and educating employees on the signs of social engineering and phishing attempts.
  4. Authorities are working to disrupt Scattered Spider's operations, resulting in arrests and the seizure of computer equipment, but the group's decentralized structure and large member base continue to pose challenges in containing their malicious activities.
