May 14, 2024
Scattered Spider, a group of young hackers suspected to be from the US, UK, and Canada, has gained global notoriety since a series of major ransomware attacks on casinos, hotels, hospitals, and pharmaceutical companies. This group of predominantly English-speaking threat actors—which is a distinguishing feature in itself—has reportedly teamed up with ALPHV, one of Russia’s most prolific cybercriminal groups, to conduct formidable ransomware attacks. Scattered Spider is particularly known for its advanced social engineering attacks, typically used as a method of facilitating initial access at targeted organizations. What makes Scattered Spider excel at social engineering and how can you protect your organization?
Scattered Spider (also known as Scattered Swine, Muddled Libra, UNC3944, or Octo Tempest) is a group of financially motivated cybercriminals that conducts targeted social engineering campaigns, primarily against telecommunications and technology companies. The group has been active since early 2022 and gained notoriety after its September 2023 attacks on multiple casinos.
Scattered Spider members are believed to communicate on messaging apps such as Telegram. While their internal communications are said to be amateurish at first glance, the group’s affiliation with ALPHV demonstrates the respect Scattered Spider has gained in the cybercriminal world. ALPHV operates in the shadowy industry of ransomware-as-a-service, selling its BlackCat ransomware to affiliates on dark web forums.
What makes the group so successful? Scattered Spider conducts highly impactful social engineering attacks, thanks in part to its members’ English skills and understanding of Western culture. While many cybercriminal gangs speak English as a second language and operate out of countries such as Russia and China, Scattered Spider members’ profiles allow them to effectively manipulate victims ranging from help desk employees to new hires: Security professionals are less likely to be suspicious of someone who seemingly has a native English background.
Scattered Spider specializes in social engineering attacks on major telecommunications, technology, and leisure and entertainment companies. The group is known for using a wide range of techniques and for the sophistication of its offenses. Scattered Spider’s earlier campaigns targeted telecommunications companies to facilitate SIM-swapping attacks (MITRE TTP T1451), a technique used to bypass multi-factor authentication (MFA) by compromising the SIM-card provider. In mid-2023, the group started conducting double-extortion attacks, in which target companies’ data is exfiltrated, as well as encrypted, using BlackCat ransomware.
One of the hallmarks of Scattered Spider’s social engineering campaigns is its targeting of help desks, by abusing users’ credentials to impersonate employees to obtain MFA codes or password resets. The group has even been known to impersonate new hires to blend into onboarding processes. In some instances, the group has reportedly aggressively targeted individuals via phone and text, leveraging personal information purchased online and making physical threats. MFA fatigue, where a user is relentlessly sent MFA notifications until they accept, has also been frequently used by the group.
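The MFA fatigue pattern described above leaves a recognizable trace in authentication telemetry: a burst of push challenges to one user in a short window, sometimes ending in an approval. The detector below is an added example, not ReliaQuest code or GreyMatter logic; it runs over constructed sign-in records in a made-up one-line format (timestamp, user, push result) and the threshold and window are illustrative tuning values.

```python
"""Flag MFA-fatigue bursts in sign-in records (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
# Format: ISO-8601 timestamp, username, MFA push result.
SAMPLE_EVENTS = [
    "2024-05-14T02:10:05Z jdoe push_denied",
    "2024-05-14T02:10:41Z jdoe push_denied",
    "2024-05-14T02:11:12Z jdoe push_timeout",
    "2024-05-14T02:11:50Z jdoe push_denied",
    "2024-05-14T02:12:30Z jdoe push_denied",
    "2024-05-14T02:13:02Z jdoe push_approved",   # user gave in
    "2024-05-14T02:15:00Z asmith push_approved",  # normal single login
    "2024-05-14T09:00:00Z jdoe push_approved",    # normal, hours later
]


def parse_event(line):
    """Split one record into (datetime, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_mfa_fatigue(lines, threshold=4, window=timedelta(minutes=10)):
    """Return {user: {"challenges": n, "approved_after_burst": bool}}.

    A user is flagged when at least `threshold` push challenges (any
    outcome) fall inside one sliding `window`; `challenges` is the largest
    burst seen, and `approved_after_burst` records whether a push was
    approved while the burst was still in progress, the outcome an
    attacker is pushing for and the case that needs immediate response.
    """
    per_user = defaultdict(list)
    for line in lines:
        ts, user, result = parse_event(line)
        per_user[user].append((ts, result))

    findings = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end, (ts, result) in enumerate(events):
            # Advance the window start so only events within `window` remain.
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                f = findings.setdefault(
                    user, {"challenges": 0, "approved_after_burst": False})
                f["challenges"] = max(f["challenges"], count)
                if result == "push_approved":
                    f["approved_after_burst"] = True
    return findings
```

In production the same logic would key on the identity provider's push-notification events and would also compare the requesting IP or device against the user's history, since a burst followed by an approval from an unfamiliar source is the strongest signal.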
Once inside a target system, Scattered Spider secures a successful foothold by carrying out reconnaissance of the environment and escalating privileges. In the past, it has compromised security accounts to impair the functionality of security products and evade detection. To establish command-and-control, the group uses legitimate remote access software, such as ScreenConnect and TeamViewer. Its use of legitimate remote access tools, which are ubiquitous in companies with a hybrid or remote workforce, allows it to further evade detection and establish persistence.
Since mid-2023, Scattered Spider has been delivering its fatal blow by deploying BlackCat malware to target Microsoft and Linux systems. Initially, the group exfiltrates data from a network and then encrypts it for impact. This form of double extortion reportedly cost a US casino $15 million, although law enforcement agencies recommend victims refrain from paying ransoms to cybercriminal groups.
If Scattered Spider’s intrusions are detected, the group is known to establish backdoors to re-access targeted networks and roll back security measures put in place by the targeted organization. If the group loses access to the network completely, it simply moves on to the next target.
For a detailed overview of Scattered Spider’s techniques, read our Scattered Spider Attack Analysis report.
Scattered Spider predominantly targets large organizations based in the US. However, the group’s victimology has changed as its techniques have developed. When the group was first detected around May 2022, it primarily targeted telecommunications and technology companies. The group has since diversified its targeting to include arts, entertainment, and recreation chains; health care and social assistance companies; and finance and insurance, retail trade, and professional, scientific, and technical services organizations. While the majority of ransomware activity is opportunistic, exploiting endemic security failings across businesses, the types of organizations impacted by Scattered Spider suggest a more targeted approach. These organizations routinely process large financial payments, making them an attractive target to financially motivated cybercriminals.
First and foremost, it’s important to get the basics right.
Protect your people:
Protect your network:
Protect your data:
Our threat research team builds profiles of prominent and emerging threat actors, including their known tactics, techniques, and procedures, so our customers are well armed against would-be attackers. To discover how GreyMatter, our security operations platform, can enhance your organization’s protection against potential threats, request a demo today.