Scattered Spider, a group of young hackers suspected to be from the US, UK, and Canada, has gained global notoriety since a series of major ransomware attacks on casinos, hotels, hospitals, and pharmaceutical companies. This group of predominantly English-speaking threat actors—which is a distinguishing feature in itself—has reportedly teamed up with ALPHV, one of Russia’s most prolific cybercriminal groups, to conduct formidable ransomware attacks. Scattered Spider is particularly known for its advanced social engineering attacks, typically used as a method of facilitating initial access at targeted organizations. What makes Scattered Spider excel at social engineering and how can you protect your organization?

What Is Scattered Spider?

Scattered Spider (also known as Scattered Swine, Muddled Libra, UNC3944, or Octo Tempest) is a group of financially motivated cybercriminals that conducts targeted social engineering campaigns, primarily against telecommunications and technology companies. The group has been active since early 2022 and gained notoriety after its September 2023 attacks on multiple casinos.

Scattered Spider members are believed to communicate on messaging apps such as Telegram. While their internal communications are said to look amateurish at first glance, the group’s affiliation with ALPHV demonstrates the respect Scattered Spider has gained in the cybercriminal world. ALPHV operates in the shadowy ransomware-as-a-service industry, selling its BlackCat ransomware to affiliates on dark web forums.

What makes the group so successful? Scattered Spider conducts highly impactful social engineering attacks, thanks in part to its members’ English skills and understanding of Western culture. While many cybercriminal gangs speak English as a second language and operate out of countries such as Russia and China, Scattered Spider members’ profiles allow them to effectively manipulate victims ranging from help desk employees to new hires: Security professionals are less likely to be suspicious of someone who seemingly has a native English background.

How Does Scattered Spider Operate?

Scattered Spider specializes in social engineering attacks on major telecommunications, technology, and leisure and entertainment companies. The group is known for using a wide range of techniques and for the sophistication of its offenses. Scattered Spider’s earlier campaigns targeted telecommunications companies to facilitate SIM-swapping attacks (MITRE TTP T1451), a technique used to bypass multi-factor authentication (MFA) by compromising the SIM-card provider. In mid-2023, the group started conducting double-extortion attacks, in which target companies’ data is exfiltrated as well as encrypted using BlackCat ransomware.

One of the hallmarks of Scattered Spider’s social engineering campaigns is its targeting of help desks: by abusing users’ credentials to impersonate employees, the group obtains MFA codes or password resets. The group has even been known to impersonate new hires to blend into onboarding processes. In some instances, the group has reportedly targeted individuals aggressively via phone and text, leveraging personal information purchased online and making physical threats. The group has also frequently used MFA fatigue, in which a user is relentlessly sent MFA push notifications until they accept one.
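As an added example (not part of this report or of ReliaQuest’s tooling), the following Python script shows detection logic for the MFA fatigue pattern described above. It parses constructed sign-in log lines, raises a medium-severity alert when a user rejects or ignores several push prompts within a short window, and escalates to high severity when an approval follows such a burst. The log format, field names, result strings, and thresholds are assumptions; map them onto your identity provider’s actual schema.

```python
"""Detect MFA push fatigue ("MFA bombing") in authentication logs.

Added example; the log format and thresholds are assumptions, not a vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Format assumed here:
# <ISO-8601 UTC timestamp> <username> <push_result>
SAMPLE_LOG = """\
2023-09-10T02:14:05Z alice push_denied
2023-09-10T02:14:41Z alice push_denied
2023-09-10T02:15:20Z alice push_timeout
2023-09-10T02:15:55Z alice push_denied
2023-09-10T02:16:30Z alice push_denied
2023-09-10T02:17:02Z alice push_approved
2023-09-10T09:00:10Z bob push_denied
2023-09-10T09:01:00Z bob push_approved
2023-09-10T11:30:00Z carol push_approved
"""

# Results that mean the user did not accept the prompt (assumed names).
FAILED_RESULTS = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    events.sort()
    return events


def detect_mfa_fatigue(events, min_failed=3, window=timedelta(minutes=10)):
    """Flag users who receive a burst of rejected or ignored pushes.

    Returns a list of alert dicts:
      - severity "medium": min_failed unaccepted pushes within `window`
        (someone may be hammering the user with prompts right now).
      - severity "high": a push is approved after such a burst
        (the user likely gave in, so the resulting session is suspect).
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    alerts = []
    for user, user_events in by_user.items():
        recent_failed = []  # timestamps of unaccepted pushes inside the window
        for ts, result in user_events:
            # Slide the window: drop failures older than `window` before this event.
            recent_failed = [t for t in recent_failed if ts - t <= window]
            if result in FAILED_RESULTS:
                recent_failed.append(ts)
                if len(recent_failed) == min_failed:
                    alerts.append({"user": user, "severity": "medium",
                                   "at": ts.isoformat(),
                                   "failed_pushes": len(recent_failed)})
            elif result == "push_approved":
                if len(recent_failed) >= min_failed:
                    alerts.append({"user": user, "severity": "high",
                                   "at": ts.isoformat(),
                                   "failed_pushes": len(recent_failed)})
                recent_failed = []  # an approval ends the burst either way


    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data, alice triggers a medium alert on her third unaccepted push and a high alert when she approves after five of them; bob’s single denial followed by an approval stays under the threshold. The high-severity case is the one to act on immediately: revoke the new session and tokens, verify the user out of band, and review what the account did afterwards. Number-matching or phishing-resistant MFA, as recommended later in this article, removes the pattern at its source.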

Once inside a target system, Scattered Spider secures a successful foothold by carrying out reconnaissance of the environment and escalating privileges. In the past, it has compromised security accounts to impair the functionality of security products and evade detection. To establish command-and-control, the group uses legitimate remote access software, such as ScreenConnect and TeamViewer. Its use of legitimate remote access tools, which are ubiquitous in companies with a hybrid or remote workforce, allows it to further evade detection and establish persistence.

Since mid-2023, Scattered Spider has been delivering its fatal blow by deploying BlackCat malware to target Microsoft and Linux systems. Initially, the group exfiltrates data from a network and then encrypts it for impact. This form of double extortion reportedly cost a US casino $15 million, although law enforcement agencies recommend victims refrain from paying ransoms to cybercriminal groups.

If Scattered Spider’s intrusions are detected, the group is known to establish backdoors to re-access targeted networks and roll back security measures put in place by the targeted organization. If the group loses access to the network completely, it simply moves on to the next target.

To read a detailed overview of Scattered Spider’s techniques, read our Scattered Spider Attack Analysis report.

What Are Scattered Spider’s Targets of Choice?

Scattered Spider predominantly targets large organizations based in the US. However, the group’s victimology has changed as its techniques have developed. When the group was first detected around May 2022, it primarily targeted telecommunications and technology companies. The group has since diversified its targeting to include arts, entertainment, and recreation chains; health care and social assistance companies; and finance and insurance, retail trade, and professional, scientific, and technical services organizations. While the majority of ransomware activity is opportunistic, exploiting the endemic security failings found across businesses, the types of organizations impacted by Scattered Spider suggest a more targeted approach. These organizations routinely process large financial payments, making them an attractive target to financially motivated cybercriminals.

What Can Organizations Do to Defend Against Scattered Spider Attacks?

First and foremost, it’s important to get the basics right.

Protect your people:

  • Ensure employees at all levels of your organization receive frequent training on the most up-to-date phishing and social engineering techniques. Help desk and security employees should be particularly well-versed in social engineering techniques.
  • Enforce strong password policies, such as locking out users after multiple failed login attempts, disabling password “hints,” and using industry-recognized password managers.
  • Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible.

Protect your network: 

  • Disable unused ports and protocols. Audit remote access tools to prevent adversaries from abusing legitimate
  • Install, regularly update, and enable real time detection for antivirus software.
  • Segment networks to prevent the spread of malware.
  • Use endpoint detection and response (EDR) tools to detect and respond to abnormal activity.
  • Implement application controls that restrict which software is allowed to execute, preventing malware from running.

Protect your data: 

  • Implement a data recovery plan to maintain multiple copies of sensitive and proprietary data and servers in a physically separate, segmented, and secure location. Ensure all data is backed up regularly (daily or weekly at minimum).
  • Ensure all backup data is encrypted and cannot be altered or deleted.

How Can ReliaQuest Help?

Our threat research team builds profiles of prominent and emerging threat actors, including their known tactics, techniques, and procedures, so our customers are well armed against would-be attackers. To discover how GreyMatter, our security operations platform, can enhance your organization’s protection against potential threats, request a demo today.