Full Report
Identity is the new battleground—and Scattered Spider exploits it. Join Push Security to unpack how identity-based attacks are reshaping the threat landscape, and how to defend against MFA bypass, help desk scams, and more. Watch the webinar now. [...]
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
**Threat Actor:** Scattered Spider
**Known Aliases/Associations:** Tracked by analysts as a criminal collective; associated with DragonForce ransomware claims in some subsequent attacks (e.g., Co-op).
## Activity Summary
Scattered Spider has been active since 2022 and is known for a series of high-profile intrusions, often focusing on identity-based compromise.
**Recent Insurance Sector Attacks (2025 context):** Attacks targeting the U.S. insurance industry, including **Aflac**, **Philadelphia Insurance Companies**, and **Erie Insurance**, resulting in sensitive customer data theft and operational disruption.
**Historical High-Profile Campaigns:**
* **Caesars (2023):** Compromised customer loyalty database after resetting credentials via help desk impersonation, resulting in a $15M ransom payment.
* **MGM Resorts (2023):** Stole 6TB of data after resetting employee credentials via social engineering; attack led to a 36-hour outage and $100M financial hit.
* **Transport for London (2024):** Exposed 5,000 users' bank details and caused significant operational disruption.
* **UK Retailers (2025):** Breaches at **Marks and Spencer (M&S)** and **Co-op**, leading to data loss, service disruption, customer lawsuits, and significant financial losses (M&S lost £300M in profits).
* **Global Retailers (May-June 2025):** A concerted effort targeting retailers including **Dior**, **The North Face**, **Cartier**, **Victoria’s Secret**, **Adidas**, **Coca-Cola** (bottling partner), and **United Natural Foods**.
## Tactics, Techniques & Procedures
Scattered Spider heavily relies on exploiting identity-based weaknesses rather than traditional software exploits.
- **Help Desk Impersonation/Social Engineering:** The primary tactic involves impersonating an employee to call the IT help desk.
- **Credential/MFA Reset Abuse:** Manipulating help desk staff to reset user credentials and/or configure MFA factors for a new device (e.g., sending an MFA enrollment link).
- **Self-Service Password Reset Abuse:** Utilizing access gained via social engineering to leverage self-service password reset functionality to take full account control.
- **Identity-Based Initial Access:** Initial access is consistently obtained by exploiting identity weaknesses rather than software vulnerabilities.
- **Other Techniques Mentioned (as defensive priorities):** AiTM phishing, credential stuffing, password spraying, and session hijacking using stolen session tokens.
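The help desk reset pattern above leaves a recognisable trail in identity-provider audit logs: an administrative MFA or password reset, followed shortly afterwards by an MFA enrollment or sign-in from a device the user has never used before. The following detection logic is an added example, not code from the original page or from Push Security; the audit events, their field names (`event`, `user`, `device_id`, `actor`) and the event names are constructed for illustration and do not correspond to any vendor's real schema.

```python
"""Correlate help-desk-initiated resets with sign-ins from unseen devices.

Added example (not from the original page). Audit records are constructed
dicts in a hypothetical identity-provider format; field and event names are
assumptions, not a real vendor schema.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (not real data); timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-06-09T08:00:00", "event": "user.login", "user": "carol", "device_id": "dev-ccc", "actor": "carol"},
    {"ts": "2025-06-10T09:00:00", "event": "user.login", "user": "alice", "device_id": "dev-aaa", "actor": "alice"},
    # help desk agent resets alice's MFA after a phone call
    {"ts": "2025-06-10T09:02:00", "event": "mfa.factor.reset", "user": "alice", "device_id": None, "actor": "helpdesk.bob"},
    # a device never seen for alice enrolls a new factor and signs in minutes later
    {"ts": "2025-06-10T09:05:00", "event": "mfa.factor.enroll", "user": "alice", "device_id": "dev-zzz", "actor": "alice"},
    {"ts": "2025-06-10T09:06:00", "event": "user.login", "user": "alice", "device_id": "dev-zzz", "actor": "alice"},
    # carol's reset is followed by a sign-in from her usual device: benign
    {"ts": "2025-06-10T10:00:00", "event": "mfa.factor.reset", "user": "carol", "device_id": None, "actor": "helpdesk.bob"},
    {"ts": "2025-06-10T10:30:00", "event": "user.login", "user": "carol", "device_id": "dev-ccc", "actor": "carol"},
]

# Events that represent an administrative (help desk) credential or factor reset.
HELPDESK_RESET_EVENTS = {"mfa.factor.reset", "password.reset.admin"}
# Events that carry a device identity we can compare against the user's history.
DEVICE_EVENTS = {"user.login", "mfa.factor.enroll"}


def find_suspicious_resets(events, window=timedelta(hours=1), history=timedelta(days=30)):
    """Return one alert per help desk reset that is followed within `window`
    by a login or factor enrollment from a device not seen for that user in
    the preceding `history` period."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] not in HELPDESK_RESET_EVENTS:
            continue
        reset_time = datetime.fromisoformat(ev["ts"])
        # Devices this user used before the reset, within the history period.
        known = {
            e["device_id"] for e in events[:i]
            if e["user"] == ev["user"] and e["device_id"]
            and reset_time - datetime.fromisoformat(e["ts"]) <= history
        }
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - reset_time > window:
                break  # past the correlation window; later events are sorted
            if (later["user"] == ev["user"] and later["event"] in DEVICE_EVENTS
                    and later["device_id"] not in known):
                alerts.append({
                    "user": ev["user"],
                    "reset_by": ev["actor"],
                    "reset_at": ev["ts"],
                    "new_device": later["device_id"],
                    "first_seen_at": later["ts"],
                })
                break  # one alert per reset is enough
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the device history would come from the identity provider's own device or session records rather than from the same log window, and the alert should route to someone other than the help desk agent who performed the reset. Against the sample events the function reports only alice's reset, since carol's post-reset sign-in came from a device already in her history.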
## Targeting
**Sectors:** Insurance, Hospitality/Gaming, Transportation, Retail, Grocery Wholesale.
**Geography:** Primarily U.S. and UK organizations are named; the May-June 2025 retail attacks were worldwide.
**Victims:** Aflac, Philadelphia Insurance Companies, Erie Insurance, Caesars, MGM Resorts, Transport for London, Marks and Spencer, Co-op, Dior, The North Face, Cartier, Victoria’s Secret, Adidas, Coca-Cola (bottling partner), United Natural Foods.
## Tools & Infrastructure
- **Malware Families Used:** The Co-op breach was claimed by **DragonForce ransomware**, suggesting possible collaboration or use of that toolset alongside their identity-based access methods.
- **Infrastructure:** No specific C2 domains or IPs were provided in the summary context.
## Implications
Scattered Spider represents a significant and persistent threat due to their consistent evolution toward identity-based attacks, which are often "scarily simple" and bypass more traditional technical security controls. Their focus on highly visible, large-scale victims (retail, insurance, hospitality) results in massive financial and operational damage, often leading to significant stock value hits and class-action lawsuits. Their success indicates widespread vulnerabilities in help desk verification processes.
## Mitigations
- Implement robust identity-based verification processes for help desk operations.
- Employee Identity Verification Codes (as suggested by Push Security) can be used as a browser-based identity check during help desk interactions to confirm caller identity.
- Enhance defenses against AiTM phishing, credential stuffing, password spraying, and session hijacking.
- Address identity vulnerabilities such as ghost logins, SSO coverage gaps, MFA gaps, weak/breached passwords, and risky OAuth integrations.