Full Report
A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft. [...]
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
* **Identification:** A loose-knit, English-speaking cybercrime collective primarily composed of young threat actors based in the UK and US.
* **Key Individuals:**
    * **Tyler Robert Buchanan:** Believed leader/organizer (recently pleaded guilty).
    * **Noah Michael Urban:** Key member, known as "Sosa" and "Elijah"; has already been sentenced.
    * **Other members:** Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, Joel Martin Evans, and an unnamed 17-year-old linked to the MGM attack.
* **Aliases:** 0ktapus, Scatter Swine, Octo Tempest, Starfraud, Muddled Libra.
* **Affiliations:** Associated with "The Com" (a hacking subculture). Frequently operates as an affiliate of Russian ransomware-as-a-service (RaaS) operations, including **BlackCat/ALPHV**, **Qilin**, and **RansomHub**.
## Activity Summary
* **Historical Campaigns:** Active since at least September 2021. Recent operations (2021–2023) focused on the theft of approximately $8 million in cryptocurrency via high-volume SMS phishing and SIM swapping.
* **Significant Operations:** Notable for the 2023 high-profile ransomware attacks on major hospitality and gaming giants, as well as widespread targeting of IT and cloud service providers.
## Tactics, Techniques & Procedures
* **Social Engineering:** Aggressive use of SMS phishing (smishing) targeting employees.
* **MFA Fatigue:** Multi-factor authentication (MFA) "bombing" to coerce users into approving malicious login attempts.
* **Account Takeover:** SIM swapping to bypass SMS-based MFA and gain control of phone numbers.
* **Identity Theft:** Creation of look-alike phishing domains mimicking internal IT or BPO supplier portals to harvest PII and credentials.
* **Lateral Movement:** Hijacking corporate email accounts and moving across cloud environments.
* **Communication:** Coordination of attacks via Telegram channels, Discord servers, and underground hacker forums.
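The "MFA bombing" technique listed above is visible in identity-provider audit logs as a burst of push prompts that the user denies or ignores, sometimes followed by an approval. The following detector is an added example (not code from the report or from any vendor): it assumes a JSON-lines audit feed with the constructed field names `ts`, `user`, `event`, `result` and `src_ip`, and flags a user who receives five or more unapproved prompts within ten minutes, with a separate, higher-priority alert when an approval follows such a burst.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (one JSON event per line). The field names are an
# assumption for illustration, not any particular IdP's schema. One a.smith line
# is deliberately out of order to show that events are sorted before analysis.
SAMPLE_LOG = """\
{"ts":"2024-03-01T02:10:05Z","user":"j.doe","event":"mfa.push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T02:10:40Z","user":"j.doe","event":"mfa.push","result":"timeout","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T02:11:15Z","user":"j.doe","event":"mfa.push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T09:00:02Z","user":"a.smith","event":"mfa.push","result":"denied","src_ip":"198.51.100.20"}
{"ts":"2024-03-01T02:12:00Z","user":"j.doe","event":"mfa.push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T02:13:30Z","user":"j.doe","event":"mfa.push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T02:14:10Z","user":"j.doe","event":"mfa.push","result":"timeout","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T02:15:02Z","user":"j.doe","event":"mfa.push","result":"approved","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T02:15:03Z","user":"j.doe","event":"login","result":"success","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T09:00:30Z","user":"a.smith","event":"mfa.push","result":"approved","src_ip":"198.51.100.20"}
"""

PUSH_THRESHOLD = 5             # unapproved prompts that count as a burst
WINDOW = timedelta(minutes=10)  # sliding window per user
UNAPPROVED = {"denied", "timeout"}


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_mfa_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Sliding-window detector for push-MFA bombing.

    Emits a 'push_burst' alert the moment a user accumulates `threshold`
    unapproved prompts inside `window`, and an 'approved_after_burst' alert
    (the case that matters most) when an approval follows such a burst.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    for e in events:
        if e.get("event") != "mfa.push":
            continue
        user, ts = e["user"], e["ts"]
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if e["result"] in UNAPPROVED:
            q.append(ts)
            if len(q) == threshold:      # fire once as the threshold is crossed
                alerts.append({"type": "push_burst", "user": user,
                               "count": len(q), "ts": ts.isoformat(),
                               "src_ip": e.get("src_ip")})
        elif e["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({"type": "approved_after_burst", "user": user,
                               "prior_prompts": len(q), "ts": ts.isoformat(),
                               "src_ip": e.get("src_ip")})
            q.clear()                    # an approval ends the current sequence
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_mfa_fatigue(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this yields two alerts for `j.doe` (a burst at the fifth unapproved prompt, then an approval preceded by six prompts) and none for `a.smith`, whose single denied prompt followed by an approval is ordinary user behaviour. In production the `approved_after_burst` case is the one to route to an analyst immediately, since it is the exact outcome the technique is designed to produce.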
## Targeting
* **Sectors:** Entertainment, Telecommunications, Technology, Business Process Outsourcing (BPO), IT Suppliers, Cloud Communication Providers, and Virtual Currency Providers.
* **Geography:** Global reach, with significant focus on US-based corporations and UK-based infrastructure.
* **Victims:** MGM Resorts, Caesars Entertainment, Riot Games, MailChimp, Twilio, DoorDash, and Reddit.
## Tools & Infrastructure
* **Malware Families:** BlackCat/ALPHV, Qilin, and RansomHub ransomware.
* **Infrastructure:**
    * Phishing domains designed to look like legitimate corporate login portals.
    * Telegram and Discord for Command & Control (C2) and internal collaboration.
    * *Note:* Specific IPs/URLs were not mentioned in the text, but the actor utilizes look-alike domains (e.g., [company-it-support][.]com).
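Because the report gives only the pattern of the group's infrastructure (a brand name combined with IT-support or SSO wording, as in the `[company-it-support][.]com` example above) rather than concrete indicators, a defender's first step is to screen newly observed domains against that pattern. The triage routine below is an added example, not code from the report; the protected brand `examplecorp`, the allowlist, the keyword list and the observed-domain feed are all constructed for illustration. It flags a domain only when its registrable label embeds the brand token or sits within edit distance 1 of it, and raises the severity when an IT/SSO lure keyword is also present.

```python
import re

# Constructed inputs for illustration; none of these are indicators from the report.
BRAND_TOKEN = "examplecorp"
ALLOWLIST = {"examplecorp.com", "examplecorp.net"}
# Words that look-alike lures combine with a brand name to imitate IT/SSO portals
LURE_KEYWORDS = {"it", "support", "helpdesk", "sso", "okta", "vpn", "login", "portal", "hr"}

OBSERVED_DOMAINS = [
    "examplecorp-it-support[.]com",  # defanged, brand + lure keywords
    "sso-examplecorp.net",           # brand + lure keyword
    "examp1ecorp.com",               # one-character substitution of the brand
    "login.examplecorp-sso.com",     # brand in the registrable label, keyword in a subdomain
    "examplecorp.com",               # the legitimate domain (allowlisted)
    "example.org",                   # unrelated
    "okta-login-portal.com",         # keywords but no brand relation
]


def edit_distance(a, b):
    """Levenshtein distance via a rolling single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Refang ('[.]' -> '.'), lowercase, drop any scheme/path and trailing dot."""
    d = domain.strip().lower().replace("[.]", ".")
    d = re.sub(r"^[a-z]+://", "", d).split("/")[0].rstrip(".")
    return d


def analyze_domain(domain):
    """Return a finding dict for a suspicious domain, or None if it is not related to the brand."""
    d = normalize(domain)
    if d in ALLOWLIST:
        return None
    labels = d.split(".")
    if len(labels) < 2:
        return None
    # Assumption: single-label public suffix (multi-part suffixes such as co.uk are not handled here)
    registrable = labels[-2]
    reasons = []
    if BRAND_TOKEN in registrable.replace("-", ""):
        reasons.append("brand token embedded in registrable label")
    elif edit_distance(registrable, BRAND_TOKEN) <= 1:
        reasons.append("registrable label within edit distance 1 of brand")
    if not reasons:
        return None  # keywords alone are not enough; the brand relation is the anchor
    tokens = set(re.split(r"[.-]", ".".join(labels[:-1])))
    hits = sorted(tokens & LURE_KEYWORDS)
    if hits:
        reasons.append("IT/SSO lure keyword(s): " + ", ".join(hits))
    return {"domain": d, "severity": "high" if hits else "medium", "reasons": reasons}


def run_sample(domains=OBSERVED_DOMAINS):
    """Screen a feed of domains; returns findings for the flagged ones only."""
    return [r for r in map(analyze_domain, domains) if r]


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed feed the three brand-plus-keyword domains come back as `high`, the single-character substitution as `medium`, and the legitimate, unrelated and keyword-only domains are not flagged. A real deployment would feed this from certificate-transparency or newly-registered-domain streams and add a proper public-suffix list, but the screening logic is the same.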
## Implications
Scattered Spider represents a shift in the threat landscape where high-energy, socially adept Western hackers collaborate with established Eastern European ransomware syndicates. Their proficiency in bypassing modern security controls (like MFA) through social engineering rather than pure technical exploits makes them exceptionally dangerous to traditional enterprise defense models.
## Mitigations
* **Phishing Resistance:** Shift from SMS/Push-based MFA to FIDO2-compliant hardware security keys to mitigate phishing and SIM swapping.
* **Employee Training:** Specific awareness programs regarding "MFA Fatigue" and social engineering tactics via SMS/phone calls.
* **Service Provider Monitoring:** Increased scrutiny of BPO and IT supplier access to corporate environments, as these are frequent pivot points for the group.
* **SIM Swap Protections:** Coordinate with telecommunications providers to implement "Account Locks" or "Port-Out Protection" on high-value administrative accounts.