Full Report
Scattered Spider didn't need a zero-day to breach Clorox. They just phoned the help desk—convincing agents to reset passwords & MFA without proper checks. The result: $380M in damages. Learn from Specops Software why caller verification and audit trails are critical. [...]
Analysis Summary
# Incident Report: Social Engineering Attack Targeting Third-Party Service Desk Leads to Major Clorox Disruption
## Executive Summary
In August 2023, threat actors associated with the Scattered Spider group successfully breached Clorox by exploiting weak verification processes within Cognizant's outsourced service desk. The attackers used social engineering techniques, impersonating locked-out employees to trick agents into performing credential and MFA resets without proper authentication. This initial access was leveraged for lateral movement, ultimately causing significant operational paralysis, supply chain disruption, and an estimated $380 million in damages to Clorox.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the incident occurred in August 2023.
- **Incident Date:** August 2023
- **Affected Organization:** Clorox (breached via its outsourced service desk provider, Cognizant)
- **Sector:** Manufacturing/Consumer Goods
- **Geography:** Not explicitly stated, assumed US-based operations due to company structure.
## Timeline of Events
### Initial Access
- **Date/Time:** August 2023
- **Vector:** Social Engineering (Vishing) targeting a third-party service desk (Cognizant).
- **Details:** Attackers repeatedly telephoned Cognizant's service desk, impersonating locked-out employees, and successfully requested multiple password and MFA resets without meaningful, out-of-band verification.
### Lateral Movement
- **Details:** A single compromised identity provided a pivot point for the attackers to move quickly toward gaining domain administrator privileges within the network infrastructure.
### Data Exfiltration/Impact
- **Details:** Attributed impact included operational paralysis, manufacturing system shutdowns, paused production, manual order processing, and shipment delays, leading to depressed sales volumes. Estimated damages reach approximately $380 million.
### Detection & Response
- **How it was discovered:** Not stated; discovery is implied to have followed the significant operational impact.
- **Response actions taken:** Not detailed in the summary, beyond the lawsuit Clorox subsequently filed over the circumstances that allowed the breach.
## Attack Methodology
- **Initial Access:** Social Engineering (Impersonation) targeting a contracted IT service desk.
- **Persistence:** Not explicitly detailed, but likely involved establishing backdoor access or elevated accounts once admin privileges were secured.
- **Privilege Escalation:** Moving from a single compromised identity to domain-admin footholds.
- **Defense Evasion:** Exploiting human/procedural weaknesses in the third-party vendor's verification process, bypassing existing MFA controls.
- **Credential Access:** Obtaining credentials via successful password/MFA resets coerced from service desk agents.
- **Discovery:** Attackers performed reconnaissance, collecting names, titles, recent hires, and internal ticket references to craft convincing social engineering calls.
- **Lateral Movement:** Utilizing compromised credentials to move across the network toward high-value targets.
- **Collection:** Not explicitly detailed, but implied data related to operations/business processes was targeted given the operational impact.
- **Exfiltration:** Not explicitly detailed; the large overall damage figure hints at it, though operational disruption was the primary reported impact.
- **Impact:** Operational disruption (production shutdown, sales impairment) and associated remediation costs.
## Impact Assessment
- **Financial:** Approximately $380 million in damages, including ~$49 million in remedial costs and "hundreds of millions" in business-interruption losses.
- **Data Breach:** Type and volume of data not specified, but implied sensitive or operational data access.
- **Operational:** Production systems taken offline, manufacturing paused, reliance on manual order processing, and shipment delays.
- **Reputational:** Significant, given the scale of the losses disclosed in court filings.
## Indicators of Compromise
- *None listed in the source.*
## Response Actions
- **Containment measures:** Not specifically listed.
- **Eradication steps:** Not specifically listed.
- **Recovery actions:** Not specifically listed; forensic and remediation costs are included in the damage assessment.
## Lessons Learned
- Relying on outsourced service desks without rigorously enforced and monitored verification procedures amplifies supply-chain risk.
- Human fallibility remains a primary attack vector, especially when service desk agents are pressured into skipping security protocols.
- A single unauthorized password reset can lead to catastrophic organizational disruption.
## Recommendations
- Establish and enforce strong, mandatory out-of-band verification procedures for all critical actions (like MFA/password resets) performed by third-party vendors.
- Implement robust technology solutions to enforce verification controls at the service desk level, rather than relying solely on agent adherence to policy.
- Follow guidance from CISA and other bodies on defending against groups like Scattered Spider, which specifically target service desk/help desk weaknesses.
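One way to turn the first two recommendations into an enforceable control rather than a policy agents may skip, as an added example that is not code from the original page, Clorox, Cognizant, or Specops: a small Python gatekeeper that refuses a reset unless an accepted out-of-band check was confirmed, records every attempt for the audit trail, and blocks repeat requests for the same identity. The channel names, thresholds, and sample calls are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Assumed policy, not Clorox's or Cognizant's: accepted out-of-band channels and a per-identity repeat cap.
ACCEPTED_OOB = ("callback-number-on-file", "push-to-registered-device", "manager-approval")
REPEAT_WINDOW = timedelta(hours=24)
REPEAT_THRESHOLD = 3

@dataclass
class ResetRequest:
    ticket_id: str
    claimed_user: str          # identity the caller claims
    agent: str                 # service desk agent handling the call
    requested_at: datetime
    reset_type: str            # "password" or "mfa"
    oob_method: str = ""       # how the claim was verified out of band, if at all
    oob_confirmed: bool = False

@dataclass
class ResetGatekeeper:
    audit_log: list = field(default_factory=list)
    def evaluate(self, req: ResetRequest):
        """Decide ALLOW/DENY and record the attempt whatever the outcome."""
        reasons = []
        if req.oob_method not in ACCEPTED_OOB:
            reasons.append("no accepted out-of-band verification")
        elif not req.oob_confirmed:
            reasons.append(f"{req.oob_method} was not confirmed")
        # Repeated reset requests against one identity are the tell of a vishing campaign.
        prior = [e for e in self.audit_log if e["user"] == req.claimed_user
                 and timedelta(0) <= req.requested_at - e["at"] <= REPEAT_WINDOW]
        if len(prior) >= REPEAT_THRESHOLD:
            reasons.append(f"{len(prior)} earlier reset requests for this identity within 24h")
        decision = "ALLOW" if not reasons else "DENY"
        self.audit_log.append({"ticket": req.ticket_id, "user": req.claimed_user, "agent": req.agent,
                               "type": req.reset_type, "at": req.requested_at, "oob": req.oob_method,
                               "decision": decision, "reasons": reasons})
        return decision, reasons

def replay_constructed_scenario():
    # Constructed sample: four calls in one morning, all claiming to be "jdoe".
    gk = ResetGatekeeper()
    t0 = datetime(2023, 8, 11, 9, 0)
    calls = [
        ResetRequest("T-1001", "jdoe", "agent07", t0, "password"),
        ResetRequest("T-1002", "jdoe", "agent12", t0 + timedelta(hours=1), "mfa", "callback-number-on-file"),
        ResetRequest("T-1003", "jdoe", "agent12", t0 + timedelta(hours=2), "password", "callback-number-on-file", True),
        ResetRequest("T-1004", "jdoe", "agent03", t0 + timedelta(hours=3), "mfa", "manager-approval", True),
    ]
    return [gk.evaluate(c)[0] for c in calls], gk.audit_log
```

The fourth call is refused even though a manager approved it, because the audit trail already shows three reset requests for the same identity that day; that repeat signal is what an agent under pressure on a phone call cannot see on their own.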