Full Report
Scattered Spider isn't one group — it's an identity-first threat model evolving fast. From vishing to AiTM phishing, they're exploiting MFA gaps to hijack the cloud. Watch the Push Security webinar to learn how their identity-based tactics work — and how to stop them. [...]
Analysis Summary
# Threat Actor: Scattered Spider (Community/Collective)
## Attribution & Identity
* **Primary Identification:** Scattered Spider. The article strongly cautions that this is a community-assigned name, not one used by the actors themselves.
* **Known Aliases/Related Names:** UNC3944 (Mandiant), Octo Tempest (Microsoft), 0ktapus (Group-IB), Muddled Libra (Unit 42), Scatter Swine (Okta).
* **Associated Groups (Overlap/Clients):** The pattern of activity touches on self-named criminal groups such as Lapsus$, Yanluowang, Karakurt, and ShinyHunters.
* **Operational Model:** Described as a broad community or collective of criminals using similar techniques. They often use Ransomware-as-a-Service (RaaS) tooling; DragonForce is named in the context of recent attacks, with DragonForce providing the ransomware service and Scattered Spider carrying out the intrusion itself.
* **Demographics/Location:** Primarily English native speakers located mainly in English-speaking countries (UK, US, Canada, Australia), with activity also traced to mainland Europe, Russia, and India.
## Activity Summary
* **Recent Activities:** Involved in recent high-profile attacks targeting UK retailers, specifically Marks & Spencer and Co-op, resulting in significant financial disruption.
* **Overall Focus:** Making money, typically through data theft, ransomware execution (via RaaS affiliates/services), and extortion.
* **Defining Approach:** Identified as a "post-MFA" threat actor focused heavily on bypassing established security controls by targeting identity and account takeover (ATO).
## Tactics, Techniques & Procedures
* **Primary TTP Set:** Predominantly identity-based tactics, specializing in **account takeover (ATO)**.
* **Specific Techniques Mentioned:**
  * Phishing
  * Credential attacks
  * Help desk scams/vishing (impersonating users to support staff)
  * SIM swapping
  * Smishing
  * Abusing cloud identity providers (Okta, Microsoft Entra) via cloud-native techniques
  * Using Adversary-in-the-Middle (AiTM) phishing kits to bypass MFA
  * Targeting privileged accounts
* **MITRE ATT&CK Coverage Implied:** Focus on Initial Access (Phishing, Valid Accounts) and perhaps Persistence/Defense Evasion via identity manipulation. (Specific MITRE IDs were not explicitly cited in the text).
## Targeting
* **Sectors:** Retail (specifically UK retailers cited: Marks & Spencer, Co-op).
* **Geography:** Activity traced to the UK, US, Canada, Australia, mainland Europe, Russia, and India (based on actor presence, not necessarily victim location).
* **Victims:** Marks & Spencer, Co-op.
## Tools & Infrastructure
* **Malware Families Used:** Implied use of ransomware encryptors supplied through RaaS services such as DragonForce.
* **Infrastructure:** No specific C2 domains or IPs were listed for the actor group itself, only references to the services (like DragonForce) they might utilize.
## Implications
* Represents a significant evolution in threat actors, being "cloud-native" and focusing on identity rather than traditional network exploitation.
* Their flexible, identity-first approach allows them to bypass traditional endpoint and network security controls until late in the attack chain.
* Attacks are highly disruptive, exemplified by the massive potential profit loss reported for M&S.
## Mitigations
* Do not over-index solely on help desk scams; consider the **broader identity attack surface**.
* Address **MFA gaps** across all applications and accounts.
* Review accounts with MFA gaps, and local (non-SSO) accounts that provide a backdoor around SSO-protected access.
* Implement defenses against AiTM phishing kits (session hijacking).
* Focus on **identity attack detection and response** capabilities (e.g., detection for AiTM phishing, credential stuffing, session hijacking, and fixing identity vulnerabilities like ghost logins and weak passwords).
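As an added illustration of the last two mitigations (this is example code, not code from the Push Security article or webinar): a small Python check, run over constructed sign-in records with assumed field names, that flags a session token reused from a new IP address and client after an MFA-completed login (the AiTM session-hijack pattern) and accounts whose sign-ins never carried MFA (an MFA gap).

```python
from collections import defaultdict

# Constructed sample sign-in events (IdP-style log); field names are assumed,
# not taken from any particular product. "mfa" marks an MFA-completed login.
EVENTS = [
    {"user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/124", "mfa": True},
    {"user": "alice", "session": "S1", "ip": "198.51.100.7", "ua": "python-requests/2.31", "mfa": False},
    {"user": "bob",   "session": "S2", "ip": "203.0.113.22", "ua": "Firefox/125", "mfa": False},
    {"user": "bob",   "session": "S3", "ip": "203.0.113.22", "ua": "Firefox/125", "mfa": False},
    {"user": "carol", "session": "S4", "ip": "203.0.113.5",  "ua": "Safari/17",  "mfa": True},
    {"user": "carol", "session": "S4", "ip": "203.0.113.5",  "ua": "Safari/17",  "mfa": False},
]


def find_session_reuse(events):
    """Return session IDs seen from a different IP *and* client than at first use.

    An AiTM kit replays the victim's authenticated session cookie from the
    attacker's own infrastructure, so the token shows up from a new IP and a new
    user agent at once; requiring both cuts noise from ordinary IP roaming.
    """
    first_seen = {}
    flagged = set()
    for e in events:
        key = (e["ip"], e["ua"])
        origin = first_seen.setdefault(e["session"], key)
        if origin[0] != key[0] and origin[1] != key[1]:
            flagged.add(e["session"])
    return sorted(flagged)


def find_mfa_gaps(events):
    """Return users who have sign-ins but never completed MFA on any of them."""
    mfa_by_user = defaultdict(bool)
    for e in events:
        mfa_by_user[e["user"]] |= e["mfa"]
    return sorted(u for u, ok in mfa_by_user.items() if not ok)


if __name__ == "__main__":
    print("possible hijacked sessions:", find_session_reuse(EVENTS))  # ['S1']
    print("accounts with an MFA gap:", find_mfa_gaps(EVENTS))  # ['bob']
```

In practice the same two checks would run over exported IdP sign-in logs, with the IP/user-agent comparison tightened to ASN or device-fingerprint changes as the log source allows.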