Full Report
In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone. This coverage is extremely valuable for the cybersecurity community as it raises
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
Attributed to the threat actor known as **Scattered Spider**. The reporting suggests they are native English speakers, leveraging this skill in social engineering attempts. They are sometimes linked to other threat groups, but the focus here is on their independent operations.
## Activity Summary
Scattered Spider has been actively campaigning since at least 2022. Recent high-profile activity includes major attacks on UK retailers **Marks & Spencer** and **Co-op**, causing significant financial disruption. Historically, they were involved in early attacks against major technology and financial companies such as **Twilio**, **LastPass**, **Riot Games**, and **Coinbase**, which involved vishing. More significantly, they were responsible for the initial access vector in the major breaches involving **Caesars** (Aug 2023), **MGM Resorts** (Sep 2023), and **Transport for London** (Sep 2024). These attacks generally aim for account takeover to facilitate data theft or ransomware deployment.
## Tactics, Techniques & Procedures
- **Help Desk Scams:** Impersonating users (often using stolen PII or initial credentials) to trick help desk operators into resetting credentials or Multi-Factor Authentication (MFA).
- **Vishing (Voice Phishing):** Used since early operations to convince users to divulge MFA codes.
- **MFA Reset Manipulation:** Calling help desks to request MFA device changes ("I've got a new phone") to redirect MFA reset links/codes to attacker-controlled channels (email/SMS).
- **Trust Establishment:** Leveraging native English skills to bypass vetting procedures.
- **Leveraging Initial Foothold:** Once access is gained via compromised admin accounts, privilege escalation and lateral movement are often trivial.
- **Self-Service Password Reset Abuse:** Using compromised MFA tokens to satisfy the MFA step in identity provider self-service reset flows (e.g., Okta or Entra).
- **Broader Identity Attacks:** The actor's techniques are increasingly adopted elsewhere, including AiTM phishing kits, credential stuffing, password spraying, and session hijacking.
## Targeting
- **Sectors:** Retail, Hospitality/Casinos, Gaming, Financial Services, Technology/SaaS, Transportation/Public Services.
- **Geography:** The most recent publicized attacks heavily impacted UK-based entities (M&S, Co-op, TfL). Previous targets were US-based (Caesars, MGM).
- **Victims:** Marks & Spencer, Co-op, Caesars, MGM Resorts, Transport for London (TfL), Twilio, LastPass, Riot Games, Coinbase.
## Tools & Infrastructure
- **Malware families used:** None explicitly detailed; the activity described centres on **identity exploitation**.
- **Infrastructure (C2, domains, IPs):** Not specified beyond the channels used for the attacks (phone calls to help desks, and identity providers such as Okta/Entra).
## Implications
Scattered Spider demonstrates a consistent, escalating, and highly effective reliance on **identity-based attacks**, specifically targeting the weakest link in enterprise security: the IT help desk. By defeating MFA directly through social engineering and insider knowledge, they sidestep traditional perimeter defenses. Their identity-first toolkit of TTPs is becoming a 'standard' methodology for other threat groups. Attacks have culminated in massive financial losses, multi-day outages, and large-scale data exposure.
## Mitigations
- **Introduce Friction to Help Desk Processes:** Organizations must be prepared to delay or deny requests, especially for high-risk functions.
- **Admin Account Reset Controls:** Implement stricter procedures for high-privileged accounts, such as requiring multi-party approval/escalation for MFA resets or credential changes.
- **In-Person Verification:** Require in-person verification for high-risk changes (where logistically possible).
- **Broad Identity Surface Monitoring:** Do not solely focus on help desk scams; monitor for gaps in SSO coverage, ghost logins, weak/breached passwords, and MFA gaps across all applications.
- **Defend Against AiTM:** Implement defenses against Adversary-in-the-Middle (AiTM) phishing kits and session token theft.
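As an added example (not part of the original analysis), the following Python correlates identity-provider audit events to surface the chain described under TTPs, an MFA factor change made by someone other than the account owner followed shortly by a password reset or new session, restricted to privileged accounts as the mitigations recommend. The event names, actor identifiers and sample events are constructed for illustration and do not follow a real Okta or Entra log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class IdpEvent:
    ts: datetime
    actor: str   # who performed the action: a help-desk operator, or the user themself
    target: str  # the account the action was applied to
    kind: str    # normalised event name (assumed names, not a real Okta/Entra schema)

# Events that change which device will receive MFA challenges
FACTOR_CHANGE = {"mfa.factor.reset", "mfa.factor.enroll"}
# Events that show the account being taken over or used after that change
FOLLOW_UP = {"user.password.reset", "user.session.start"}

def find_reset_chains(events, privileged, window=timedelta(hours=2)):
    """Flag an MFA factor change on a privileged account performed by someone other
    than the owner (i.e. via the help desk) that is followed within `window` by a
    password reset or new session. Returns (target, actor, change_time, follow_up)."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev.kind not in FACTOR_CHANGE or ev.target not in privileged:
            continue
        if ev.actor == ev.target:  # owner changed their own factor: not a help-desk reset
            continue
        for later in ordered[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.target == ev.target and later.kind in FOLLOW_UP:
                alerts.append((ev.target, ev.actor, ev.ts, later.kind))
                break
    return alerts

# Constructed sample events for illustration; not taken from any real incident.
T0 = datetime(2025, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    IdpEvent(T0, "helpdesk.op1", "admin.jane", "mfa.factor.reset"),
    IdpEvent(T0 + timedelta(minutes=3), "admin.jane", "admin.jane", "mfa.factor.enroll"),
    IdpEvent(T0 + timedelta(minutes=9), "helpdesk.op1", "admin.jane", "user.password.reset"),
    IdpEvent(T0 + timedelta(minutes=20), "admin.jane", "admin.jane", "user.session.start"),
    # Benign: a standard user enrolled a new factor themself, no operator involved.
    IdpEvent(T0 + timedelta(hours=1), "user.bob", "user.bob", "mfa.factor.enroll"),
    # Benign at the default window: help desk reset an admin's factor, but the next
    # activity on that account came three hours later.
    IdpEvent(T0 + timedelta(hours=5), "helpdesk.op2", "admin.raj", "mfa.factor.reset"),
    IdpEvent(T0 + timedelta(hours=8), "admin.raj", "admin.raj", "user.session.start"),
]
PRIVILEGED = {"admin.jane", "admin.raj"}
```

Running `find_reset_chains(SAMPLE_EVENTS, PRIVILEGED)` returns a single alert for `admin.jane`; widening `window` would also catch the slower `admin.raj` sequence, so the window should be tuned to how quickly a legitimate user normally logs back in after a reset.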