Full Report
The cybercrime ring has infiltrated more than 100 businesses since 2022, including more than a dozen since it regrouped earlier this year. (Source: "Scattered Spider weaves web of social-engineered destruction", CyberScoop.)
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
- **Identification:** Loosely bound collective active in the cybercrime underground.
- **Known Aliases/Associations:** Tracked by Mandiant as **UNC3944**. Considered an offshoot of **The Com**, a larger grassroots network involved in various crimes.
- **Characteristics:** Young, native English-speaking members. Lacks cohesion and has infighting. Does not use a data leak site. Described as a "decentralized but tightly aligned group" with clear role divisions (senior operators, newcomers/juniors).
## Activity Summary
- **Recent Campaigns:** Suspected of attacking Marks & Spencer (UK), United Natural Foods, and Hawaiian Airlines this year.
- **Historical Campaigns:** Gained notoriety for attacks on MGM Resorts and Caesars Entertainment in 2023.
- **Overall Activity:** Infiltrated over 100 businesses since 2022. Showed a pattern of high activity, a brief hiatus starting last summer, and a resurgence earlier this year.
## Tactics, Techniques & Procedures
- **Primary Intrusion Method:** Social engineering and phishing.
- **Recent TTP Shift:** For much of 2024 the group relied mainly on domain-based phishing; since its resurgence this year it has relied **exclusively on social engineering** for initial access.
- **Social Engineering Execution:** Primarily targets help-desk employees, requesting actions such as password resets, removal of a phone number from the MFA solution so a new device can be enrolled, or addition of a phone number to an account to enable self-service password reset. Uses the target organization's own slang and internal lingo (a "voice of trust") to pass as a legitimate employee and talk staff past verification.
- **Post-Intrusion:** When the group proceeds to encryption, it has deployed several ransomware families, including Akira, AlphV, Play, Qilin, RansomHub, and DragonForce.
- **Speed:** Extremely fast; defenders often have under 24-48 hours between initial access and encryption in which to contain the intrusion.
- **Attribution Difficulty:** Leaves few of the usual forensic "fingerprints" (custom tooling, reused malware), so attribution is difficult and the industry is often uncertain whether a given intrusion is this group.
## Targeting
- **Sectors:** Retail, insurance, aviation, hospitality and gaming, manufacturing, technology and cloud services, telecommunications, food production, financial services, media, apparel, business process outsourcing (BPO), health care, and transportation.
- **Geography:** The article names a United Kingdom victim (Marks & Spencer); the rest of the footprint is inferred from the victim list, which includes Canadian (WestJet) and United States (Hawaiian Airlines, MGM Resorts, Caesars Entertainment) organizations.
- **Victims:** Marks & Spencer, United Natural Foods, WestJet, Hawaiian Airlines, MGM Resorts, Caesars Entertainment.
## Tools & Infrastructure
- **Malware Families Used:** Akira, AlphV, Play, Qilin, RansomHub, DragonForce (Ransomware variants).
- **Infrastructure:** The article cites "re-use of the infrastructure" as a pattern that helps distinguish the group, but lists no specific C2 addresses or domains.
## Implications
- Scattered Spider is financially highly successful, reportedly extracting more than $66 million through extortion, with some individual payments exceeding eight figures.
- Their specialization in the **human element**, the weakest link in cloud and identity systems, lets the same tactics work across many sectors regardless of the victim's technology stack.
- Despite internal fragmentation, they exhibit tight operational coordination concerning initial access and ransomware deployment.
- Uncertainty exists regarding attribution, as other groups (like UNC6040, also linked to The Com) use similar social engineering tactics against the same sectors.
## Mitigations
- Focus defense on the help desk and internal support staff, the group's primary point of entry: treat password reset, MFA method removal, and new-device or new-phone enrollment requests as high-risk actions rather than routine tickets.
- Implement strict, out-of-band verification for identity changes, especially requests made by phone, since the group's entire initial access chain depends on talking a support agent into resetting or re-enrolling MFA.
- Maintain detection and eradication capabilities that act within hours, not days, since the group can move from initial access to encryption in under 24-48 hours; identity audit logs (resets, MFA changes, SSPR phone additions) are the earliest signal.
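The help-desk abuse chain described under "Social Engineering Execution" (a support-initiated password reset or MFA-method removal, followed shortly by a new MFA enrollment or an SSPR phone number being added) is visible in identity-provider audit logs well before any encryption. The following is an added example, not code from the CyberScoop article or from any vendor, showing detection logic for that chain run over constructed sample events. The event schema (`actor`, `target`, `action`, `channel`, `source_ip`), the 24-hour window, the score weights and the IP baseline are all assumptions for illustration.

```python
"""
Flag help-desk identity changes followed by self-service MFA/SSPR enrollment.

Added example, not from the article or any vendor. Field names, sample events,
IP addresses (RFC 5737 documentation ranges) and scoring are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions a help-desk operator performs on someone else's account.
HELPDESK_ACTIONS = {"reset_password", "remove_mfa_method"}
# Actions that hand whoever holds the session durable self-service control.
ENROLLMENT_ACTIONS = {"register_mfa_method", "add_sspr_phone"}
WINDOW = timedelta(hours=24)  # assumed detection window

# Constructed audit events (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:05:00", "actor": "helpdesk.ops", "target": "j.doe",
     "action": "reset_password", "channel": "phone", "source_ip": "198.51.100.7"},
    {"ts": "2025-06-02T09:12:00", "actor": "helpdesk.ops", "target": "j.doe",
     "action": "remove_mfa_method", "channel": "phone", "source_ip": "198.51.100.7"},
    {"ts": "2025-06-02T09:20:00", "actor": "j.doe", "target": "j.doe",
     "action": "register_mfa_method", "channel": "web", "source_ip": "203.0.113.50"},
    {"ts": "2025-06-02T09:22:00", "actor": "j.doe", "target": "j.doe",
     "action": "add_sspr_phone", "channel": "web", "source_ip": "203.0.113.50"},
    # Self-service reset by the user themselves: not help-desk initiated, must not fire.
    {"ts": "2025-06-03T14:00:00", "actor": "a.smith", "target": "a.smith",
     "action": "reset_password", "channel": "web", "source_ip": "198.51.100.21"},
    {"ts": "2025-06-03T14:05:00", "actor": "a.smith", "target": "a.smith",
     "action": "register_mfa_method", "channel": "web", "source_ip": "198.51.100.21"},
    # Help-desk reset with the enrollment three days later: outside the window.
    {"ts": "2025-06-01T08:00:00", "actor": "helpdesk.ops", "target": "b.lee",
     "action": "reset_password", "channel": "ticket", "source_ip": "198.51.100.7"},
    {"ts": "2025-06-04T10:00:00", "actor": "b.lee", "target": "b.lee",
     "action": "register_mfa_method", "channel": "web", "source_ip": "198.51.100.33"},
]

# Constructed baseline: IPs each user has signed in from recently.
KNOWN_IPS = {
    "j.doe": {"198.51.100.12"},
    "a.smith": {"198.51.100.21"},
    "b.lee": {"198.51.100.33"},
}


def load_events(raw):
    """Parse ISO timestamps once so the comparisons below are on datetimes."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]


def find_suspicious_chains(events, known_ips, window=WINDOW):
    """Return one finding per help-desk action that was followed by an enrollment
    on the same account inside `window`. Score is additive: base for the chain,
    extra for a phone-channel request and for enrollment from an unseen IP."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)

    findings = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        for i, reset in enumerate(evs):
            # Only help-desk actions on another user's account start a chain.
            if reset["action"] not in HELPDESK_ACTIONS or reset["actor"] == target:
                continue
            followups = [f for f in evs[i + 1:]
                         if f["action"] in ENROLLMENT_ACTIONS
                         and f["ts"] - reset["ts"] <= window]
            if not followups:
                continue
            hours = int(window.total_seconds() // 3600)
            score = 50
            reasons = ["%s followed by %s within %dh" % (
                reset["action"],
                ", ".join(sorted({f["action"] for f in followups})), hours)]
            if reset.get("channel") == "phone":
                score += 20
                reasons.append("reset requested by phone")
            unseen = {f["source_ip"] for f in followups} - known_ips.get(target, set())
            if unseen:
                score += 30
                reasons.append("enrollment from unseen IP(s): %s" % ", ".join(sorted(unseen)))
            findings.append({"target": target, "trigger": reset["action"],
                             "trigger_ts": reset["ts"].isoformat(),
                             "score": score, "reasons": reasons})
    return findings


def run_demo():
    """Run the detector over the constructed sample; only j.doe should be flagged."""
    return find_suspicious_chains(load_events(SAMPLE_EVENTS), KNOWN_IPS)


if __name__ == "__main__":
    for f in run_demo():
        print(f["score"], f["target"], f["trigger"], "; ".join(f["reasons"]))
```

The self-service case (`actor == target`) is excluded on purpose: the group's chain starts with a support agent acting on someone else's account, and a reset the user performed with working MFA is routine. On a real tenant the same logic maps onto the identity provider's audit log (password reset, authentication-method change and SSPR registration events) and should page the help desk lead, not just open a ticket, given the 24-48 hour window to encryption.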