Evolution of the ‘Scattered Spider’ Group: From Data Theft to Ransomware Attacks

In the ever-evolving landscape of cyber threats, one group has caught the attention of security professionals and law enforcement agencies alike. Known by various names such as “Scattered Spider,” “0ktapus,” and UNC3944, this group of threat operators has transitioned from targeting telecommunication and tech firms to launching sophisticated ransomware attacks on a broader range of industries, including hospitality, retail, media, and financial services. Their recent claim to infamy came with a ransomware attack on MGM Resorts, causing widespread chaos in Las Vegas hotels and garnering the White House’s attention. A recent report from a cybersecurity firm under Google’s umbrella sheds light on the group’s evolution and tactics.

The Attack Tactics of Scattered Spider

Initially known for high-profile but relatively aimless data theft incidents in major tech companies, Scattered Spider started gaining notoriety in 2022 for its phone-based social engineering and SMS phishing campaigns. These campaigns aimed to obtain credentials to gain unauthorized access to victim organizations. Their focus initially revolved around SIM-swapping attacks, likely supporting secondary criminal operations.

However, the group’s modus operandi shifted in the middle of 2023 when they began deploying ransomware in victim environments, indicating a shift in their monetization strategies. As researchers note, “These changes in their end goals signal that the industries targeted by Scattered Spider will continue to expand.” Scattered Spider doesn’t work in isolation; some of its threat actors operate within underground communities like Telegram and confidential forums, where they may acquire tools, services, or support to enhance their operations.

The group first gained attention for its adept social engineering techniques, particularly in targeting users of Okta’s identity and access management services. They would send victims to fraudulent pages to steal Okta credentials. One head of a cyber threat research team at Group-IB Europe commented, “0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks.”

Scattered Spider’s primary focus has been stealing large volumes of sensitive data for extortion, displaying a deep understanding of U.S. and European business practices. They rely heavily on publicly available tools, legitimate software, and malware purchased from underground forums. Their tactics involve SMS phishing campaigns and calls to IT help desks to reset passwords or bypass security measures. Once inside a victim’s system, they meticulously search internal documentation, resources, and chat logs to escalate their privileges. Scattered Spider often targets password managers or privileged access management systems for privilege escalation.

During ransomware attacks, the group strategically targets specific virtual machines and systems to maximize the impact on victims and compel them to pay ransom. They have been known to contact company executives and employees with threatening messages, sometimes infiltrating communication channels victims use to respond to incidents.

Most access points for Scattered Spider involve smishing attacks, where they obtain credentials. They then impersonate employees during calls to help desk officials, tricking them into providing multi-factor authentication codes or password resets. Sometimes, they gather personal information about the impersonated employee to answer security questions from help desk officials.

The threat operators also create phishing pages within internal systems that mimic legitimate single sign-on or service pages, duping other employees into divulging more credentials. Additionally, the cybersecurity company identified three phishing kits used by the threat operators to send stolen credentials to a Telegram channel controlled by the threat operators and deploy remote management software on victim devices.

Scattered Spider’s tactics include using credential theft tools, info stealers, and data miners to move laterally within victim networks. Their hallmark has effectively targeted victims’ cloud resources, allowing them to establish a foothold, perform surveillance, and access sensitive systems and data stores with minimal interaction within the corporate network.

Cybersecurity company warns that Scattered Spider continues to evolve its skills and exploit internal system tools for attacks. Defenders should anticipate further improvement in their tradecraft and possible collaborations with other groups for support. The group’s initial success likely encouraged them to expand into more disruptive and profitable attacks. This expansion into ransomware and extortion may lead to using other strains and monetization methods to maximize their profits.

In a recent phishing campaign, Scattered Spider compromised thousands of accounts from numerous organizations, including Riot Games, Reddit, and Twilio. Although initially associated with data theft, they have recently collaborated with the BlackCat/AlphV ransomware gang, causing confusion and disputes within the hacking community.

Scattered Spider’s evolution from scattered data theft to targeted ransomware attacks underscores the persistent and evolving threat landscape that organizations and cybersecurity professionals must contend with. As the group continues to adapt and expand its tactics, defending against their attacks becomes increasingly complex and critical for businesses and security professionals.

At SpearTip, our certified engineers are working 24/7/365 at our Security Operations Center, monitoring companies’ data networks for potential cyber threats and ready to respond to incidents immediately. Our IR planning engages a three-phase approach, which includes pre-incident, active incident, and post-incident planning processes. SpearTip identifies key stakeholders and decision-makers, critical data, and potential access points in the pre-incident aspect. Then, it engages in a live test, after which we offer remediation guidance. To benefit companies’ teams during an incident, we assist in developing a communications plan designed to detect and isolate the precise threat with a customized strategy map. The post-incident planning process development includes root cause and investigative audit, improvement analysis, and backup recovery.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.