If you follow cybersecurity news, you’ve likely already heard of Scattered Spider. But who are they, really — and what do they want?
Scattered Spider is a financially motivated threat actor group founded in May 2022. The group is thought to comprise operatives based in the United States and the United Kingdom. They are believed to be primarily between the ages of 19 and 22.
The group is considered expert in social engineering and uses multiple techniques — including phishing, push bombing, and subscriber identity module (SIM) swap attacks — in order to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).
According to the Cybersecurity & Infrastructure Security Agency (CISA), Scattered Spider uses tools like:
- Fleetdeck.io and Level.io to enable remote monitoring and management of systems
- Screenconnect and Splashtop to enable remote connections to network devices
- Tailscale to provide virtual private networks (VPN) to secure network communications
They also use malware like AveMaria, Raccoon Stealer, and VIDAR Stealer. To begin their phishing attempts, the group creates victim-specific domains, such as victimname-sso[.]com, victimname-servicedesk[.]com, and victimname-okta[.]com.
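The victim-specific lookalike domains described above give defenders something concrete to hunt for in DNS and proxy logs. The following is an added example, not code from the original post or from CISA, that flags queries whose second-level label combines the organization's name with one of the lure suffixes the post names (sso, servicedesk, okta) plus a few assumed variants (helpdesk, vpn, login). The organization name `acmecorp`, the allowlist of legitimately owned domains, and the log lines are constructed for illustration, and the log format is an assumption.

```python
import re
from typing import Dict, List

# Constructed DNS query log lines (not from the original post); the format is assumed.
SAMPLE_DNS_LOG = """\
2024-03-01T09:12:03Z client=10.0.4.21 query=acmecorp-sso.com type=A
2024-03-01T09:12:05Z client=10.0.4.21 query=sso.acmecorp.com type=A
2024-03-01T09:13:44Z client=10.0.7.8 query=acmecorp-servicedesk.com type=A
2024-03-01T09:14:10Z client=10.0.7.8 query=acmecorp.okta.com type=A
2024-03-01T09:15:00Z client=10.0.9.3 query=acmecorp-okta.com type=A
2024-03-01T09:15:30Z client=10.0.9.3 query=cdn.example.net type=A
"""

# Lure suffixes from the post's pattern (sso, servicedesk, okta) plus assumed variants.
LURE_TOKENS = ("sso", "servicedesk", "okta", "helpdesk", "vpn", "login")

# Domains the organization (or its identity provider) legitimately owns; constructed allowlist.
LEGIT_SUFFIXES = ("acmecorp.com", "okta.com")

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def refang(domain: str) -> str:
    """Convert defanged notation such as 'victim-sso[.]com' into a plain hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def is_lookalike(domain: str, org: str, legit_suffixes=LEGIT_SUFFIXES) -> bool:
    """True if the second-level label is '<org>-<lure>' or '<org><lure>' and the
    domain is not under a suffix the organization actually owns."""
    d = refang(domain)
    org = org.lower()
    if any(d == s or d.endswith("." + s) for s in legit_suffixes):
        return False
    labels = d.split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]                      # e.g. 'acmecorp-sso' in acmecorp-sso.com
    if org not in sld:
        return False
    rest = sld.replace(org, "", 1).strip("-_")
    return any(rest == t or rest.startswith(t) for t in LURE_TOKENS)


def find_lookalikes(log_text: str, org: str) -> List[Dict[str, str]]:
    """Parse DNS log lines and return the client/domain pairs that match the lure pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if is_lookalike(m["query"], org):
            hits.append({"client": m["client"], "domain": refang(m["query"])})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DNS_LOG, "acmecorp"):
        print(f"lookalike domain queried by {hit['client']}: {hit['domain']}")
```

Because the check keys on the second-level label, `sso.acmecorp.com` (a real subdomain) and `acmecorp.okta.com` (the tenant's identity provider) pass, while `acmecorp-sso.com` is flagged; a clients that resolves such a name is a good starting point for a help-desk follow-up before any credential is entered.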
Scattered Spider is also referred to as Starfraud, UNC3944, Scatter Swine, and Muddled Libra.
The group, whose name was coined by cybersecurity researchers, gained notoriety for hacking Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States, in September 2023. It’s possible that Scattered Spider was assisted by the group ALPHV/BlackCat.
MGM shut down systems across all of its 31 resorts, while Caesars tried avoiding a shutdown by paying the group $15 million. Reuters reported that Scattered Spider obtained six terabytes (6TB) of stolen data from the hotels and casinos, including sensitive information about the millions of guests who have stayed there.
Their way in? Posing as an MGM employee and calling an IT help desk to “recover their password.”
Scattered Spider has also attacked other organizations by posing as company IT and/or helpdesk staff using phone calls or SMS messages to:
- Obtain credentials from employees and gain access to the network
- Direct employees to run commercial remote access tools enabling initial access
- Convince employees to share their one-time password (OTP)
- Send repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue)
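The MFA fatigue technique in the last item leaves a recognizable trail in identity-provider logs: a burst of push prompts the user denies or lets time out, sometimes followed by one approval. The following is an added example, not code from the original post, of the detection logic a defender would run over such events: it alerts when a user receives three or more unapproved prompts within ten minutes and escalates when an approval follows that burst. The event list, the user names, and the thresholds are constructed for illustration, and the tuple format stands in for whatever the real identity provider exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed MFA push events (not from the original post): (timestamp, user, result).
# 'denied' and 'timeout' are prompts the user did not approve.
SAMPLE_MFA_EVENTS = [
    ("2024-03-01T08:00:10Z", "alice", "approved"),   # ordinary login
    ("2024-03-01T10:30:00Z", "carol", "denied"),     # one stray denial, hours before a normal login
    ("2024-03-01T12:45:00Z", "carol", "approved"),
    ("2024-03-01T21:14:02Z", "bob",   "denied"),
    ("2024-03-01T21:14:31Z", "bob",   "timeout"),
    ("2024-03-01T21:15:05Z", "bob",   "denied"),
    ("2024-03-01T21:15:40Z", "bob",   "timeout"),
    ("2024-03-01T21:16:12Z", "bob",   "denied"),
    ("2024-03-01T21:17:00Z", "bob",   "approved"),   # the user finally presses Accept
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, threshold: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag users who receive `threshold` or more unapproved push prompts within
    `window`, and escalate when an approval follows such a burst."""
    alerts: List[Dict] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # unapproved prompts per user
    flagged = set()                                             # users already alerted for the current burst
    for ts_str, user, result in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:     # drop prompts that fell out of the window
            q.popleft()
        if not q:
            flagged.discard(user)           # burst is over; a new one may alert again
        if result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "severity": "high", "at": ts_str,
                               "prompts": len(q), "reason": "approval after prompt burst"})
            q.clear()
            flagged.discard(user)
        else:
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                alerts.append({"user": user, "severity": "medium", "at": ts_str,
                               "prompts": len(q), "reason": "repeated unapproved prompts"})
                flagged.add(user)
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_MFA_EVENTS):
        print(f"[{a['severity']}] {a['user']} at {a['at']}: {a['reason']} ({a['prompts']} prompts)")
```

On the sample data only `bob` alerts: a medium-severity alert on the third unapproved prompt and a high-severity one when the approval arrives with five unapproved prompts still inside the window. `carol`'s single denial expires before her later login, so it never fires, which is the behaviour wanted for ordinary mis-taps.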
They’ve even successfully convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card, gaining control over the phone and access to MFA prompts.
Worse, they’ve monetized access to victim networks in numerous ways, including extortion enabled by ransomware and data theft.
Scattered Spider typically targets large organizations, especially technology and telecommunications companies.
If that describes your organization, the FBI and CISA recommend implementing mitigations that improve your organization’s cybersecurity posture and reduce the risk of compromise by Scattered Spider threat actors. The mitigations include:
- Implementing application controls.
- Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.
- Strictly limiting the use of Remote Desktop Protocol (RDP) and other remote desktop services.
For more ways to mitigate this risk, look at CISA’s recommendations.
This posting does not necessarily represent Splunk's position, strategies or opinion.