Overview
Scattered Spider, also known as UNC3944, is a financially motivated cybercriminal group known for its sophisticated social engineering tactics and ability to navigate cloud environments. Active since at least 2022, the group primarily consists of young individuals (ages 19-22 as of September 2023) operating from the US and UK. While affiliated with the ALPHV/BlackCat ransomware group and deploying ransomware in some attacks, Scattered Spider’s operations primarily focus on data theft for extortion, often targeting large organizations across various sectors. Recent arrests of key members have significantly impacted their operations, though their loose structure and potential ties to other groups may allow some activity to continue.
Known Aliases of Scattered Spider
UNC3944, 0ktapus, Muddled Libra, Scatter Swine, Storm-0875, Octo Tempest, LUCR-3, and Star Fraud.
Country of Origin of Scattered Spider
Members of Scattered Spider have been identified and arrested in both the United Kingdom and the United States. The group’s operations, however, are global in scope.
Known High-Profile Attacks Involving Scattered Spider
MGM Resorts International (September 2023)
In September 2023, MGM Resorts International suffered a significant cyberattack attributed to Scattered Spider, in collaboration with the ALPHV/BlackCat ransomware group. The attackers employed social engineering tactics, impersonating employees to gain access to MGM’s systems. Once inside, they deployed ransomware, leading to widespread disruptions across MGM’s properties, including malfunctioning slot machines, inoperative digital room keys, and offline reservation systems. The attack reportedly resulted in losses exceeding $100 million.
- Reuters: MGM Resorts breached by ‘Scattered Spider’ hackers
- AP News: MGM Resorts computers back up after 10 days
- Axios: MGM faces the fallout from nearly week-long cyberattack
Caesars Entertainment (August 2023)
In August 2023, Caesars Entertainment was targeted by Scattered Spider through a social engineering attack on an outsourced IT support vendor. The breach led to unauthorized access to Caesars’ network, resulting in the exfiltration of sensitive customer data, including driver’s license numbers and possibly Social Security numbers. Caesars reportedly paid a ransom of approximately $15 million to prevent the public release of the stolen data.
- Bloomberg: Caesars Entertainment Paid Millions to Hackers in Attack
- Cybersecurity Dive: Caesars Entertainment says social-engineering attack behind breach
- The Register: Caesars breach notification
Twilio (August 2022)
Scattered Spider, operating under the alias 0ktapus, conducted a sophisticated phishing campaign targeting Twilio employees. By sending fraudulent SMS messages that directed employees to fake login portals, the attackers harvested credentials and gained access to internal systems, affecting customer data.
Cloudflare (August 2022)
In a campaign similar to the Twilio attack, Scattered Spider attempted to breach Cloudflare’s systems using phishing tactics. However, Cloudflare’s use of physical security keys for multi-factor authentication thwarted the attack, preventing unauthorized access.
UK Retail Sector (April 2025)
In April 2025, several British retail companies, including Marks & Spencer and Harrods, experienced significant operational disruptions due to cyberattacks attributed to Scattered Spider. The group employed advanced social engineering techniques to infiltrate systems, leading to outages and service interruptions.
- Cohesity Blog: Scattered Spider – What you need to know about the ransomware gang causing chaos in UK retail
- The Sun: Criminal gang suspected to be behind M&S breach exposed
Other Victims of Scattered Spider
- Coinbase, DoorDash, Revolut: Targeted in similar credential phishing campaigns.
- UnitedHealth/Change Healthcare (2024): Alleged involvement in extortion phase, possibly collaborating with ALPHV/BlackCat.
- British Airways & BBC (2023): Indirectly linked via attacks on Okta-managed credentials.
Common Methods of Infiltration Used by Scattered Spider
Scattered Spider’s primary infiltration vector is sophisticated social engineering:
- SMS Phishing (Smishing): Sending malicious text messages.
- Voice Phishing (Vishing): Impersonating IT staff to obtain sensitive information.
- SIM Swapping: Hijacking phone numbers to intercept MFA codes.
- Email Phishing: Using targeted phishing emails.
- Exploiting Vulnerabilities: Exploiting known vulnerabilities in software and systems.
Scattered Spider MITRE ATT&CK Tactics and Techniques
Scattered Spider utilizes a wide range of MITRE ATT&CK techniques, including:
- Initial Access: T1566 (Phishing), T1078 (Valid Accounts) – Leveraging email phishing, smishing, vishing, and SIM swapping to obtain credentials, then using the compromised accounts for initial access.
- Execution: T1059 (Command and Scripting Interpreter) – Using tools like Mimikatz and PowerShell.
- Persistence: Establishing persistent access through various methods including the installation of multiple RMM tools (Zoho Assist, AnyDesk, Splashtop, TeamViewer, ITarian, FleetDeck, ASG Remote Desktop, RustDesk, ManageEngine RMM).
- Privilege Escalation: Using tools like Mimikatz, secretsdump, and DCSync to escalate privileges.
- Defense Evasion: T1562 (Disable or Modify Security Tools) – Disabling antivirus, firewalls, EDR, and other security tools. Using commercial VPNs (Mullvad VPN, ExpressVPN, NordVPN, Ultrasurf, Easy VPN, ZenMate) to mask their location.
- Credential Access: T1003 (Credential Dumping) – Using tools like Mimikatz, LaZagne, and gosecretsdump.
- Discovery: Using tools like ADRecon, SharpHound, and Hekatomb to map the network.
- Lateral Movement: T1076 (Remote Desktop Protocol) – Using RDP and SSH for lateral movement.
- Exfiltration: Using file transfer services (put.io, transfer.sh, wasabi.com, gofile.io) and tools like Cyberduck.
- Impact: Data theft and ransomware deployment (ALPHV/BlackCat).
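As an added example (not part of the original profile), a small triage script that correlates two indicators from the list above per host: two or more of the named RMM tools, or any RMM tool together with a DNS query or connection to one of the named file-transfer services. The key=value log format, image paths and product-name fragments are constructed assumptions for illustration, not verified binary names.

```python
import re
from collections import defaultdict
# Name fragments for the RMM tools listed in the Persistence bullet above. Matching
# on the product name inside an image path is an assumption made for this example.
RMM_FRAGMENTS = {
    "zoho assist": "zohoassist", "anydesk": "anydesk", "splashtop": "splashtop",
    "teamviewer": "teamviewer", "itarian": "itarian", "fleetdeck": "fleetdeck",
    "asg remote desktop": "asgremote", "rustdesk": "rustdesk", "manageengine rmm": "manageengine",
}
# File transfer services named in the Exfiltration bullet above.
EXFIL_DOMAINS = ("put.io", "transfer.sh", "wasabi.com", "gofile.io")
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=(\S+) \w+=(.*)$")

def parse(line):
    """Parse one constructed 'key=value' log line; returns None if malformed."""
    m = LINE_RE.match(line.strip())
    return None if not m else dict(zip(("ts", "host", "user", "event", "value"), m.groups()))

def rmm_tool(image_path):
    """Return the RMM product whose name fragment appears in the image path, else None."""
    name = re.sub(r"[\s_-]", "", image_path.lower())
    return next((t for t, frag in RMM_FRAGMENTS.items() if frag in name), None)

def exfil_service(hostname):
    """Return the matching exfil domain (exact or subdomain match), else None."""
    h = hostname.lower().rstrip(".")
    return next((d for d in EXFIL_DOMAINS if h == d or h.endswith("." + d)), None)

def triage(lines):
    """Per host: two or more RMM tools, or any RMM tool plus an exfil destination,
    rates high; a single indicator rates medium; hosts with nothing are omitted."""
    seen = defaultdict(lambda: {"rmm": set(), "exfil": set()})
    for ev in filter(None, map(parse, lines)):
        if ev["event"] == "process_create" and (tool := rmm_tool(ev["value"])):
            seen[ev["host"]]["rmm"].add(tool)
        elif ev["event"] in ("dns_query", "network_connect") and (svc := exfil_service(ev["value"])):
            seen[ev["host"]]["exfil"].add(svc)
    findings = {}
    for host, s in seen.items():
        high = len(s["rmm"]) >= 2 or (s["rmm"] and s["exfil"])
        findings[host] = {"rmm": sorted(s["rmm"]), "exfil": sorted(s["exfil"]),
                          "severity": "high" if high else "medium"}
    return findings

# Constructed sample telemetry (not real data) in a simple key=value form.
SAMPLE_LOG = r"""
2023-09-10T12:01:05Z host=WS-042 user=jdoe event=process_create image=C:\Users\jdoe\Downloads\AnyDesk.exe
2023-09-10T12:07:40Z host=WS-042 user=jdoe event=process_create image=C:\Program Files\Splashtop\splashtop.exe
2023-09-10T12:15:12Z host=WS-042 user=jdoe event=dns_query query=api.gofile.io
2023-09-10T12:20:00Z host=WS-042 user=jdoe event=network_connect dest=transfer.sh
2023-09-10T13:05:00Z host=WS-077 user=asmith event=process_create image=C:\Users\asmith\AppData\Local\TeamViewer\TeamViewer.exe
2023-09-10T13:10:00Z host=SRV-DB1 user=svc_backup event=process_create image=C:\Windows\System32\svchost.exe
"""
```

Run `triage(SAMPLE_LOG.strip().splitlines())` to see WS-042 rated high (two RMM tools plus two exfil destinations), WS-077 rated medium, and SRV-DB1 absent.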
Malware Strains Used by Scattered Spider
Scattered Spider is primarily associated with ALPHV/BlackCat ransomware, but its operations extend beyond ransomware deployment. Rather than developing proprietary malware, the group strategically deploys a wide array of widely used commercial and open-source tools, both legitimate and malicious, to avoid detection and maximize damage. Their tooling includes:
Ransomware
- ALPHV/BlackCat: Used in conjunction with ransomware affiliates. Scattered Spider often handles the initial access and exfiltration, passing off the environment for ransomware deployment.
- Custom Payloads: There is some evidence that they tailor scripts to initiate encryption or sabotage systems once access is established.
Post-Exploitation & Remote Access Tools
- Cobalt Strike: Popular red-teaming tool repurposed for persistence, lateral movement, and privilege escalation.
- Brute Ratel C4: Used to evade endpoint detection and response (EDR) systems.
- AnyDesk, Atera, ScreenConnect: Legitimate remote administration tools leveraged for persistent and stealthy control.
Data Exfiltration
- Rclone: Command-line program used for syncing and exfiltrating data to cloud storage (e.g., Mega, Dropbox).
- MEGASync / FileZilla: Occasionally used to automate large data transfers.
- PuTTY / Plink: Employed to establish covert tunnels out of compromised environments.
Credential Theft Tools
- Mimikatz: Classic credential dumper used after privilege escalation.
- ADRecon & BloodHound: Used for Active Directory reconnaissance to identify high-value targets and paths to domain dominance.