Scattered Spider
Description
Scattered Spider is believed to be run by a loosely organized group of individuals based in English-speaking countries. Various media reports cite that the attackers are likely native English speakers and coordinate their operations over internet forums, Discord and Telegram.
Scattered Spider gained notoriety in 2023 for its attack on the gambling and entertainment giant MGM. The group used social engineering to impersonate an employee, which ultimately yielded credentials for secured environments. Once inside, it deployed ALPHV/BlackCat ransomware on devices across the network, causing significant disruption to MGM's operations.
Scattered Spider is often linked with the ALPHV/BlackCat ransomware group because it operates as an affiliate of the ALPHV/BlackCat ransomware-as-a-service program, under which profits are shared between the two entities. Its most high-profile attacks since MGM have targeted retail, aviation, and cloud platforms, with a continued focus on large, high-value organizations and a reliance on advanced social engineering and extortion tactics.
Aliases
- SCATTERED SPIDER
- Scattered Spider
- Octo Tempest
- ALPHV
- Scatter Swine
- Star Fraud
- Roasted 0ktapus
- Storm-0875
- Muddled Libra
- UNC3944
- Scattered Spider Group
Common Vulnerabilities and Exposures
Targeted Industries
- Apparel
- Aviation
- Business Process Outsourcing
- Cloud Services
- Education
- Financial Services
- Food Production
- Gaming
- Health Care
- Hospitality
- Insurance
- IT
- Manufacturing
- Media
- Medical Technology
- Retail
- Technology
- Telecommunications
- Transportation
Objectives
Data Exfiltration, Financial Gain, and Persistent Access
Known Tools Used
- ADRecon
- AnyDesk
- ASG Remote Desktop
- AveMaria
- ConnectWise Control
- DCSync
- Fleetdeck.io
- FiveTran
- gosecretsdump
- Govmomi
- Hekatomb
- Impacket
- ITarian
- LaZagne
- Level.io
- LogMeIn
- ManageEngine
- Mimikatz
- Microburst
- Ngrok
- Octopus Phishing Kits
- PingCastle
- ProcDump
- PsExec
- Pulseway
- Pure Storage FlashArray
- Raccoon Stealer
- RedLine Stealer
- Roasted 0ktapus Phishing Kits
- RustDesk
- SharpHound
- Socat
- Spectre RAT
- Spidey Bot
- Splashtop
- Stealc
- TacticalRMM
- Tailscale
- TeamViewer
- TightVNC
- VIDAR
- WinRAR
- WsTunnel
Known Infection Vectors
- Active Directory (AD) reconnaissance
- Cloud and SaaS application compromise
- Credential phishing (email, SMS, voice phishing)
- Help desk voice-based phishing (vishing)
- Impersonation of IT/helpdesk staff
- MFA fatigue attacks (push bombing)
- MFA prompt theft (convincing users to share OTP/MFA codes)
- Misuse of commercial remote access tools
- SIM swapping
- Social engineering (phone, SMS, email)
- Spear phishing
- Virtual desktop infrastructure (VDI) compromise
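Two of the vectors above, MFA fatigue (push bombing) and misuse of commercial remote access tools from the Known Tools list, leave patterns in identity-provider and endpoint telemetry that can be detected. The following is an added example, not code from this page or from MITRE: the log format, field names, thresholds, executable filenames and the sample events are all constructed assumptions. The push-fatigue check flags a user whose approved MFA push follows several denied or unanswered pushes in a short window; the remote-access check flags any of the page's named remote-access or tunneling tools that is not on a (hypothetical) sanctioned list.

```python
"""Detection logic for two Scattered Spider initial-access patterns.

Added example; not code from the page or from MITRE. Log format, field
names, thresholds, filenames and sample events are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider MFA push events (not real logs).
# Fields: timestamp, user, result of the push prompt.
MFA_EVENTS = [
    ("2024-01-15T02:14:03Z", "jdoe", "DENIED"),
    ("2024-01-15T02:14:41Z", "jdoe", "TIMEOUT"),
    ("2024-01-15T02:15:10Z", "jdoe", "DENIED"),
    ("2024-01-15T02:15:52Z", "jdoe", "TIMEOUT"),
    ("2024-01-15T02:16:30Z", "jdoe", "DENIED"),
    ("2024-01-15T02:17:05Z", "jdoe", "APPROVED"),    # user gives in
    ("2024-01-15T09:00:00Z", "asmith", "APPROVED"),  # normal single approval
    ("2024-01-15T09:30:00Z", "asmith", "DENIED"),
    ("2024-01-15T09:31:00Z", "asmith", "APPROVED"),  # one miss, then approve
]

# Constructed sample of endpoint process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"host": "WS-0412", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "WS-0412", "user": "jdoe", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "SRV-DC01", "user": "svc_backup", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS-0077", "user": "asmith", "image": r"C:\Program Files\Splashtop\SplashtopStreamer.exe"},
]

# Hypothetical allowlist: the one remote-support tool this environment sanctions.
SANCTIONED_RMM = {"splashtopstreamer.exe"}

# Executable names for remote-access and tunneling tools named on this page.
# The filenames are assumptions; vendors rename binaries, so treat as a seed list.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
    "splashtopstreamer.exe": "Splashtop",
    "logmein.exe": "LogMeIn",
    "tacticalrmm.exe": "TacticalRMM",
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "tailscaled.exe": "Tailscale",
    "ngrok.exe": "Ngrok",
}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, min_failed=3, window=timedelta(minutes=10)):
    """Return {user: failed_count} for users whose APPROVED push follows at
    least min_failed DENIED/TIMEOUT pushes inside the preceding window."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((_parse_ts(ts), result))
    alerts = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological; input order is not guaranteed
        for i, (t, result) in enumerate(rows):
            if result != "APPROVED":
                continue
            failed = sum(1 for pt, pr in rows[:i]
                         if pr in ("DENIED", "TIMEOUT") and t - pt <= window)
            if failed >= min_failed:
                alerts[user] = failed
                break  # one alert per user is enough
    return alerts


def find_unsanctioned_rmm(proc_events, sanctioned=SANCTIONED_RMM):
    """Return (host, user, tool) for known remote-access tools not on the allowlist."""
    hits = []
    for ev in proc_events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in RMM_BINARIES and name not in sanctioned:
            hits.append((ev["host"], ev["user"], RMM_BINARIES[name]))
    return hits


if __name__ == "__main__":
    print(detect_push_fatigue(MFA_EVENTS))
    print(find_unsanctioned_rmm(PROCESS_EVENTS))
```

On the constructed sample, the push-fatigue check fires only for jdoe (five failed pushes before the approval; asmith's single miss stays under the threshold), and the remote-access check reports AnyDesk and TeamViewer on WS-0412 while ignoring the sanctioned Splashtop streamer. In production the threshold and window should be tuned to the identity provider's retry behaviour, and the filename list should be paired with signer or hash checks, since filename matching alone is trivially evaded by renaming.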
References
Scattered Spider (MITRE)
https://attack.mitre.org/groups/G1015/