CISA and FBI Release Tactics, Techniques, and Procedures of the Scattered Spider Hacker Group
The joint Cybersecurity Advisory AA23-320A, collaboratively issued by agencies such as the FBI, CISA, RCMP, ASD’s ACSC, AFP, CCCS, and NCSC-UK, serves as a critical update on the Scattered Spider cybercriminal group.
Originally published in November 2023 and revised multiple times, most recently on July 29, 2025, this advisory highlights the group’s persistent and adaptive operations targeting large organizations in critical infrastructure, commercial facilities, and related sectors.
Scattered Spider, known by aliases including UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, specializes in data extortion, ransomware deployment, and sophisticated social engineering tactics.
Overview of Scattered Spider Threat Actors
The 2025 updates emphasize new techniques, such as advanced impersonation to manipulate IT helpdesks for password resets and MFA transfers, alongside the use of malware like RattyRAT for stealthy reconnaissance and DragonForce ransomware for encrypting systems like VMware ESXi servers.
These evolutions allow the group to exfiltrate data rapidly to platforms like MEGA[.]NZ or Amazon S3, often after running thousands of queries in environments like Snowflake, before demanding ransoms through channels such as Tor, Tox, or encrypted messaging apps.
The advisory underscores the group’s shift from broad phishing campaigns to targeted, multilayered spearphishing and vishing operations, enriched by personal data gathered from social media, open sources, and illicit marketplaces.
By mapping activities to the MITRE ATT&CK framework (version 17), it details how Scattered Spider evades detection through living-off-the-land (LOTL) techniques, using legitimate tools to blend into normal network activity while frequently modifying TTPs to counter defenses.
Key Tactics, Techniques, and Procedures (TTPs)
Scattered Spider’s attacks follow a structured lifecycle, beginning with reconnaissance where threat actors scour business websites, social media, and databases for employee PII, roles, and credentials, often purchasing them from dark web markets.
Initial access is gained through phishing, smishing, MFA fatigue or push bombing (repeatedly sending MFA push prompts until the user approves one), SIM swaps, or abuse of trusted third-party relationships.
Impersonation plays a central role, with actors posing as IT staff via phone calls or SMS to trick employees into sharing OTPs, running remote access tools like TeamViewer, AnyDesk, Ngrok, or Teleport.sh, or directing helpdesks to reset credentials.
Once inside, they establish persistence by registering their own MFA devices on compromised accounts, deploying remote monitoring and management (RMM) software such as Fleetdeck.io, Pulseway, or Tactical.RMM, and creating new user identities backed by fabricated social media profiles.
Privilege escalation involves modifying authentication processes or leveraging internal communication tools for further social engineering. Discovery and lateral movement target SharePoint sites, Active Directory, code repositories, and cloud resources like AWS EC2, enabling data collection from emails, backups, and databases.
Exfiltration focuses on high-value assets, staged in centralized ETL tools before transfer, often followed by encryption for extortion.
Malware like Raccoon Stealer and VIDAR aids in stealing browser data, cookies, and login credentials, while the group monitors victim responses in tools like Slack or Microsoft Teams to adapt and maintain access, using proxies to obscure their origins.
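The two identity-abuse patterns described above (push bombing at initial access, and a fresh MFA factor enrolled on an account right after a helpdesk-driven password reset) are both visible in identity-provider logs. The following is an added detection example, not code from the advisory or from this article; the JSON log schema, the event and field names, the sample lines, and the thresholds (three non-approved pushes within five minutes, enrollment within an hour of a reset) are assumptions chosen for illustration rather than any vendor's real format.

```python
"""Added example: detect MFA push bombing and reset-then-enroll persistence
over constructed identity-provider log lines. Schema and thresholds are
assumptions for illustration, not an IdP's actual log format."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (JSON lines). Not real telemetry.
SAMPLE_LOG = """
{"ts":"2025-07-29T08:00:05Z","user":"alice","event":"mfa.push","result":"DENY"}
{"ts":"2025-07-29T08:00:20Z","user":"alice","event":"mfa.push","result":"TIMEOUT"}
{"ts":"2025-07-29T08:00:41Z","user":"alice","event":"mfa.push","result":"DENY"}
{"ts":"2025-07-29T08:01:02Z","user":"alice","event":"mfa.push","result":"DENY"}
{"ts":"2025-07-29T08:01:30Z","user":"alice","event":"mfa.push","result":"ALLOW"}
{"ts":"2025-07-29T08:10:00Z","user":"bob","event":"mfa.push","result":"ALLOW"}
{"ts":"2025-07-29T09:15:00Z","user":"carol","event":"password.reset","actor":"helpdesk-svc"}
{"ts":"2025-07-29T09:22:00Z","user":"carol","event":"mfa.factor.enroll","factor":"sms"}
{"ts":"2025-07-29T11:00:00Z","user":"dave","event":"password.reset","actor":"dave"}
{"ts":"2025-07-29T16:00:00Z","user":"dave","event":"mfa.factor.enroll","factor":"fido2"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, window=timedelta(minutes=5), min_failures=3):
    """Flag an ALLOW preceded by >= min_failures non-approved pushes for the
    same user inside `window` (the user finally gave in to the prompts)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push":
            by_user[e["user"]].append(e)
    hits = []
    for user, pushes in by_user.items():
        for i, p in enumerate(pushes):
            if p["result"] != "ALLOW":
                continue
            prior = [q for q in pushes[:i]
                     if q["result"] != "ALLOW" and p["ts"] - q["ts"] <= window]
            if len(prior) >= min_failures:
                hits.append({"user": user, "approved_at": p["ts"],
                             "failed_pushes": len(prior)})
    return hits


def detect_reset_then_enroll(events, window=timedelta(hours=1)):
    """Flag a new MFA factor enrolled within `window` after a password reset
    performed by someone other than the account owner (helpdesk-driven)."""
    hits = []
    resets = [e for e in events
              if e["event"] == "password.reset" and e.get("actor") != e["user"]]
    for r in resets:
        for e in events:
            if (e["event"] == "mfa.factor.enroll" and e["user"] == r["user"]
                    and r["ts"] <= e["ts"] <= r["ts"] + window):
                hits.append({"user": r["user"], "reset_by": r["actor"],
                             "factor": e["factor"],
                             "minutes_after_reset": (e["ts"] - r["ts"]).total_seconds() / 60})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in detect_push_bombing(evs):
        print("PUSH-BOMBING:", h)
    for h in detect_reset_then_enroll(evs):
        print("RESET-THEN-ENROLL:", h)
```

On the constructed input, alice is flagged for push bombing (four rejected or expired prompts before the approval) and carol for an SMS factor enrolled seven minutes after a helpdesk reset; dave, who reset his own password and enrolled a FIDO2 key hours later, is not. In production the second rule is worth tuning so that enrollment of a phishing-resistant factor by the owner's own session scores lower than an SMS or voice factor added right after a support ticket.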
To counter these threats, the advisory aligns recommendations with CISA and NIST’s Cross-Sector Cybersecurity Performance Goals (CPGs), emphasizing phishing-resistant MFA (e.g., FIDO/WebAuthn or PKI-based) to thwart push bombing and SIM swaps.
Organizations should implement application allowlisting to block unauthorized remote tools, audit logs for abnormal remote access, and restrict RDP by closing unused ports, enforcing lockouts, and requiring MFA.
Network segmentation limits lateral movement, while timely patching of known vulnerabilities, offline encrypted backups, and regular restoration testing minimize impact.
According to the report, password policies should follow NIST standards: unique, strong passwords of at least 15 characters, no password reuse, and no password hints, with administrator credentials required for software installation.
Enhanced monitoring via EDR tools detects unusual activity, such as risky logins or exfiltration attempts, and employee training on vishing and spearphishing is crucial.
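The allowlisting recommendation above is only as good as the attribute it keys on: an adversary who drops ngrok as svchost.exe defeats a rule written against the on-disk file name. The following added example (not from the advisory or this article) evaluates constructed Sysmon-style process-creation events against a remote-access tool allowlist, matching on binary metadata (OriginalFileName and Product) as well as the path, and flags the renamed binary. The tool names come from the advisory's list; the event schema, the single approved tool, and the sample events are assumptions for illustration.

```python
"""Added example: remote-access / RMM allowlist check over constructed
process-creation events. Schema, allowlist and events are assumptions."""

# Assumption: the organisation sanctions exactly one remote-support tool.
APPROVED_RMM = {"TeamViewer"}

# Remote access / RMM products named in the advisory, keyed by the
# normalised substrings expected in file names or binary metadata.
REMOTE_TOOL_SIGNATURES = {
    "teamviewer": "TeamViewer", "anydesk": "AnyDesk", "ngrok": "Ngrok",
    "teleport": "Teleport.sh", "fleetdeck": "Fleetdeck.io",
    "pulseway": "Pulseway", "tacticalrmm": "Tactical.RMM",
    "tacticalagent": "Tactical.RMM",
}

# Constructed Sysmon-style process creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "original_file_name": "TeamViewer.exe", "product": "TeamViewer"},
    {"host": "ws02", "user": "bob",
     "image": "C:\\Users\\bob\\Downloads\\AnyDesk.exe",
     "original_file_name": "AnyDesk.exe", "product": "AnyDesk"},
    # Renamed binary: path looks benign, metadata still identifies ngrok.
    {"host": "ws03", "user": "carol",
     "image": "C:\\Users\\carol\\AppData\\Local\\Temp\\svchost.exe",
     "original_file_name": "ngrok.exe", "product": "ngrok"},
    {"host": "ws04", "user": "dave",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "product": "Microsoft Windows"},
]


def _normalise(value):
    """Lower-case and strip non-alphanumerics so 'Tactical RMM', 'tactical-rmm'
    and 'TacticalRMM.exe' all collapse to the same key."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def match_tool(*fields):
    """Return the product name whose signature appears in any field, else None."""
    for field in fields:
        key = _normalise(field or "")
        for sig, name in REMOTE_TOOL_SIGNATURES.items():
            if sig in key:
                return name
    return None


def evaluate(events):
    """Classify each event: allowed tool, blocked tool, or not a remote tool.
    A tool is 'renamed' when only the metadata, not the path, identifies it."""
    findings = []
    for e in events:
        basename = e["image"].rsplit("\\", 1)[-1]
        by_path = match_tool(basename)
        tool = match_tool(e.get("original_file_name"), e.get("product"), basename)
        if tool is None:
            continue
        findings.append({
            "host": e["host"], "user": e["user"], "tool": tool,
            "verdict": "allowed" if tool in APPROVED_RMM else "blocked",
            "renamed": by_path != tool,
        })
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

On the sample events TeamViewer on ws01 is allowed, AnyDesk on ws02 is blocked, and the ngrok binary masquerading as svchost.exe on ws03 is blocked and marked renamed; notepad is ignored. Metadata such as OriginalFileName can itself be altered, so real enforcement should use publisher- or hash-based rules (AppLocker or WDAC on Windows), with a detection like this one run over telemetry as a second layer to catch the tools that get past the policy.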
The advisory advises validating security controls against ATT&CK techniques using tools like CISA’s Decider, and for UK entities, referencing NCSC’s May 2025 blog on similar incidents.
By adopting these measures, including disabling unused ports, adding external email banners, and maintaining immutable backups, organizations can significantly reduce the likelihood of compromise and mitigate the financial and operational fallout from Scattered Spider’s extortion-driven campaigns.