CISA and FBI Shared Tactics, Techniques, and Procedures of Scattered Spider Hacker Group
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released an updated joint cybersecurity advisory detailing the sophisticated tactics employed by the Scattered Spider cybercriminal group, also known as UNC3944, Oktapus, and Storm-0875.
This threat actor has significantly evolved since its initial identification, now targeting large companies and their contracted information technology help desks with increasingly sophisticated social engineering techniques and ransomware deployment capabilities.
Scattered Spider represents a particularly dangerous evolution in cybercrime, combining traditional social engineering with advanced technical capabilities to breach high-value targets across commercial facilities and critical infrastructure sectors.
The group’s operations extend beyond simple data theft, encompassing comprehensive data extortion schemes that leverage both stolen information and ransomware encryption to maximize financial impact on victims.
CISA analysts identified that Scattered Spider has recently expanded its arsenal to include DragonForce ransomware alongside traditional data exfiltration techniques, marking a significant escalation in the group’s threat profile.
The threat actors demonstrate remarkable adaptability, frequently modifying their tactics, techniques, and procedures to evade detection while maintaining persistent access to compromised networks.
The group’s initial access methodology relies heavily on multilayered social engineering campaigns targeting both employees and IT support personnel.
In addition to broader phishing and smishing campaigns, Scattered Spider conducts extensive reconnaissance using business-to-business websites, social media platforms, and open-source intelligence gathering to identify high-value targets within organizations and to learn enough about their roles, contacts, and IT processes to impersonate them convincingly.
Advanced Social Engineering and Persistence Mechanisms
Scattered Spider’s most distinctive characteristic lies in its sophisticated social engineering approach, which CISA researchers noted has evolved to include what they term “push bombing” attacks alongside traditional subscriber identity module (SIM) swap techniques. In a push bombing attack the actor, already holding a valid password, triggers MFA push notifications to the victim repeatedly until the victim approves one out of fatigue or confusion; a SIM swap instead moves the victim’s phone number to an attacker-controlled SIM so that SMS and voice one-time codes are delivered to the attacker.
The threat actors meticulously gather personally identifiable information from various sources, including commercial intelligence tools and database leaks, to craft convincing impersonation scenarios.
The group’s persistence strategy involves registering their own multifactor authentication tokens after successfully compromising user accounts, effectively establishing backdoor access that survives password resets.
This technique is complemented by the deployment of legitimate remote monitoring and management (RMM) tools such as TeamViewer, ScreenConnect, and newly identified tools like Teleport.sh and AnyDesk, which blend in with normal IT operations because help desks and administrators routinely use the same software.
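As an added illustration (not code from the advisory or from CISA/FBI), the two behaviours just described, push bombing and an attacker enrolling a new MFA factor shortly after a help-desk password reset, can be surfaced from identity-provider audit events with a small amount of detection logic. The event schema, field names, usernames and timestamps below are constructed for this example and mirror no vendor’s real log format; the thresholds and windows are assumptions to be tuned per environment.

```python
"""Detection logic for two Scattered Spider patterns: push bombing (T1621) and
an MFA factor enrolled right after a help-desk password reset (T1556.006).
Added example; the event schema is an assumption, not a real vendor log format."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs), shaped like a generic IdP audit trail.
SAMPLE_EVENTS = [
    # jdoe: six push challenges in under four minutes, the last one finally accepted
    {"ts": "2025-07-29T13:00:00Z", "user": "jdoe", "event": "mfa.push.challenge", "outcome": "DENY"},
    {"ts": "2025-07-29T13:00:40Z", "user": "jdoe", "event": "mfa.push.challenge", "outcome": "DENY"},
    {"ts": "2025-07-29T13:01:20Z", "user": "jdoe", "event": "mfa.push.challenge", "outcome": "TIMEOUT"},
    {"ts": "2025-07-29T13:02:00Z", "user": "jdoe", "event": "mfa.push.challenge", "outcome": "DENY"},
    {"ts": "2025-07-29T13:02:45Z", "user": "jdoe", "event": "mfa.push.challenge", "outcome": "TIMEOUT"},
    {"ts": "2025-07-29T13:03:30Z", "user": "jdoe", "event": "mfa.push.challenge", "outcome": "ALLOW"},
    # asmith: help-desk password reset followed eight minutes later by a new push factor
    {"ts": "2025-07-29T14:10:00Z", "user": "asmith", "event": "user.password.reset", "actor": "helpdesk-tier1"},
    {"ts": "2025-07-29T14:18:00Z", "user": "asmith", "event": "mfa.factor.enroll", "factor": "push"},
    # bwong: normal activity, one accepted push and an enrolment with no preceding reset
    {"ts": "2025-07-29T09:00:00Z", "user": "bwong", "event": "mfa.push.challenge", "outcome": "ALLOW"},
    {"ts": "2025-07-29T10:00:00Z", "user": "bwong", "event": "mfa.factor.enroll", "factor": "totp"},
]


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received at least `threshold` push challenges within `window`.
    Each alert covers one maximal burst; 'accepted' is True when the burst ends in an
    ALLOW, i.e. the fatigue attack appears to have succeeded."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push.challenge":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["outcome"]))
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort()
        i = 0
        while i < len(pushes):
            j = i
            while j + 1 < len(pushes) and pushes[j + 1][0] - pushes[i][0] <= window:
                j += 1                      # extend the burst while inside the window
            count = j - i + 1
            if count >= threshold:
                burst = pushes[i:j + 1]
                alerts.append({
                    "user": user,
                    "count": count,
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                    "accepted": burst[-1][1] == "ALLOW",
                })
                i = j + 1                   # do not re-alert on the same burst
            else:
                i += 1
    return alerts


def detect_post_reset_enrollment(events, window=timedelta(hours=24)):
    """Flag a new MFA factor enrolled within `window` after a password reset that was
    performed by someone other than the account owner (typically the help desk)."""
    resets = defaultdict(list)
    for e in events:
        if e["event"] == "user.password.reset" and e.get("actor") != e["user"]:
            resets[e["user"]].append((parse_ts(e["ts"]), e.get("actor", "unknown")))
    alerts = []
    for e in events:
        if e["event"] != "mfa.factor.enroll":
            continue
        enrolled_at = parse_ts(e["ts"])
        for reset_at, actor in resets.get(e["user"], []):
            if timedelta(0) <= enrolled_at - reset_at <= window:
                alerts.append({
                    "user": e["user"],
                    "reset_by": actor,
                    "minutes_after_reset": int((enrolled_at - reset_at).total_seconds() // 60),
                    "factor": e.get("factor"),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_EVENTS):
        print("PUSH BOMBING:", a)
    for a in detect_post_reset_enrollment(SAMPLE_EVENTS):
        print("POST-RESET MFA ENROLMENT:", a)
```

A burst that ends in an ALLOW is the highest-priority alert, since it means the actor now holds a live session; an enrolment minutes after a help-desk reset is exactly the persistence pattern described above and should trigger a call-back to the user on a known-good number before the new factor is trusted. In production the same two functions would run over the IdP’s exported system log rather than the inline list, and the reset actor would be matched against the help-desk group rather than a single account name.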
Their technical arsenal includes both legitimate tools repurposed for malicious activities and custom malware variants.
| Tactic | Technique Title | Technique ID | Use |
|---|---|---|---|
| Reconnaissance | Gather Victim Identity Information | T1589 | Gather usernames, passwords, PII of targets |
| Reconnaissance | Phishing for Information | T1598 | Phishing to gain credentials and network access |
| Reconnaissance | Purchase Technical Data | T1597.002 | Buy credentials from illicit marketplaces |
| Reconnaissance | Search Victim-Owned Websites | T1594 | Collect employee info (roles, contacts) |
| Reconnaissance | Spearphishing Voice | T1598.004 | Calls to elicit sensitive information |
| Reconnaissance | Social Media Reconnaissance | T1593.001 | Gather info from social platforms about staff |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | Create phishing/smishing domains |
| Resource Development | Create Social Media Accounts | T1585.001 | Fake profiles to support fake identities |
| Initial Access | Phishing (Email) | T1566 | Broad phishing to install RATs |
| Initial Access | Smishing | T1660 | SMS-based phishing to deliver malware |
| Initial Access | Spearphishing Voice | T1566.004 | Voice calls to reset credentials/MFA |
| Initial Access | Trusted Relationship | T1199 | Exploit contracted IT service relationships |
| Initial Access | Valid Accounts: Domain Accounts | T1078.002 | Use valid accounts for access |
| Execution | Serverless Execution | T1648 | Use cloud ETL tools for data collection |
| Execution | User Execution | T1204 | Trick users into running remote access tools |
| Persistence | Persistence (general) | TA0003 | Maintain long-term access |
| Persistence | Create Account | T1136 | Add new user identities in the organization |
| Persistence | Modify Authentication: MFA | T1556.006 | Register attacker-controlled MFA factors to maintain access |
| Persistence | Valid Accounts | T1078 | Abuse valid credentials for persistence |
| Privilege Escalation | Privilege Escalation (general) | TA0004 | Escalate privileges in the network |
| Privilege Escalation | Modify Domain Trust | T1484.002 | Add a federated identity provider with automatic account linking |
| Defense Evasion | Create Cloud Instance | T1578.002 | Deploy new EC2 instances to evade detection |
| Defense Evasion | Impersonation | T1656 | Impersonate IT/help desk to obtain information |
| Credential Access | Credential Access (general) | TA0006 | Use tools like Raccoon Stealer |
| Credential Access | Forge Web Credentials | T1606 | Forge MFA tokens for access |
| Credential Access | MFA Request Generation | T1621 | Send repeated prompts (MFA fatigue / push bombing) |
| Credential Access | Credentials in Files | T1552.001 | Search for stored credentials |
| Credential Access | Private Keys | T1552.004 | Steal private keys from systems |
| Credential Access | SIM Swap | T1451 | Take over SMS/voice MFA via SIM swapping |
| Discovery | Discovery (general) | TA0007 | Search SharePoint, backups, AD |
| Discovery | Browser Information Discovery | T1217 | Use stealer malware to get browser history |
| Discovery | Cloud Service Dashboard | T1538 | Use AWS Systems Manager Inventory |
| Discovery | File/Directory Discovery | T1083 | Search files/directories for valuable info |
| Discovery | Remote System Discovery | T1018 | Identify remote systems in network |
| Discovery | Steal Web Session Cookies | T1539 | Use tools to grab session cookies |
| Lateral Movement | Lateral Movement (general) | TA0008 | Move across network after access |
| Lateral Movement | Remote Services: Cloud Services | T1021.007 | Use existing cloud services for lateral movement |
| Collection | Data from Code Repositories | T1213.003 | Collect data/code from repos |
| Collection | SharePoint Collection | T1213.002 | Gather internal documents from SharePoint |
| Collection | Data Staged | T1074 | Centralize data before exfiltration |
| Collection | Email Collection | T1114 | Search victim email for signs the intrusion has been detected |
| Collection | Cloud Storage Data | T1530 | Search cloud storage for sensitive data |
| Command & Control | Remote Access Software | T1219 | Use RMM tools for access/control |
| Command & Control | Proxy | T1090 | Use proxy networks to mask activity |
| Exfiltration | Exfiltration (general) | TA0010 | Steal data for extortion |
| Exfiltration | Exfiltration Over Web Service | T1567 | Use Snowflake for high-volume exfiltration |
| Exfiltration | Exfiltration to Cloud Storage | T1567.002 | Exfiltrate to MEGA[.]NZ and US-based cloud storage |
| Impact | Data Encrypted for Impact | T1486 | Encrypt victim data, demand ransom |
| Impact | Financial Theft | T1657 | Monetize access via extortion and theft |
Recent investigations revealed the use of RattyRAT, a Java-based remote access trojan designed for persistent, stealthy access and internal reconnaissance, alongside established information stealers like Raccoon Stealer and Vidar Stealer.
The threat actors demonstrate exceptional operational security awareness by actively monitoring targeted organizations’ internal communications through compromised Slack, Microsoft Teams, and Exchange Online accounts.
This surveillance capability allows them to join incident response calls and adapt their tactics as defenders react, which makes conventional threat hunting far less effective; responders should assume the collaboration platforms themselves are compromised and coordinate the response out of band.