FBI, CISA warn about Scattered Spider’s evolving tactics

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an updated advisory about the cybercrime collective Scattered Spider, warning that the group continues to unleash a wave of cyberattacks around the world using several new intrusion techniques. 

The notorious gang has expanded its targeting in recent months to include retailers, insurers and airlines in multiple countries. Although it has focused primarily on targets in the U.K. and the U.S., the group recently caught the attention of Canadian and Australian authorities, which co-signed the new advisory along with the U.K.

Scattered Spider “represents a serious and ongoing threat to U.S. organizations, using sophisticated social engineering and intrusion tactics to disrupt operations and extort victims,” the four governments warned. “Their activities have impacted multiple sectors and underscore the continued risk ransomware poses to national security and economic stability.”

Scattered Spider has conducted social-engineering attacks by tricking IT help-desk workers into handing over credentials or otherwise bypassing multifactor authentication, allowing them to gain direct access to targeted systems.

The group has used a range of techniques, according to the new government advisory, including phishing, “push bombing” (blitzing targets with multifactor-authentication push alerts until they eventually approve one) and SIM-swapping attacks. 
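Push bombing leaves a recognisable pattern in MFA logs: a burst of push challenges to one user, most of them denied or timed out, often followed by a single approval. The following is an added detection example, not code from the advisory or from any vendor; the log format, field names, the ten-minute window and the five-push threshold are all assumptions, and the log lines are constructed.

```python
"""Detect MFA push-bombing bursts in authentication logs (added example).

The log format below is an assumption for this example: one push event per
line, with an ISO timestamp, the user, the event type and the source IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice is hit with six pushes in
# three minutes and finally approves one; bob and carol show normal use.
SAMPLE_LOG = """\
2025-07-29T02:14:01Z alice push_sent 203.0.113.7
2025-07-29T02:14:31Z alice push_timeout 203.0.113.7
2025-07-29T02:14:40Z alice push_sent 203.0.113.7
2025-07-29T02:14:55Z alice push_denied 203.0.113.7
2025-07-29T02:15:10Z alice push_sent 203.0.113.7
2025-07-29T02:15:40Z alice push_timeout 203.0.113.7
2025-07-29T02:15:50Z alice push_sent 203.0.113.7
2025-07-29T02:16:05Z alice push_denied 203.0.113.7
2025-07-29T02:16:15Z alice push_sent 203.0.113.7
2025-07-29T02:16:45Z alice push_timeout 203.0.113.7
2025-07-29T02:17:00Z alice push_sent 203.0.113.7
2025-07-29T02:17:12Z alice push_approved 203.0.113.7
2025-07-29T09:00:00Z bob push_sent 198.51.100.20
2025-07-29T09:00:20Z bob push_approved 198.51.100.20
2025-07-29T10:00:00Z carol push_sent 192.0.2.33
2025-07-29T10:00:30Z carol push_denied 192.0.2.33
2025-07-29T10:30:00Z carol push_sent 192.0.2.33
2025-07-29T10:30:25Z carol push_approved 192.0.2.33
2025-07-29T11:00:00Z carol push_sent 192.0.2.33
2025-07-29T11:00:20Z carol push_approved 192.0.2.33
2025-07-29T11:30:00Z carol push_sent 192.0.2.33
2025-07-29T11:30:10Z carol push_approved 192.0.2.33
2025-07-29T12:00:00Z carol push_sent 192.0.2.33
2025-07-29T12:00:15Z carol push_approved 192.0.2.33
"""

REJECTIONS = ("push_denied", "push_timeout")


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, event, ip) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_push_bombing(text, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive `threshold` or more pushes inside `window`.

    Returns one finding per user: how many pushes landed in the burst, how many
    were denied or timed out, and whether an approval followed the burst (the
    outcome a defender most needs to act on, since it means the attacker is in).
    """
    by_user = defaultdict(list)
    for event in parse_log(text):
        by_user[event[1]].append(event)

    findings = []
    for user, events in by_user.items():
        sends = [e[0] for e in events if e[2] == "push_sent"]
        oldest = 0
        for newest, ts in enumerate(sends):
            # Slide the window start forward until it covers only the last `window`.
            while sends[oldest] < ts - window:
                oldest += 1
            if newest - oldest + 1 < threshold:
                continue
            start, end = sends[oldest], ts
            # Look slightly past the burst so a late approval is still attributed to it.
            burst = [e for e in events if start <= e[0] <= end + window]
            findings.append({
                "user": user,
                "window_start": start.isoformat(),
                "pushes": sum(1 for e in burst if e[2] == "push_sent"),
                "rejections": sum(1 for e in burst if e[2] in REJECTIONS),
                "approved_after_burst": any(e[2] == "push_approved" and e[0] >= end for e in burst),
            })
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_LOG):
        print(finding)
```

The sliding window is over push sends only, so a user who legitimately approves five prompts across a working day is not flagged, while a burst of prompts with repeated denials or timeouts is. The `approved_after_burst` flag is the one to page on: it marks the case where fatigue did its job and the session that resulted should be revoked and investigated.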

Scattered Spider has also deployed multiple ransomware variants, including Dragonforce, for use in data-extortion attacks.

Microsoft researchers earlier this month said the group has been using adversary-in-the-middle tactics and abusing text-messaging services.

Scattered Spider has recently been observed encrypting data on targeted computer networks before demanding a ransom, according to the international advisory. The group has encrypted VMware ESXi servers, among others.

British authorities earlier this month arrested four people in connection with social-engineering attacks against retailers Marks & Spencer, Harrods and Coop, attacks that researchers have linked to Scattered Spider.

The arrests may provide a brief opening for the security community to reassess its collective posture, according to researchers.

“Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the UK, Mandiant Consulting hasn’t observed any new intrusions directly attributable to this specific threat actor,” said Charles Carmakal, CTO Mandiant Consulting – Google Cloud.

“This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly.”

Mandiant officials warn that other groups, including UNC6040, have employed tactics similar to Scattered Spider's. That group has abused Salesforce instances in social-engineering attacks.

In recent months, other major companies have disclosed intrusions that bear the hallmarks of Scattered Spider. Qantas recently disclosed a breach that affected 5.7 million passengers, saying hackers breached one of the airline’s call centers.

Allianz Life Insurance Company of North America on Friday announced an intrusion that affected a majority of its 1.4 million customers.

On July 22, Clorox sued its IT help-desk provider, Cognizant, for $380 million, claiming its vendor failed to prevent a crippling 2023 attack that experts have attributed to Scattered Spider. The suit alleges that Cognizant handed over network credentials to the attackers without properly authenticating them. In response, Cognizant said Clorox was responsible for its own flawed security.
