How Scattered Spider Used Fake Calls to Breach Clorox via Cognizant

Cleaning products giant Clorox has sued its IT services partner, Cognizant, alleging that a devastating August 2023 ransomware attack that crippled production and cost the company $380 million in lost revenue was due to the firm’s negligence.

In a California Superior Court lawsuit, Clorox claims hackers linked to the Scattered Spider group simply obtained credentials by phoning Cognizant’s service desk for a password reset. Clorox further alleges Cognizant botched its response, prolonging the recovery time.

Specops Software, a security analysis firm, has now published a detailed analysis of the incident, revealing precisely how this straightforward service desk attack unfolded and offering critical lessons for organisations.

According to their research, shared with Hackread.com, the incident began on August 11, 2023. Attackers, impersonating legitimate employees, placed multiple calls to Cognizant’s service desk. Their goal: to get passwords and Multi-Factor Authentication (MFA) resets for locked-out employees.

Despite Clorox’s clear procedures, the service desk agent reportedly bypassed these protocols, failing to verify the caller’s identity and providing new credentials. Compounding the oversight, no alert emails were sent to the impersonated employee or their manager – a basic notification that could have warned Clorox’s security team.

The hackers then repeated this tactic, gaining access to a second account belonging to an IT-security employee. This instantly elevated their access to domain-admin privileges, granting them unrestricted entry to Clorox’s core Active Directory environment, which controls user access across the network.

With high-level credentials, the intruders swiftly disabled security controls, escalated their privileges further, and deployed ransomware across key servers. This silently encrypted data, severing vital links between manufacturing, distribution, and IT systems. Production lines halted, and order fulfilment ceased. Clorox reported $49 million in direct remediation expenses and a staggering $380 million in lost revenue.

Outsourcing critical IT support functions, while offering cost savings, can introduce vulnerabilities. Notably, UK retailer Marks and Spencer faced a similar incident in which Scattered Spider tricked staff at its IT helpdesk contractor, Tata Consultancy Services (TCS), into resetting privileged credentials, again gaining Active Directory access.

This incident highlights the ongoing threat posed by Scattered Spider (aka 0ktapus, UNC3944). As Hackread.com reported, this group has been involved in numerous high-profile breaches, including MGM Resorts and other major retailers.

From their persistent exploitation of help desks to reach VMware vSphere environments, where ransomware is deployed directly from the hypervisor, to the Clorox incident, the pattern shows that simple human vulnerabilities, if unaddressed, can lead to monumental financial and operational devastation.

To mitigate these risks, organisations must enforce strict Service Level Agreements (SLAs) with contractors, conduct regular red team exercises (simulated attacks) on outsourced processes, and demand transparent, real-time reporting of high-risk activities. Crucially, service desk permissions should be locked down to prevent agents from resetting admin or IT-privileged accounts without secondary approval workflows.
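The controls described above, as an added illustration that is not code from the article, from Specops or from any vendor: a policy gate that a service desk tool could apply to each reset request, refusing unverified callers, requiring a second distinct approver for admin or IT-privileged accounts, and always producing the owner and manager alerts that were missing in this incident. Group names, account names and the `example.invalid` addresses are constructed assumptions.

```python
# Added illustration (not the article's or any vendor's code); names are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Groups treated as privileged; constructed names, map to your own directory groups.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "IT-Security"}

@dataclass
class ResetRequest:
    account: str                      # account the caller claims to own
    channel: str                      # "phone", "chat" or "self-service"
    identity_verified: bool           # agent completed every step of the verification script
    groups: Set[str] = field(default_factory=set)
    secondary_approver: Optional[str] = None  # distinct person who approved, if any
    reset_mfa: bool = False           # caller also asked for an MFA reset

@dataclass
class Decision:
    allowed: bool
    reasons: List[str]                # why the request was refused (empty when allowed)
    notify: List[str]                 # who must be alerted whatever the outcome

def evaluate_reset(req: ResetRequest) -> Decision:
    reasons: List[str] = []
    privileged = bool(req.groups & PRIVILEGED_GROUPS)
    # The step the agent reportedly skipped: no verification, no reset.
    if not req.identity_verified:
        reasons.append("caller identity not verified")
    # An agent alone may not reset admin or IT-privileged accounts.
    if privileged and req.secondary_approver in (None, req.account):
        reasons.append("privileged account needs approval by a second, distinct person")
    # Handing out a password and an MFA reset in one phone call removes every barrier at once.
    if privileged and req.reset_mfa and req.channel == "phone":
        reasons.append("MFA reset for a privileged account is not done over the phone")
    # The alerts that were never sent in the incident: owner and manager, plus SOC if privileged.
    notify = [f"{req.account}@example.invalid", f"manager-of-{req.account}@example.invalid"]
    if privileged:
        notify.append("soc@example.invalid")
    return Decision(allowed=not reasons, reasons=reasons, notify=notify)

if __name__ == "__main__":
    # Constructed requests mirroring the two calls described in the article.
    first = ResetRequest("jdoe", "phone", identity_verified=False, groups={"Staff"})
    second = ResetRequest("itsec01", "phone", identity_verified=True,
                          groups={"IT-Security"}, reset_mfa=True)
    for req in (first, second):
        d = evaluate_reset(req)
        print(req.account, "ALLOWED" if d.allowed else "DENIED", d.reasons, d.notify)
```

Both constructed requests are refused; the notification list is returned even on refusal so that the account owner and manager learn of the attempt.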
