Industry groups urge vigilance as Scattered Spider evolves tactics
A coalition of information-sharing groups urged their members on Wednesday to take additional steps to mitigate potential attacks by the cybercrime gang Scattered Spider, which has spent recent months attacking the insurance, retail and airline industries.
“Threat actors such as Scattered Spider are constantly innovating, so organizations must be diligent in continually monitoring their processes and identities to look for new exploits,” the group of information sharing and analysis centers (ISACs) — representing the financial services, food and agriculture, information technology, healthcare, aviation, automotive, retail, maritime and electricity sectors — said in a joint advisory.
Their warning came one day after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Scattered Spider had developed an evolving set of tactics to conduct social-engineering attacks on its targets.
The ISACs said they expect the group to continue to find new ways to evade existing security measures.
“Scattered Spider presents a real threat, and financial services firms must remain diligent as it and other threat actors innovate and scan for new exploits,” John Denning, chief information security officer at the FS-ISAC, told Cybersecurity Dive. “However, the threat of Scattered Spider extends across borders and industries — as do many cybersecurity threats — and its historical activity indicates that its focus will shift as it identifies new organizations and sectors to exploit.”
Scattered Spider, an English-speaking threat group based mainly in the United States and the United Kingdom, has perfected a strategy based on tricking IT help desks into handing over user credentials or bypassing multifactor authentication technology. The ISACs urged their members to develop multichannel verification methods, which are designed to make sure a password reset or other request is coming from a real employee.
More sensitive requests, such as large financial transfers, should require multiple layers of approvals to prevent theft, the ISACs said.
After debuting on the cybercrime scene in 2023, Scattered Spider experienced a resurgence earlier this year as it launched a months-long hacking campaign that ensnared companies ranging from British department store Marks & Spencer to Whole Foods distributor United Natural Foods and Australian airline Qantas.
According to Google researchers, however, the group has gone quiet in recent weeks following the arrest of four suspected members for allegedly hacking three major British retailers. They caution that Scattered Spider has previously taken a step back following high-profile arrests only to later resume activities.
Researchers have also cautioned that threat groups either affiliated with or inspired by Scattered Spider have used similar tactics.