SCATTERED SPIDER Using Aggressive Social Engineering Techniques to Deceive IT Support Teams

A wave of sophisticated cyberattacks has swept across major organizations in the UK and US, with sectors ranging from hospitality and telecommunications to finance and retail falling victim to a threat actor known as SCATTERED SPIDER.

Unlike traditional ransomware groups that rely primarily on technical exploits, SCATTERED SPIDER has gained notoriety for its aggressive social engineering tactics, particularly targeting IT support teams with cunning psychological manipulation.

Active since at least 2022, SCATTERED SPIDER has formed a dangerous partnership with DragonForce, a ransomware-as-a-service (RaaS) operation that provides the group with encryption capabilities and data leak platforms.

This collaboration allows SCATTERED SPIDER to focus on what they do best: manipulating people to gain network access while outsourcing the technical aspects of ransomware deployment.

SOSIntelligence researchers identified a distinctive characteristic of this threat actor: they appear to be native English speakers with strong ties to Western countries.

This cultural fluency makes their phone-based attacks and impersonation schemes alarmingly effective when targeting corporate help desks and support personnel.

One of the most high-profile incidents attributed to SCATTERED SPIDER was the 2023 attack on MGM Resorts, which caused large-scale IT disruption across casinos and hotels in the US.

According to investigators, this devastating breach originated from a remarkably simple phone-based social engineering ploy that convinced support staff to reset credentials.

The group’s motivation appears primarily financial, with a focus on data theft and ransomware deployment.

However, their methodical approach resembles nation-state actors more than typical cybercriminals, blurring the lines between opportunistic attacks and advanced persistent threats.

Vishing: The Central Weapon in SCATTERED SPIDER’s Arsenal

SCATTERED SPIDER’s social engineering methodology centers around vishing (voice phishing) attacks targeting IT support teams.

Their operators speak fluent, unaccented English and demonstrate exceptional impersonation skills when pretending to be employees locked out of their accounts or IT personnel responding to incidents.

A typical attack begins with reconnaissance, gathering employee names and organizational details from LinkedIn, press releases, and social media.

Armed with this information, attackers call help desks, creating urgent scenarios that pressure support staff to bypass normal verification procedures.

When targeting authentication systems, SCATTERED SPIDER employs techniques like “MFA fatigue” – repeatedly triggering authentication prompts until frustrated users approve the request.

They also conduct SIM-swapping attacks to intercept SMS verification codes sent during password resets.

Upon gaining initial access, the group moves rapidly to compromise identity infrastructure like Okta, Active Directory, or Azure AD.

They leverage tools such as Mimikatz for credential harvesting and use legitimate Windows administration tools (PowerShell, PsExec) for lateral movement, making their activities difficult to distinguish from normal IT operations.

Cybersecurity experts recommend reinforcing help desk verification protocols, implementing phishing-resistant MFA solutions, and conducting regular social engineering awareness training.

As SOSIntelligence notes in their analysis, “Security isn’t just a technology problem—it’s a people and process problem too”.

Power up early threat detection, escalation, and mitigation with ANY.RUN’s Threat Intelligence Lookup. Get 50 trial searches.