Scattered Spider weaves web of social-engineered destruction

In an underworld fueled by infamy and money that leaves a trail of human misery in its wake, the unbound collective colloquially known as Scattered Spider deviates from many norms in cybercrime.

The cunning threat group composed of young, native English-speaking people lacks cohesion, is rife with infighting and doesn’t have a data leak site, which many financially motivated cybercriminals use to claim responsibility for alleged victims and ramp up pressure to pay extortion demands. 

Scattered Spider’s preferred methods of intrusion — social engineering and phishing — make it difficult for most threat hunters to attribute attacks to the collective with confidence. The cybercrime outfit doesn’t leave the types of fingerprints behind that researchers typically track, and as a result there are considerable discrepancies and uncertainty across the industry with respect to what Scattered Spider is, how it determines targets and which companies it has attacked.

As Scattered Spider has risen through the ranks of cybercrime — most recently suspected of attacking Marks & Spencer in the United Kingdom, United Natural Foods, WestJet and Hawaiian Airlines — researchers have been mapping clues about the organization and how it operates.

Following a brief hiatus starting last summer, Scattered Spider regrouped earlier this year and has hit dozens of companies in the retail, insurance and aviation industries. The group first gained notoriety for attacks on MGM Resorts and Caesars Entertainment in 2023.

Scattered Spider has infiltrated more than 100 businesses since 2022, hitting organizations in hospitality and gaming, manufacturing, technology and cloud services, telecommunications, retail, food production, insurance and financial services, media, apparel, business process outsourcing, health care, transportation and aviation, according to researchers.

The group’s total take on extortion demands exceeds $66 million, the cybersecurity firm Halcyon told CyberScoop, but it’s likely collected much more. “I’ve had clients pay them eight figures,” said Charles Carmakal, chief technology officer at Mandiant Consulting, which tracks the group as UNC3944.

Scattered Spider doesn’t always encrypt data or systems, but when it does the group has used multiple ransomware variants, including Akira, AlphV, Play, Qilin, RansomHub and most recently DragonForce, researchers said.

Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, describes Scattered Spider as a “decentralized but tightly aligned group” with a clear division of roles and responsibilities. This includes a small band of two to four senior operators and leaders who function as project managers, coordinating with initial access brokers, ransomware affiliates and negotiators.

“Meanwhile, you have newcomers and junior affiliates, and they’re conducting all those lower-tier operations to prove themselves, trying to test detection thresholds,” said Kaiser, former deputy assistant director of the FBI’s cyber policy, intelligence and engagement branch. 

Researchers’ estimates of how many people are involved with Scattered Spider vary because of this tiered structure. The inner circle is tight, followed by dozens of others and then a larger pool of people who filter in and out of the group to facilitate operations, incident response specialists told CyberScoop.

Scattered Spider is an offshoot of The Com, a much larger grassroots network of more than 1,000 people responsible for a vast catalog of crimes, including social engineering, crypto theft, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping and murder. 

While the volume and intensity of attacks linked to Scattered Spider following its resurgence might appear extraordinary, the group’s tempo of activity was much higher in previous years, according to Carmakal. 

Many Scattered Spider victims have disclosed attacks over the years, but they were never formally attributed to the cybercrime collective. 

“It is notable again because we are paying more attention to this group,” Carmakal said. “Now we talk about them and people care about them because they’ve seen the kinetic outcomes of their cyberattacks. That’s the difference.”

Social engineering the help desk

Another change involves the group’s tactics. While Scattered Spider’s early hits in 2022 and 2023 were the result of social-engineering attacks, the group transitioned to domain-based phishing through much of 2024 before activity went dormant last summer. The group’s revival this year marks a throwback in tactics, as it has relied exclusively once again on social engineering as an initial access vector.

“Come March, when they basically abandoned all their phishing pages, they threw out all of the playbooks they’ve been using and they went back to their very original playbooks,” said Zach Edwards, threat researcher at Silent Push.

Scattered Spider has mostly broken into companies’ networks over the past few months by socially engineering help-desk employees. This includes requests for password resets, removing phone numbers from multifactor authentication solutions so that new devices can be enrolled, or adding a phone number to an account so that a self-service password reset can be issued.

“Once Scattered Spider calls the help desk and gets on the phone with them, there’s a clock ticking, and the help desk has only so much time to close that ticket in order to hit their metrics,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike.

“They’re taking advantage of the fact that these help desks validate the authenticity of the person simply by checking whatever the criteria is that they’ve been given,” he said.

These callers have been very successful without much effort, according to Chris Yule, director of threat research at Sophos Counter Threat Unit. “In some cases, if not many cases, they are not getting very much pushback at all or any resistance they’re having to overcome.”

There’s a debate among threat researchers about the extent to which Scattered Spider is purposely targeting single industries before pivoting to new sectors, or merely going after help-desk outsourcing firms, which happen to have a lot of customers in a specific vertical.

Researchers at Halcyon said recent attacks against U.K. retailers and U.S.-based insurance companies likely originated, at least in part, from Scattered Spider’s compromise of business process outsourcing providers. 

Carmakal doesn’t think Scattered Spider is methodically targeting outsourced IT help desks in particular and cautioned people against concluding that any particular help-desk provider is the source of a compromise.

Mandiant defines patterns of attribution

Mandiant, which has provided incident response services to many Scattered Spider victims, has repeatedly offered early warnings of patterns of attacks in a given industry, including a shift to U.S.-based retailers, and more recently the insurance industry and North American airlines. Each of those ominous warnings was proven out days or weeks later as attack sprees came to light across those sectors.

When Mandiant says Scattered Spider is targeting a specific sector, it is because, from an investigative perspective, the attacks follow the same attacker playbook. “It’s how they’re getting access to credentials. It’s what they’re doing immediately when they have credentials. It’s how they’re using credentials on domain controllers in a very unique way. It’s the tooling that they’re using. It’s the re-use of the infrastructure,” Carmakal said.

“There’s a lot of patterns that allow us to predict what they’re going to do over the next few days and weeks, and those patterns and predictability could change at any point in time. They’re a very capable group,” he continued. “I see patterns in the totality of the incident. It can’t just be a pattern in the social engineering and the telephone call.”

Scattered Spider isn’t the only cybercrime ring using social engineering or attacking organizations in sectors known to be targeted by the group. Yet, Scattered Spider often gets unsubstantiated credit for activities beyond its purview.

Other threat groups such as UNC6040, which is also affiliated with The Com, have attacked companies in the same sectors via social engineering. Google Threat Intelligence Group attributed at least 20 intrusions to UNC6040 as of last month.

“Activity involving a social engineering of the help desk might look and feel like Scattered Spider,” but some industry observers are prematurely drawing attribution conclusions, Carmakal said.

Web of destruction drifts in the wind

Scattered Spider’s web of destruction persists and continues to catch more victims because its techniques and its specialization in targeting cloud and identity systems work across all sectors.

“They’re targeting the weakest link in the security chain, which is the human,” Meyers said. “They’re very fast and, once they gain access, you have oftentimes well under 48, even 24, hours to find them and eradicate them from your infrastructure before they’re able to run an encryption. So, speed is a killer.

“Unless somebody takes them off the field, they’re gonna keep doing what they’re doing,” he added. “There’s no reason not to.”

Edwards noted that social engineering attacks have been successful since the dawn of the telephone. “Voice as confirmation is a fabulous way to get around security, where if you know the little keyphrases to use — the slang, the lingo — it’s voice of trust,” he said.

“If you call, you know the right things to say, you know what they’re going to ask, and you have answers ready,” Edwards added. “It’s an incredibly effective way to basically gain trust from someone and then get them to do something they normally wouldn’t do.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.


Source link