Hacker groups are collaborative units of hackers that work together to achieve a common goal—often criminal in nature. Within the group, individuals might specialize in tasks like hacking, financial management of stolen assets, or even social engineering.

One hacker group that is a cause of growing concern is Scattered Spider. The group uses social engineering techniques to steal sensitive information, including that of casinos and large businesses.  

In this post, we’ll outline some of the background of Scattered Spider and what differentiates them from some of the other high-profile hacker groups out there, like APT29 or Fancy Bear. 

Scattered Spider Background

Scattered Spider (aka UNC3944, Scatter Swine, Muddled Libra or Starfraud) reportedly became active in 2022. Like most hacker groups, it’s financially motivated and has been involved in data extortion and cybercriminal activities. The group is largely based in the United States and United Kingdom, and at least some of its members could be as young as teens. 

Their speciality is social engineering—including phishing, SIM swaps, and push bombing. They’ve used malware including Raccoon Stealer, VIDAR Stealer, and AveMaria but are also associated with legitimate tools like Level.io, Splashtop, and Tailscale. 

Scattered Spider’s most high-profile attacks include one against Caesars Entertainment and MGM Resorts in September 2023. The group managed to steal six terabytes of data related to guests during the attack. That attack was enough to put it on the radar of CBS’ long-running television magazine program, “60 Minutes.” You can view the episode below.

How Scattered Spider Operates

Scattered Spider projects sometimes start with social engineering tactics: a phishing/smishing/vishing attack to gain access to credentials, using phone calls, emails or text messages to trick victims and convince them that they are legitimate IT support professionals.  

Once they have the credentials, Scattered Spider takes advantage of known weaknesses in software to disable security programs and make it harder to detect their intrusions. Then, when they gain initial access, they’ll try to move laterally within the network to reach sensitive data and systems. This allows them to steal valuable information or deploy ransomware for extortion.

Scattered Spider has been known to target IT help desks specifically. By compromising help desk accounts or exploiting trust in the department, they can gain a foothold within a company’s network and request a ransom in exchange for stolen data. 

What Have They Done? 

According to reports, Scattered Spider have posed as company IT staff in phone calls and text messages to trick employees to hand over their credentials, run commercial remote access tools on their devices, or share their one-time passwords (multi-factor authentication codes). 

They have also used a technique known as multi-factor authentication (MFA) bombing (bombarding employees with MFA notifications) to trick employees into pressing the Accept button. Cellular carriers were also convinced to transfer control of targeted users’ phone numbers to a SIM card under their control to access MFA prompts. 

The FBI has noted that Scattered Spider uses publicly available remote access tunneling tools for their criminal activity. 

Scattered Spider exploits vulnerabilities like CVE-2015-2291 to terminate security software and avoid detection. They have a deep understanding of the Microsoft Azure environment and built-in tools. 

Once they have access, they conduct a thorough reconnaissance of different environments (Microsoft 365, Windows, Linux, Google Workspace) and download tools to bypass VPN and MFA enrollment data. 

The group has been involved in at least half a dozen incidents targeting large outsourcing firms with interests in cryptocurrency and gambling. 

Who Do They Target?

Based on recent SIM swapping attacks, Scattered Spider has launched campaigns targeting large telecom and business process outsourcing (BPO) organizations in order to gain access to mobile carrier networks. As soon as they are disrupted, they move to the next. 

In 2022, Twilio disclosed that the group gained access to information related to several customers, including Okta. 

Scattered Spider has been attributed to over 100 victims, including telecommunications and technology companies, managed security service providers (MSSPs), financial services companies, business process outsourcing companies, crypto companies, transportation businesses, and several Las Vegas casinos. 

What Makes Scattered Spider So Dangerous?

There are a few reasons cybersecurity experts are concerned about Scattered Spider, mostly because they don’t have a signature style. They change their tools, infrastructure and targets regularly, which makes it harder to find them.

There is also speculation that the Scattered Spider group could be more than run-of-the-mill hackers. Their range of targets and the complexity of their attacks could indicate that they are state-sponsored. 

How To Mitigate

Scattered Spider attacks are difficult to spot but not impossible to evade. The best way to defend against their attacks is to implement user awareness training. Train employees to identify phishing scams, smishing attempts, and suspicious vishing calls. Educate teams on best practices for password management and avoiding social engineering tactics. Every employee should know where, when, and how IT support may get in touch with them and have the ability to verify their identity. 

Next, take technical steps:

• Enforce MFA for all user accounts. This adds an extra layer of security beyond passwords, making it harder for attackers to gain access even with stolen credentials.
• Implement stricter access controls for IT help desk accounts and limit privileges based on job functions. This minimizes the potential damage if a compromised help desk account is used.
• Maintain a rigorous patch management system to address known vulnerabilities in software and operating systems promptly. This eliminates weaknesses Scattered Spider might exploit to gain a foothold.
• Implement robust endpoint security solutions that can detect and prevent malware infections and unauthorized access attempts.
• Segment your network to limit the lateral movement of attackers within the system. This makes it harder for them to reach sensitive data even if they gain initial access.
• Consider implementing advanced threat detection solutions that use machine learning to identify and respond to evolving cyberattacks, including those employed by Scattered Spider.

Avoiding an attack isn’t always possible, so prepare a response plan that outlines the steps to take if a Scattered Spider attack occurs. This plan should include procedures for containment, eradication, recovery, and communication.

By implementing a multi-layered approach that combines user awareness training, robust network security, continuous monitoring, and a defined incident response plan, organizations can significantly reduce the risk of falling victim to Scattered Spider’s attacks.

If you aren’t sure whether or not your cyber defenses can withstand an attack by this hacker group (or any other threats), get in touch with Coro today.