Scattered Spider

Scattered Spider is a financially motivated cybercriminal threat actor active since at least May 2022. It is also tracked as UNC3944, Octo Tempest, Muddled Libra, Scatter Swine, 0ktapus/Oktapus, Storm-0875, Roasted 0ktapus, DEV-0971, LUCR-3, Star Fraud, and related variants. Multiple sources describe it as an English-speaking collective, with members primarily based in the United States, the United Kingdom, and Canada. The group initially targeted telecommunications and business process outsourcing organizations, including activity aimed at gaining access to mobile carrier environments to support SIM swapping and phone-number porting. It later expanded to large enterprises across sectors including technology, retail, hospitality, gaming, financial services, manufacturing, law, natural resources, managed service providers, and critical infrastructure. Reported victims and linked campaigns include Twilio-related intrusions, Caesars Entertainment, MGM Resorts, Transport for London, and UK retail targets such as Marks & Spencer, Harrods, and Co-op Group. Scattered Spider is characterized by aggressive social engineering and identity-focused intrusion tradecraft. Reported techniques include vishing, smishing, phishing, adversary-in-the-middle credential theft, MFA fatigue, SIM swapping, impersonation of employees and IT/help desk staff, and abuse of self-service password reset and help-desk-driven MFA reset workflows. The group has used phone calls, SMS, and Microsoft Teams to pose as internal support personnel, direct victims to credential-harvesting pages, or convince them to install commercial remote monitoring and management tools. Sources also describe the group gathering personal and role information from open sources and leaks to support impersonation. After initial access, Scattered Spider has used valid accounts and legitimate tools to persist, move laterally, and evade detection. Reported tooling and methods include AnyDesk, ScreenConnect/ConnectWise Control, TeamViewer, Splashtop, Pulseway, Tactical RMM, Fleetdeck.io, Level.io, Tailscale, Teleport.sh, Ngrok, and other remote access or tunneling tools. The group has conducted reconnaissance across Windows, Linux, Active Directory, VMware vSphere/ESXi, Azure AD/Microsoft 365, Google Workspace, AWS, SharePoint, Slack, Teams, Exchange Online, code repositories, backups, and Snowflake environments. It has searched for credential documentation, VPN instructions, network diagrams, user provisioning and MFA registration procedures, and other material useful for escalation and extortion. Several sources link Scattered Spider to credential theft, cloud and identity abuse, and hypervisor-focused operations. Reported behaviors include registering attacker-controlled MFA devices, adding federated identity providers to SSO tenants, abusing Okta Org2Org, using Golden SAML-related techniques, exporting users and groups, extracting VPN and MFA enrollment data, and targeting VMware ESXi infrastructure. The group has been observed enabling SSH, altering firewall rules, disabling security controls, manipulating virtual disks offline, and deploying ransomware against ESXi environments. Scattered Spider has also been linked to malware and driver-based defense evasion. Reported tooling includes POORTRY and STONESTOP to terminate security software, use of signed vulnerable or malicious drivers, exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver iqvw64.sys, and exploitation of CVE-2021-35464 in ForgeRock AM. Associated malware named in the content includes AveMaria/WarZone, Raccoon Stealer, VIDAR Stealer, RattyRAT, and DragonForce ransomware. The group monetizes access through data theft, extortion, and ransomware. Multiple sources state that Scattered Spider became an affiliate of ALPHV/BlackCat in mid-2023 and initially used stolen-data extortion before deploying ALPHV/BlackCat ransomware on Windows and Linux, with later focus on VMware ESXi. Other reporting identifies Scattered Spider as a notable ransomware affiliate and states that trusted third parties observed deployment of DragonForce ransomware in more recent incidents. The content also notes associations or overlap with broader cybercrime ecosystems including The Com and mentions links or associations in reporting involving RansomHub, DragonForce, and remnants of Lapsus$. Law-enforcement reporting in the content identifies Scattered Spider as a prolific cybercrime group whose members have been arrested and prosecuted. The material specifically names Owen Flowers and Thalha Jubair as key members who pleaded guilty in the United Kingdom over the Transport for London attack, and notes additional U.S. cases involving alleged Scattered Spider members. The content also repeatedly notes the group's reputation for recruiting teenagers.