
I propose an article on Scattered Spider, the name given by a security vendor (CrowdStrike) to a group of cybercriminals that has recently emerged in the cybercrime landscape.
I tried to keep it short, but far too much information gets lost—happy reading.
Scattered Spider is the name given by cybersecurity researchers (notably CrowdStrike) to a recently emerged group in the cybercrime landscape. Active since 2022, this financially motivated collective has quickly become one of the most significant threats of recent years by combining advanced social engineering, authentication bypass techniques, and large-scale ransomware attacks.
In a geopolitical context where hacker groups are no longer confined to one region, Scattered Spider operates primarily out of Western countries and targets organizations worldwide. Its approach highlights a noteworthy technological shift: exploiting digital identities and human weaknesses (such as external IT support, multi-factor authentication, etc.) to infiltrate companies that otherwise have strong security measures. This article presents a detailed analysis of Scattered Spider, covering its history, tactics, and operations, in order to understand how it operates and to inform effective defensive strategies.
Origin and History
Scattered Spider appeared on the radar in 2022. Initial signs of its activity date back to May 2022, when targeted phishing attacks were attributed to this group (also dubbed “Oktapus” in reference to an early campaign that focused on stealing Okta authentication credentials). Over the course of 2022, more than half a dozen incidents linked to Scattered Spider were documented, aimed notably at outsourcing companies operating in the cryptocurrency sector. In December 2022, a major campaign was uncovered targeting telecommunication operators and business process outsourcing (BPO) companies. This indicated early on the group’s interest in exploiting the access of third-party providers as a foothold into larger targets.
In 2023, Scattered Spider intensified its operations and broadened its toolkit. During this period, the group began to systematically employ ransomware to monetize its breaches, thus fully embracing the Ransomware-as-a-Service business model. Several high-profile attacks in late 2023 were attributed to Scattered Spider, affecting prominent organizations such as Transport for London (a major transit agency), the MGM Resorts hotel-casino chain, and Caesars Entertainment. These successful breaches propelled Scattered Spider into notoriety as one of the most feared cyber threats at that time.
The expansion continued in 2024, with the group moving into more traditional sectors. In the UK, the retail giant Marks & Spencer was compromised, suffering an estimated loss of £300 million (approximately €355 million or $380 million) due to stolen data and operational disruption. In the United States and elsewhere, other companies in retail, financial services, and technology were similarly impacted. In parallel, law enforcement managed to identify and apprehend certain suspected members of the group around late 2023 and early 2024; several young individuals based in the UK and the US were arrested. Despite these actions, the collective remained active, indicating a resilient and decentralized structure that could continue its operations even after setbacks.
In 2025, Scattered Spider again diversified its target profile. In June of that year, the group struck the civil aviation sector, breaching internal systems at WestJet (Canada) and Hawaiian Airlines (USA), with a suspected attack on Qantas (Australia) in July. Going after such critical infrastructure demonstrates the group’s growing ambitions: these companies possess highly sensitive data (e.g. customer information and access credentials) and operate systems where continuous uptime is critical. This shift toward aviation highlights Scattered Spider’s willingness to target strategic industries, exploiting the complexity of airline IT environments where security gaps may exist and downtime is extremely costly. As of mid-2025, the group continues to evolve and pose threats, despite increased pressure from authorities and the cybersecurity community.
Tactics, Techniques, and Procedures (TTPs)
Scattered Spider’s modus operandi is characterized by a heavy reliance on social engineering techniques combined with opportunistic use of a wide range of technical tools. The group exploits human weaknesses as much as technological gaps, covering many tactics in the MITRE ATT&CK framework (from reconnaissance and initial access to persistence, lateral movement, data exfiltration, and impact). Key TTPs observed in Scattered Spider operations include:
- Targeted reconnaissance: Prior to an attack, Scattered Spider operators conduct meticulous online information gathering (OSINT) on their victim. They study the target company’s internal structure, the technologies and software it uses (for example, whether an identity provider like Okta is in place), and its third-party vendors. Armed with this knowledge, they craft highly believable, tailored phishing lures that can easily fool even vigilant employees.
- Sophisticated phishing and vishing: To achieve initial access, the group sends employees links to fake login pages almost indistinguishable from the legitimate portals of their organization (for instance, domains like “company-sso.com” or “company-okta.com”). These links are delivered via email, SMS (smishing), or messaging apps. When an unwitting user enters their credentials on the counterfeit site, the attackers promptly follow up with direct phone calls impersonating the company’s IT help desk (vishing). Using caller ID spoofing, they make the call appear genuine, which increases their credibility. During these calls, they manipulate the victim into revealing additional information, approving authentication prompts, or installing remote support software.
- MFA bypass and credential theft: Even when multi-factor authentication is enabled, Scattered Spider has found ways to neutralize it. One of their favored techniques is “push bombing” (MFA fatigue), which involves bombarding the target with repeated authentication approval requests until the person, out of fatigue or confusion, eventually accepts one. The attackers may pose as IT support while this is happening to persuade the user that the MFA prompts are legitimate. In more targeted cases, the group has performed SIM card swapping, hijacking the victim’s mobile number to intercept one-time passcodes sent via SMS.
- Establishing persistence via remote tools: Once an account is compromised, the intruders move quickly to set up a foothold that will be hard to detect or dislodge. Frequently, they trick the victim into installing legitimate remote support software such as AnyDesk, TeamViewer, ScreenConnect, or Pulseway. By abusing trusted tools, they obtain direct remote access to the machine without immediately raising suspicion, and they can return at will. The group also often registers their own devices as new MFA factors on compromised accounts, or even integrates a malicious federated identity provider into the organization’s SSO environment, to ensure they retain access even if passwords are changed.
- Stealing credentials and sensitive data: On compromised machines, Scattered Spider deploys specialized information-stealing malware and credential dumping tools. Identified malware used by the group includes infostealer trojans like Vidar, Meduza, and ULTRAKNOT, as well as remote access trojans like AveMaria to maintain control. The group also leverages well-known post-exploitation utilities such as Mimikatz and secretsdump.py to dump passwords from memory, extract password hashes from Active Directory databases (NTDS.dit), and collect authentication tokens or session cookies. These stolen credentials and authentication artifacts are then used to broaden their access within the victim’s environment.
- Privilege escalation and lateral movement: Armed with user account data, the attackers attempt to obtain higher-level access (administrative or root privileges, cloud admin accounts, etc.). They focus on accounts with elevated privileges (IT administrators, security staff, executives) and exploit internal trust relationships between systems. The group uses standard administration tools and protocols (RDP, SSH, PsExec, VPN clients, Azure/Cloud consoles, etc.) to move laterally through the network. In one notable technique, they have added their own rogue identity provider to a victim’s cloud tenant to surreptitiously grant themselves elevated privileges. Once they control an administrator or similarly privileged account, they gain access to critical parts of the IT environment, including cloud infrastructure (AWS, Azure, SaaS applications used by the company). At this stage they may also disable security mechanisms to prepare for the final stages of the attack.
- Cloud environment exploitation: Scattered Spider is adept at leveraging cloud misconfigurations and native cloud features to advance their attack while staying under the radar. For example, the group has been observed enabling automated inventory services (such as AWS Systems Manager) to map out assets and identify targets for lateral movement within cloud environments. They may copy sensitive data from cloud storage (databases, code repositories, S3 buckets, etc.) to locations under their control. In recent incidents, the attackers systematically searched for access to enterprise Snowflake data warehouses in order to exfiltrate large volumes of data via automated queries in a short time frame.
- Data exfiltration: After locating valuable information (for instance, files on SharePoint, Google Drive/G Suite, internal file shares, backups, or email stores), the group proceeds to extract this data. Exfiltration often involves uploading data to external cloud storage services like MEGA.nz or to attacker-controlled cloud instances (e.g. a private AWS S3 bucket). Scattered Spider also uses tunneling tools (such as Chisel or Plink) to smuggle stolen files out of the victim’s network, sometimes routing through encrypted channels or even exfiltrating via encrypted messaging platforms like Telegram.
- Ransomware deployment and double extortion: In the final phase of the attack, the group aims to maximize profit through extortion. They deploy a ransomware payload across the victim’s critical systems, typically ransomware strains offered as-a-service such as BlackCat/ALPHV, Qilin (aka Agenda), DragonForce, or RansomHub. These strains encrypt data and disrupt operations, locking the organization out of its own systems. At the same time, the attackers leverage the threat of publishing the previously exfiltrated data, executing a double-extortion scheme: the victim is pressured to pay not only to decrypt their files but also to prevent sensitive information from being leaked publicly. This tactic places targeted organizations in a difficult position, increasing the likelihood they will acquiesce to the attackers’ demands.
- Evasion and constant adaptation: To minimize detection, Scattered Spider heavily employs living-off-the-land (LOTL) techniques—using legitimate tools already present in the environment (e.g., PowerShell scripts, built-in Windows utilities, compromised valid accounts) rather than easily flagged malware. The group also uses sophisticated methods to disable or bypass security solutions: for instance, loading a malicious but digitally signed kernel driver (codenamed POORTRY) or even a UEFI bootkit like BlackLotus, which can incapacitate antivirus/EDR tools early in the boot process. The attackers frequently modify their TTPs to avoid known indicators of compromise. They have even been reported to actively spy on the victim’s response efforts: Scattered Spider operatives search through internal communications platforms (email, Slack/Teams chats) for any discussion of the incident, and have covertly joined incident response bridge calls. By understanding how the defenders are reacting, they adapt their own tactics in real time, making it immensely challenging for security teams to contain and eradicate the threat.
Targets and Sectors Affected
Scattered Spider does not confine its attacks to a single industry; on the contrary, it practices opportunistic “big game hunting”, going after large organizations across many sectors. Industries targeted by the group include:
- Telecommunications and technology – This sector was particularly hit in the early stage of the group’s activity, with campaigns against mobile carriers and cloud service or identity providers.
- Retail and financial services – Major retail chains, supermarkets, and financial institutions saw increased targeting once Scattered Spider adopted ransomware as a tactic. The theft of customer data and the disruption of business in these sectors have direct financial consequences, which the group seeks to exploit.
- Other varied sectors – The group does not shy away from any profitable opportunity. Incidents have spanned manufacturing, hospitality (e.g. hotel and casino operators), legal services, healthcare, energy utilities, and even the cryptocurrency ecosystem. This diversity shows that any environment with valuable data or critical operations can become a target.
In terms of victim profile, Scattered Spider mainly targets large enterprises with a global footprint. Victims are often among the most prominent companies in their field (including Fortune 500 corporations), with vast stores of data and operations whose disruption would be highly damaging. By focusing on these “big fish,” the attackers can attempt higher ransom demands and exert maximum pressure.
From a geographical perspective, Scattered Spider’s confirmed attacks have primarily affected organizations in North America (United States, Canada) and Western Europe (notably the United Kingdom, France, Switzerland, Germany, and Italy). However, the group has also struck in the Asia-Pacific region (for example, incidents in Australia, Japan, India, and South Korea) and in South America (Brazil). This international reach — unusual for such a young group — demonstrates its ability to operate globally, unhindered by language or regional barriers.
Multiple highly publicized incidents underscore the breadth of Scattered Spider’s targeting. In addition to the cases already mentioned (MGM Resorts, Marks & Spencer, WestJet, etc.), attacks have been reported against Cloudflare (a major cloud services provider), the delivery platform DoorDash, and well-known British retailers like Harrods and the Co-op supermarket chain. Each of these breaches resulted in sensitive data being compromised or critical services being disrupted, highlighting the serious threat Scattered Spider poses across all sectors.
Attribution and Potential Affiliations
Firmly attributing Scattered Spider’s activities to specific individuals remains challenging, in part due to the group’s very nature. Scattered Spider operates as a loosely organized collective without a clear hierarchy, and its membership appears fluid. Threat intel analysts have likened it to other opportunistic rings like LAPSUS$, which involved extremely young hackers. Indeed, several alleged Scattered Spider members have been apprehended in recent years: investigations in 2023 led to the arrest of young adult suspects (ages 17 to 22) in the United States and the UK, and in 2025 another trio of British teenagers and one Latvian under twenty were detained. These facts suggest the group is primarily composed of very young, English-speaking cybercriminals operating outside the traditional hotbeds of organized cybercrime (unlike, say, a Russian ransomware cartel or a state-sponsored unit).
Different security vendors have tracked this group under various labels, reflecting the difficulty of pinning down its identity. For example, CrowdStrike coined the name Scattered Spider, while Mandiant/Google tracks it as UNC3944. Microsoft assigned it the cluster ID Storm-0875, and other aliases have surfaced (such as Muddled Libra, Octo Tempest, Scatter Swine, or Oktapus for certain phishing waves). Though confusing, these multiple names all refer to the same adversary, recognizable by its techniques.
In terms of criminal affiliations, Scattered Spider appears to be deeply embedded in the ransomware ecosystem. Rather than develop its own ransomware, the group collaborates with existing RaaS (Ransomware-as-a-Service) operations. It has been observed working with the threat actors behind BlackCat/ALPHV, RansomHub, DragonForce, and Qilin/Agenda – corresponding to the ransomware families it deploys in attacks. In practice, Scattered Spider functions as an affiliate: it breaches networks and steals data, then partners with these ransomware franchises to encrypt systems and handle the extortion negotiation. This partnership model shows the group’s opportunism, maximizing its illicit gains by leveraging established criminal platforms without necessarily being subordinate to them.
Finally, recent intelligence suggests Scattered Spider is seeking alliances with other infamous hacker collectives to amplify its impact. In mid-2025, experts reported the emergence of a sort of coalition dubbed “Scattered LAPSUS$ Hunters”, involving members of Scattered Spider alongside the LAPSUS$ group (notorious for brazen hacks in 2022) and actors from ShinyHunters (known for massive data breaches). If confirmed, this unusual collaboration would represent a strategic shift: Scattered Spider would be expanding beyond stealthy, behind-the-scenes intrusions into more public and chaotic extortion campaigns, by tapping into LAPSUS$’ penchant for publicity and ShinyHunters’ data-leak channels. For Scattered Spider, partnering with such groups broadens the reach of its attacks (especially in terms of public exposure and “name-and-shame” pressure on victims) while capitalizing on the complementary skills of those collaborators. It underscores Scattered Spider’s high adaptability and its willingness to reshape itself according to the opportunities present in today’s cybercriminal underground.
Impacts and Consequences
The attacks orchestrated by Scattered Spider have had severe repercussions for targeted organizations. Financially, the costs are often enormous: they include potential ransom payments (some victims have yielded to extortion, paying tens of millions of dollars), business losses from operational downtime, and expenses related to incident response (forensics, system restoration, security improvements, etc.). For example, the 2024 Marks & Spencer breach resulted in direct losses estimated at over €350 million (approximately $380 million). Similarly, the attack on MGM Resorts forced the shutdown of its hotels and casinos for several days, leading to significant revenue loss and a reversion to manual operations.
Beyond the immediate monetary damage, these intrusions cause serious reputational harm to the victim organizations. The public disclosure of sensitive data (for instance, customer information, contracts, or source code) can erode customer trust and business partnerships, and may expose the company to legal penalties or regulatory fines (especially in cases of personal data leaks under laws like GDPR). The critical sectors targeted (transportation, finance, healthcare, etc.) also face potential societal impacts: an attack on an airline or transit operator can disrupt thousands of people and highlight systemic vulnerabilities.
These incidents have also highlighted the difficulty of defense against such a cunning adversary. Scattered Spider’s methods prey on human factors that are hard to completely eliminate (error, misplaced trust) and bypass traditional technical controls. The fact that the group can infiltrate a company’s internal communications and even eavesdrop on incident response efforts adds a layer of complexity, delaying containment and increasing the operational stress on security teams. Every additional day of disruption compounds the economic harm and the pressure on the victim to consider paying the ransom.
On a global scale, Scattered Spider’s campaign has served as a wake-up call for the cybersecurity community. It demonstrated that a small band of determined hackers – armed primarily with phones and social savvy – could defeat the defenses of multinational companies with substantial security investments. This realization has prompted many organizations to urgently reassess their procedures (for example, strengthening authentication or helpdesk verification protocols) and has driven authorities to enhance international cooperation in pursuing these criminals. In summary, the consequences of Scattered Spider’s actions are measured not only in direct damages, but also in long-term changes to security practices and a heightened vigilance against social engineering-driven attacks.
Responses and Countermeasures
The severity of Scattered Spider’s campaigns has spurred both private organizations and government agencies to bolster their defenses. Based on analyses and published recommendations (notably from CISA, the UK’s NCSC, and security researchers), several measures are advised to counter this kind of threat:
- Strengthen helpdesk and support verification processes: Procedures for password resets or MFA re-enrollment should include strict identity verification steps. For example, require supervisor approval or a callback to a user’s known phone number before making critical account changes. Train IT support staff to recognize social engineering red flags (e.g. unusual urgency, off-script requests, suspicious caller details) and establish internal verification codes or callbacks for authentic support communications. These steps can thwart attackers impersonating employees via social engineering aimed at helpdesk personnel.
- Implement phishing-resistant multi-factor authentication: It is recommended to replace vulnerable MFA methods (like basic push notifications or SMS codes) with solutions that are resilient to phishing. Utilizing hardware security keys compliant with FIDO2/WebAuthn, or employing app-based MFA with number matching, makes it nearly impossible for attackers to hijack or brute-force the second factor. All critical services (VPNs, email, cloud consoles, etc.) should enforce this hardened MFA. In parallel, educate users about MFA fatigue attacks and encourage them to report any barrage of unexpected login prompts rather than approve them, to guard against push bombing.
- Limit and monitor remote access tools: Given that Scattered Spider often abuses legitimate remote desktop software, organizations should institute an allowlist policy for remote access applications. Maintain an inventory of approved remote support tools and block execution or installation of unapproved ones by default. Regularly review execution logs to spot any unusual use of remote access programs (for instance, a remote support executable launching from a temp directory). It’s also advisable to restrict RDP/VPN access to only what is necessary: close unused RDP ports, enforce MFA for remote logins, set time-of-day access restrictions if feasible, and monitor for failed login attempts — all to reduce the RDP attack surface.
- Enhance account and access monitoring: Defenders should set up alerts for signs of suspicious account activity. For example, detect “risky sign-ins” (login attempts flagged for unusual patterns, new device registrations for MFA, or creation of new admin accounts). Pay special attention to high-privilege accounts and to access by external vendors (which Scattered Spider has exploited in the past). Endpoint detection and response (EDR) tools and network monitoring can help identify anomalies indicative of lateral movement or data exfiltration (e.g. atypical internal file transfers or large uploads to external sites).
- Bolster overall security hygiene and resilience: Fundamental best practices remain crucial to limiting the impact of a breach. Key steps include:
  - Keeping systems and software updated – apply patches promptly, prioritizing fixes for any known exploited vulnerabilities.
  - Segmenting networks – partition your network so that compromise of one segment (user workstations, for example) does not immediately grant access to critical servers or backups. This hampers an attacker’s ability to move freely and can contain the damage.
  - Regularly backing up critical data – maintain offline, encrypted backups and routinely test your ability to restore from them. Immutable backups stored separately ensure that even if systems are encrypted by ransomware, operations can be recovered.
  - Enforcing strong password policies – require long, unique passwords or passphrases, ideally managed via a secure password manager. Avoid frequent forced password changes (which can lead to users choosing predictable patterns) and disable unused accounts to reduce potential entry points.
  - Training and drilling your teams – continue to educate employees about phishing/vishing tactics. Conduct periodic simulations (e.g. red team exercises or tabletop drills) that mirror Scattered Spider–style scenarios (helpdesk impersonation, Active Directory takeover, etc.) to test your organization’s response and improve your incident plans.
- Cooperate with authorities and share intelligence: Given Scattered Spider’s international footprint, collaboration is key. Victim organizations are encouraged to promptly report incidents to relevant authorities (such as national CERTs, the FBI or CISA in the U.S.) and to share indicators of compromise (IP addresses, phishing domains, malware hashes) through trusted channels. This collective approach aids in tracking the adversaries, warning other potential targets, and enriching the overall intelligence on their tactics. Up-to-date advisories (for instance, CISA’s alert AA23-320A) provide defenders with a detailed mapping of Scattered Spider’s methods and specific mitigations, which should be regularly consulted and implemented.
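As an added example (not from the article or from any of its sources), the helpdesk verification steps described above, expressed as a policy check that a ticketing workflow could call before a technician performs a password reset or MFA re-enrollment. Field names, group names and phone numbers are constructed. The rule being enforced is the one that defeats helpdesk impersonation: the callback goes to the number already on record, never to one the caller supplies, and privileged accounts additionally need the manager on record to approve.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed placeholders for whatever your directory treats as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators", "Helpdesk Operators"}


@dataclass
class DirectoryRecord:
    """What the help desk already knows about the user, independent of the caller."""
    username: str
    phone_of_record: str                    # from HR / the directory, never from the caller
    manager: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class ResetRequest:
    """What actually happened on the support ticket (constructed field names)."""
    username: str
    callback_number_used: Optional[str]     # number the technician dialled, None if no callback
    callback_code_confirmed: bool           # one-time code sent out of band and read back on the callback
    supervisor_approver: Optional[str]      # who signed off on the change, if anyone
    caller_offered_new_number: bool         # caller asked to be called back on a number not on record
    caller_claimed_urgency: bool            # pressure such as "I'm locked out and my director is waiting"


def evaluate_reset(req: ResetRequest, record: DirectoryRecord) -> Dict[str, object]:
    """Return whether the reset may proceed, plus blocking reasons and non-blocking red flags."""
    blocking: List[str] = []
    red_flags: List[str] = []

    # Identity is proven over a channel the caller does not control: the number on record.
    if req.callback_number_used is None:
        blocking.append("no callback performed")
    elif req.callback_number_used != record.phone_of_record:
        blocking.append("callback went to a number that is not the one on record")
    if not req.callback_code_confirmed:
        blocking.append("verification code was not confirmed on the callback")

    # Privileged accounts need a second person, and it must be the manager on record.
    if record.groups & PRIVILEGED_GROUPS and req.supervisor_approver != record.manager:
        blocking.append("privileged account: approval from the manager on record is missing")

    # Red flags do not block on their own but are recorded on the ticket for review.
    if req.caller_offered_new_number:
        red_flags.append("caller tried to redirect the callback to a different number")
    if req.caller_claimed_urgency:
        red_flags.append("caller pressed for urgency")

    return {"approved": not blocking, "blocking": blocking, "red_flags": red_flags}


def demo() -> Dict[str, Dict[str, object]]:
    """Three constructed tickets: a genuine request, a social-engineering attempt, and a privileged reset without manager sign-off."""
    jdoe = DirectoryRecord("jdoe", "+1-555-0100", manager="mlee", groups={"Finance"})
    ops_admin = DirectoryRecord("ops-admin", "+1-555-0199", manager="ciso", groups={"Domain Admins"})
    legit = ResetRequest("jdoe", "+1-555-0100", True, None, False, False)
    # The caller supplied a "new mobile number" and the technician called that instead of the record.
    social = ResetRequest("jdoe", "+1-555-0142", True, None, True, True)
    admin_no_approval = ResetRequest("ops-admin", "+1-555-0199", True, "teammate", False, False)
    return {
        "legit": evaluate_reset(legit, jdoe),
        "social_engineering": evaluate_reset(social, jdoe),
        "admin": evaluate_reset(admin_no_approval, ops_admin),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The red flags are kept separate from the blocking conditions on purpose: urgency and a request to use a different number are exactly what a legitimate but stressed employee might also do, so they should raise the technician's attention rather than decide the outcome by themselves.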
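To show why the FIDO2/WebAuthn keys recommended above resist the look-alike login portals described in the TTP section, here is an added simulation of the relying-party checks. It is not code from the article or from any FIDO implementation: an HMAC key derived from the RP ID stands in for the per-credential key pair, so credential scoping behaves as it does on a real security key while the signature algorithm does not, and the domains sso.example.com (genuine portal) and sso-example.com (look-alike) are assumed.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Set, Tuple


class ToyAuthenticator:
    """Constructed stand-in for a roaming security key (HMAC instead of an EC key pair)."""

    def __init__(self, device_seed: bytes):
        self._seed = device_seed

    def _key_for(self, rp_id: str) -> bytes:
        # Credentials are scoped to the RP ID: a look-alike domain yields a different key.
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # What the relying party stores at enrolment (a public key in real WebAuthn).
        return self._key_for(rp_id)

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> Dict[str, bytes]:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()   # authenticatorData carries rpIdHash
        signed = rp_id_hash + hashlib.sha256(client_data_json).digest()
        signature = hmac.new(self._key_for(rp_id), signed, hashlib.sha256).digest()
        return {"authenticatorData": rp_id_hash, "clientDataJSON": client_data_json, "signature": signature}


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the page's JavaScript, writes the origin it is really connected to.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}).encode()


def rp_verify(rp_id: str, allowed_origins: Set[str], challenge: bytes,
              stored_key: bytes, assertion: Dict[str, bytes]) -> Tuple[bool, str]:
    """Relying-party verification, in the order the WebAuthn ceremony checks things (simplified)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if client_data.get("origin") not in allowed_origins:
        return False, "origin not allowed: %s" % client_data.get("origin")
    if assertion["authenticatorData"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    key = ToyAuthenticator(os.urandom(32))
    rp_id, allowed = "sso.example.com", {"https://sso.example.com"}   # assumed names
    stored = key.register(rp_id)
    results: Dict[str, Tuple[bool, str]] = {}

    # 1. Genuine login on the real portal.
    c1 = os.urandom(16)
    genuine = key.get_assertion(rp_id, browser_client_data("https://sso.example.com", c1))
    results["legit"] = rp_verify(rp_id, allowed, c1, stored, genuine)

    # 2. A look-alike page relays the real portal's challenge in real time.  The browser
    #    derives the RP ID from the page's actual domain, so the key answers for the wrong RP.
    c2 = os.urandom(16)
    relayed = key.get_assertion("sso-example.com", browser_client_data("https://sso-example.com", c2))
    results["relay"] = rp_verify(rp_id, allowed, c2, stored, relayed)

    # 3. The relaying page rewrites clientDataJSON to claim the genuine origin.  The signature
    #    covers the hash of clientDataJSON, so the edit is detected.
    forged = dict(relayed)
    forged["clientDataJSON"] = browser_client_data("https://sso.example.com", c2)
    forged["authenticatorData"] = hashlib.sha256(rp_id.encode()).digest()
    results["forged"] = rp_verify(rp_id, allowed, c2, stored, forged)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print("%-7s accepted=%s (%s)" % (name, ok, why))
```

The contrast with a push prompt or SMS code is the point: those factors carry no information about where the user typed them, so a relayed one verifies fine, whereas here two independent checks (origin and rpIdHash, both under the signature) fail for the look-alike domain.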
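The remote-access allowlist and execution-log review described above, as an added example that is not part of the original article: a scan over constructed process-creation events (JSON lines with host, user, image and parent fields) that flags remote support tools missing from the allowlist and any such tool launched from a user-writable directory such as a temp folder. The executable names and the approved install path are placeholders to be replaced from your own inventory; in practice key the list on the product and signer metadata your EDR records, because a renamed binary defeats plain file-name matching.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Remote support products named in the article, keyed by an illustrative executable name
# (placeholders: build the real list from your inventory / EDR product metadata).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.client.exe": "ScreenConnect",
    "pulseway.exe": "Pulseway",
}

# Allowlist: the one product this (constructed) organization sanctions, and where it must live.
APPROVED_INSTALL_DIRS = {
    "ScreenConnect": ["c:\\program files (x86)\\screenconnect client"],
}

# Path fragments typical of a binary dropped by a user (or by a caller "helping" them).
USER_WRITABLE_MARKERS = ["\\temp\\", "\\downloads\\", "\\users\\public\\"]


def evaluate(event: Dict) -> Optional[Dict]:
    """Return an alert for one process-creation event, or None if nothing is wrong."""
    image = event["image"]
    path = PureWindowsPath(image)
    product = REMOTE_ACCESS_TOOLS.get(path.name.lower())
    if product is None:
        return None                                   # not a remote-access tool we track

    parent_dir = str(path.parent).lower()
    reasons: List[str] = []
    severity = "medium"

    approved_dirs = APPROVED_INSTALL_DIRS.get(product)
    if approved_dirs is None:
        reasons.append("%s is not on the remote-access allowlist" % product)
    elif not any(parent_dir.startswith(d) for d in approved_dirs):
        reasons.append("%s is approved but ran from an unexpected location" % product)

    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable launched from a user-writable directory")
        severity = "high"

    if not reasons:
        return None
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "image": image, "parent": event.get("parent"), "severity": severity, "reasons": reasons}


def scan(lines: List[str]) -> List[Dict]:
    """Run evaluate() over JSON-lines input and keep only the alerts."""
    return [a for a in (evaluate(json.loads(line)) for line in lines if line.strip()) if a]


# Constructed sample log: one sanctioned install, one dropped into a temp folder, one
# unsanctioned product in its normal install path, one unrelated process, and one
# sanctioned product running from a public downloads folder.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T14:02:11Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.Client.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"ts": "2025-06-10T14:05:40Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-06-10T14:07:02Z", "host": "WS-0077", "user": "CORP\\asmith",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-06-10T14:07:30Z", "host": "WS-0077", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-06-10T14:09:15Z", "host": "WS-0301", "user": "CORP\\rkim",
     "image": r"C:\Users\Public\Downloads\ScreenConnect.Client.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["host"], alert["image"], "; ".join(alert["reasons"]))
```

A sanctioned product showing up outside its install directory is treated as seriously as an unsanctioned one, since a caller walking a user through "just download this support client" produces exactly that pattern.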
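An added detector (not from the article or its sources) over a constructed identity-provider event stream, covering three of the signals named in the monitoring recommendation above and in the TTP section: a burst of MFA push prompts followed by an approval (push bombing), a new MFA factor enrolled shortly after a help-desk password reset or from an IP address never seen on a successful sign-in, and any admin-role grant or federated identity provider addition. Event names, thresholds, usernames and IP addresses are assumptions; map them to your own provider's log schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

PUSH_BURST_COUNT = 5                        # prompts within the window before we call it a burst
PUSH_BURST_WINDOW = timedelta(minutes=10)
RESET_TO_ENROL_WINDOW = timedelta(minutes=60)
PRIVILEGED_CHANGES = {"admin.role.granted", "idp.federation.added"}   # always worth a ticket


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(lines: List[str]) -> List[Dict]:
    """Single pass over JSON-lines identity events, in timestamp order; returns alerts."""
    events = sorted((json.loads(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    alerts: List[Dict] = []
    pushes: Dict[str, Deque[datetime]] = defaultdict(deque)   # recent push prompts per user
    in_burst: Set[str] = set()                                # users currently in a burst
    last_helpdesk_reset: Dict[str, datetime] = {}             # resets performed by someone else
    known_ips: Dict[str, Set[str]] = defaultdict(set)         # IPs seen on successful sign-ins

    for e in events:
        t, user, kind = _ts(e["ts"]), e["user"], e["event"]

        if kind == "session.login.success":
            known_ips[user].add(e["ip"])

        elif kind == "mfa.push.sent":
            window = pushes[user]
            window.append(t)
            while t - window[0] > PUSH_BURST_WINDOW:       # drop prompts older than the window
                window.popleft()
            if len(window) >= PUSH_BURST_COUNT and user not in in_burst:
                in_burst.add(user)
                alerts.append({"rule": "push_burst", "user": user, "ts": e["ts"], "severity": "medium",
                               "detail": "%d push prompts within %s" % (len(window), PUSH_BURST_WINDOW)})

        elif kind == "mfa.push.approved" and user in in_burst:
            # The approval that follows a barrage is the moment the account is actually lost.
            alerts.append({"rule": "push_burst_approved", "user": user, "ts": e["ts"], "severity": "high",
                           "detail": "push approved from %s after a prompt burst" % e.get("ip")})

        elif kind == "user.password.reset" and e.get("actor") != user:
            last_helpdesk_reset[user] = t

        elif kind == "mfa.factor.enrolled":
            reasons: List[str] = []
            reset_at = last_helpdesk_reset.get(user)
            if reset_at is not None and t - reset_at <= RESET_TO_ENROL_WINDOW:
                reasons.append("factor enrolled within %s of a help-desk password reset" % RESET_TO_ENROL_WINDOW)
            if e.get("ip") not in known_ips[user]:
                reasons.append("enrolment from an IP never seen on a successful sign-in")
            if reasons:
                alerts.append({"rule": "suspicious_factor_enrolment", "user": user, "ts": e["ts"],
                               "severity": "high", "reasons": reasons})

        if kind in PRIVILEGED_CHANGES:
            alerts.append({"rule": "privileged_change", "user": user, "ts": e["ts"], "severity": "high",
                           "detail": "%s by %s" % (kind, e.get("actor"))})
    return alerts


# Constructed sample: jdoe is the targeted account, asmith is ordinary traffic.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T08:00:00Z", "user": "jdoe", "event": "session.login.success", "ip": "203.0.113.10"},
    {"ts": "2025-06-10T10:00:00Z", "user": "jdoe", "event": "user.password.reset", "actor": "helpdesk.tech1", "ip": "198.51.100.5"},
    {"ts": "2025-06-10T10:12:00Z", "user": "jdoe", "event": "mfa.factor.enrolled", "ip": "192.0.2.77"},
    {"ts": "2025-06-10T10:13:00Z", "user": "asmith", "event": "mfa.push.sent", "ip": "203.0.113.25"},
    {"ts": "2025-06-10T10:13:05Z", "user": "asmith", "event": "mfa.push.approved", "ip": "203.0.113.25"},
    {"ts": "2025-06-10T10:14:00Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "192.0.2.77"},
    {"ts": "2025-06-10T10:14:30Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "192.0.2.77"},
    {"ts": "2025-06-10T10:15:00Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "192.0.2.77"},
    {"ts": "2025-06-10T10:15:30Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "192.0.2.77"},
    {"ts": "2025-06-10T10:16:00Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "192.0.2.77"},
    {"ts": "2025-06-10T10:16:20Z", "user": "jdoe", "event": "mfa.push.approved", "ip": "192.0.2.77"},
    {"ts": "2025-06-10T10:40:00Z", "user": "jdoe", "event": "admin.role.granted", "actor": "jdoe", "role": "Global Administrator"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["severity"].upper(), alert["rule"], alert.get("detail") or alert.get("reasons"))
```

Read together, the four alerts for jdoe tell the story from the TTP section in order: a help-desk reset, a factor registered from an unfamiliar address, a push barrage ending in an approval, and finally a privilege grant. Correlating them on the user rather than alerting on each in isolation is what turns the noise into a case.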
Conclusion
The case of Scattered Spider exemplifies the evolution of modern cybercrime. In just a few years, this group has managed to disrupt the threat landscape, proving that social ingenuity coupled with technical know-how can circumvent even well-fortified security infrastructures. It reminds cybersecurity leaders that protecting an organization cannot rely solely on firewalls and malware detection—people have become the primary targets, and internal processes (like IT support and identity management) need as much hardening as the systems themselves.
Deeply understanding Scattered Spider’s modus operandi is crucial to anticipating the next attacks of this type. Each tactic employed—from phone-based impersonation to cloud exploitation—highlights areas of weakness that defenders must address and sheds light on blind spots in our defensive strategies. Because this group is particularly agile and unpredictable, it forces defenders to adopt a proactive stance: continuously monitoring for indicators of compromise and regularly stress-testing their organization’s resilience against realistic attack scenarios.
Scattered Spider remains active despite arrests, indicating that it relies on an informal hacker community capable of regrouping and adapting. It is likely that this group (or copycats inspired by it) will continue refining techniques or adopting new ones in the future—perhaps by exploiting other human-factor gaps or leveraging emerging technologies to stay undetected. Ongoing academic research and threat intelligence monitoring are essential to keep pace with these developments: they enable the security field to devise innovative solutions, whether that means more reliable authentication systems, AI-driven anomaly detection, or better methods to train users to recognize deception.
Ultimately, Scattered Spider is a formidable adversary but also a source of lessons. The attention it has garnered—from specialized blogs to official security advisories—underscores the importance of sharing knowledge and experience in the face of a common threat. By learning from each incident and collectively strengthening our defenses, the cybersecurity community can reduce the impact of such attacks. The fight is asymmetrical, but by staying informed, agile, and united, defenders can counter even the most sophisticated campaigns orchestrated by groups like Scattered Spider.
Sources
Varonis Blog: https://www.varonis.com/fr/blog/scattered-spider
Sysdream Blog: https://sysdream.com/blog/rapport-scattered-spider/
CISA (AA23-320A): https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
Vectra Threat Actors (Scattered Spider): https://fr.vectra.ai/modern-attack/threat-actors/scattered-spider