Scattered Spider
Scattered Spider, tracked by cybersecurity analysts as UNC3944 and also known by aliases such as Octo Tempest and Storm-0875, is a financially motivated cybercriminal group that employs sophisticated social engineering to target large organizations, particularly their IT help desks and contracted support vendors.[1] The group, active since at least 2022, focuses on English-speaking countries including the United States, United Kingdom, Canada, and Australia, with victims spanning sectors like retail, hospitality, technology, and financial services.[2] Its operations emphasize initial access via voice phishing (vishing), SMS phishing, and multi-factor authentication (MFA) fatigue attacks, often impersonating legitimate support personnel to trick employees into resetting credentials or granting remote access.[1] Once inside networks, Scattered Spider actors leverage living-off-the-land techniques—using built-in system tools like PowerShell and legitimate remote access software such as TeamViewer—and escalate privileges to exfiltrate sensitive data, including personally identifiable information (PII) and financial records, which they host on platforms like MEGA.nz or Amazon S3 for extortion purposes.[1] The group frequently deploys ransomware variants, including DragonForce and affiliates of ALPHV/BlackCat, to encrypt systems and demand payments, though their primary revenue stems from data leaks on extortion sites rather than consistent ransom recoveries.[2] Notable incidents include disruptions to hospitality giants, contributing to operational outages and estimated losses exceeding $100 million in a single case, alongside a surge in retail targets representing up to 11% of data leak victims in 2025.[3] Despite law enforcement disruptions and arrests of suspected members—many of whom are young English-speaking individuals—the group demonstrates resilience through transient affiliations with ransomware networks like RansomHub and adaptation to new tactics, such as targeting software-as-a-service (SaaS) applications and hybrid environments.[2] Cybersecurity advisories from agencies like the FBI and CISA highlight Scattered Spider's expertise in bypassing traditional defenses, underscoring the need for enhanced identity verification and phishing-resistant authentication to mitigate their persistent threat to critical infrastructure.[1]
Group Identification
Names and Designations
Scattered Spider is the principal name for this cybercrime group, originating from tracking by cybersecurity firm CrowdStrike, which identified the actors' dispersed operations resembling a web spun across multiple locations.[4] The designation reflects the group's use of English-speaking operatives, often young adults from the United States and United Kingdom, conducting financially motivated intrusions.[1] Mandiant has designated the group as UNC3944, a tracking identifier assigned to cyber threat actors based on observed tactics, techniques, and procedures (TTPs) in intrusions targeting critical infrastructure and enterprises.[2] Other cybersecurity firms employ distinct labels, including Octo Tempest by the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3), which highlights the group's ransomware affiliations and social engineering focus.[5] Palo Alto Networks' Unit 42 uses Muddled Libra to denote the actors' chaotic yet persistent extortion campaigns.[6] Aliases linked to specific operations include 0ktapus (or Roasted 0ktapus), derived from a 2022 phishing campaign impersonating Okta authentication services to steal credentials from multiple organizations.[7] Starfraud appears in self-referential communications, such as extortion demands, and has been corroborated by firms like SentinelOne and Microsoft (as Storm-0971 or DEV-0971).[8][9] Additional operational monikers, such as Scatter Swine, have surfaced in threat intelligence reports tracking the group's evolution toward ransomware deployment with affiliates like ALPHV/BlackCat.[10] These designations underscore the group's adaptability, with overlaps confirmed across federal advisories from the FBI and CISA, which prioritize the Scattered Spider label for inter-agency coordination.[6][1]
Organizational Structure and Demographics
Scattered Spider functions as a decentralized, loose-knit collective rather than a rigidly hierarchical organization, with operations coordinated by a small core of 2-4 senior operators who drive targeting and execution.[11][12] This structure leverages external affiliates for initial access brokering, ransomware deployment, and extortion negotiations, allowing flexibility and rapid adaptation despite law enforcement disruptions.[11] The group recruits and collaborates via online hacker forums, forming ad-hoc teams for specific intrusions while maintaining anonymity through compartmentalized roles.[13] Demographically, Scattered Spider comprises primarily English-speaking young males based in the United States and United Kingdom, with members often in their teens or early twenties.[12][13] Some participants are reported as young as 16, reflecting a youth-driven composition motivated by financial gain through extortion and data theft.[13] Arrests underscore this profile: in 2024, U.S. authorities charged five members, including individuals linked to over 120 breaches, while UK police detained four suspects, among them 19-year-old British national Thalha Jubair accused of extensive intrusions yielding $115 million in ransoms.[14][15] These actions have temporarily reduced activity but highlight the group's reliance on replaceable, geographically dispersed young operatives.[12]
Historical Development
Early Formation and Activities (Pre-2023)
Scattered Spider, a cybercriminal collective tracked by cybersecurity firm Mandiant as UNC3944, first exhibited notable activity in late 2021 through mid-2022, primarily through the deployment of phishing kits like EIGHTBAIT to enable SMS-based phishing (smishing) campaigns.[16] These initial efforts targeted employees at telecommunication providers and business process outsourcing (BPO) firms, leveraging stolen credentials to conduct SIM swapping attacks that hijacked victims' mobile numbers for unauthorized account access.[16][2] The group's early tactics emphasized social engineering over technical exploits, with actors impersonating IT help desk personnel via phone calls to solicit password resets or bypass multi-factor authentication (MFA) prompts.[16] Phishing pages hosted on compromised or attacker-controlled domains forwarded captured credentials to Telegram channels, facilitating rapid SIM porting requests to mobile carriers.[16] This approach supported secondary crimes such as cryptocurrency wallet drains and personal data extortion, though direct ransomware deployment remained absent in this phase.[2] Primarily comprising young, English-speaking operatives based in the United States and United Kingdom, the loose-knit group coordinated via online forums and used commercial residential IP proxies to mask operations during reconnaissance and execution.[17] Their focus on telecom infrastructure reflected a foundational reliance on human-targeted intrusions, yielding initial successes in evading detection through low-volume, personalized attacks rather than mass malware distribution.[16] By late 2022, these activities had infiltrated multiple organizations, setting the stage for tactical evolution while maintaining a pattern of data exfiltration for leverage in negotiations.[2]
Rise to Prominence (2022-2023)
Scattered Spider, tracked as UNC3944 by Mandiant, began gaining traction in 2022 through sophisticated phishing campaigns targeting telecommunications and business process outsourcing (BPO) firms to facilitate SIM swapping and credential theft.[16][1] The group, linked to the 0ktapus operation, deployed phishing kits mimicking legitimate authentication pages from providers like Okta, compromising over 130 organizations including Twilio (targeted twice), DoorDash, and Signal, primarily to harvest employee credentials for further intrusions.[18][19] These efforts emphasized social engineering over traditional exploits, enabling initial access via SMS phishing (smishing) and vishing to bypass multi-factor authentication (MFA) through tactics like push bombing and help desk manipulation.[16] By mid-2023, Scattered Spider escalated from data theft to ransomware deployment and extortion, introducing new phishing kits and targeting broader sectors such as hospitality and retail.[16] The group's tactics evolved to include creating rogue virtual machines in victim cloud environments for persistence, using tools like AnyDesk and PowerShell for lateral movement, and exfiltrating data to services like MEGA.nz before encrypting systems with affiliates' ransomware strains.[1] This shift marked a departure from pure credential harvesting, amplifying their operational impact and visibility within underground forums like Telegram.[16] Prominence peaked in September 2023 with near-simultaneous breaches of major Las Vegas casinos Caesars Entertainment and MGM Resorts International, attributed to social engineering attacks on IT help desks.[20][21] On or around September 7, attackers compromised Caesars via a third-party vendor, leading to data exfiltration and a $15 million ransom payment out of a $30 million demand.[22] MGM faced disruption starting September 11, with systems outages affecting slots, reservations, and operations for over a week, as Scattered Spider claimed responsibility and issued extortion demands without immediate ransomware deployment.[20][22] These incidents, disrupting high-profile businesses and drawing regulatory scrutiny, solidified the group's reputation as a persistent threat reliant on human-targeted intrusions rather than zero-day vulnerabilities.[1][23]
Operational Tactics
Social Engineering and Phishing
Scattered Spider primarily relies on social engineering rather than zero-day exploits or advanced technical vulnerabilities for initial access, targeting human elements in IT help desks and employee authentication processes.[1] The group employs vishing—spearphishing via voice calls—to impersonate legitimate employees or executives, often using publicly available personal details from sources like LinkedIn to build convincing narratives when contacting help desks for password resets or multifactor authentication (MFA) token approvals.[24] These calls frequently involve multiple attempts to probe and learn an organization's specific reset procedures before executing the primary breach.[1] In phishing operations, Scattered Spider deploys smishing campaigns via SMS messages containing links to organization-specific fake domains, such as "targetsname-helpdesk[.]com," designed to harvest credentials.[1] They utilize phishing frameworks like Evilginx to create proxy sites that mimic legitimate login portals, capturing both credentials and session cookies to bypass MFA protections.[25] Domain impersonation tactics include typosquatting (e.g., "c0mpany[.]com") and subdomain spoofing (e.g., "SSO.company[.]com") to evade detection, with over 80% of such domains mimicking technology vendors to target single sign-on (SSO), VPN, and IT support systems.[25] To overcome MFA barriers, actors conduct push bombing by flooding victims with repeated authentication prompts, exploiting user fatigue to elicit approvals, or perform SIM swaps by socially engineering cellular carriers to port victims' phone numbers to attacker-controlled SIMs, thereby intercepting SMS-based codes.[1][24] These methods enable rapid credential acquisition, often supplemented by purchasing initial access from illicit markets, and are executed by English-fluent operators with minimal accents to enhance credibility against Western targets in sectors like technology, finance, and retail.[25][3]
Technical Exploitation Techniques
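The look-alike domain patterns described in the Social Engineering and Phishing section above (typosquats such as c0mpany[.]com, the brand placed in a subdomain, and brand-plus-helpdesk names such as targetsname-helpdesk[.]com) can be triaged automatically from newly registered or newly observed domains. The script below is an added example for this article, not code from the original text or from any vendor; the brand label "company", the owned-domain list and the candidate domains are constructed for the demonstration, and the naive split into registrable label and subdomains would be replaced by a public-suffix-list library in production.

```python
"""Look-alike domain triage for help-desk phishing lures.

Added example, not code from the original article. It checks observed or
newly registered domains against an organisation's brand for three
impersonation patterns: homoglyph/one-edit typosquats, the brand hidden in a
subdomain of someone else's domain, and the brand fused with an IT-support or
SSO token. Brand, owned domains and sample input are constructed.
"""

# Digit-for-letter and letter-pair substitutions common in typosquats.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Tokens that make a look-alike read as an IT, VPN or SSO portal.
LURE_TOKENS = ("helpdesk", "help-desk", "it-support", "support", "sso",
               "okta", "vpn", "login", "mfa")

BRAND = "company"                        # constructed brand label
OWNED = ("company.com", "company.net")   # constructed list of legitimately owned domains


def normalise(label: str) -> str:
    """Undo common homoglyph substitutions (heuristic; can mangle legit words)."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND, owned=OWNED):
    """Return the impersonation pattern matched by `domain`, or None."""
    d = domain.replace("[.]", ".").lower().rstrip(".")   # accept defanged input
    if any(d == o or d.endswith("." + o) for o in owned):
        return None                                       # legitimately owned
    labels = d.split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]     # naive eTLD+1 label; use a PSL library in production
    subdomains = labels[:-2]

    # Pattern 1: brand hidden in a subdomain of someone else's domain.
    if any(normalise(s) == brand for s in subdomains):
        return "brand_in_subdomain"
    # Pattern 2: brand fused with a support/SSO token, e.g. company-helpdesk.
    norm = normalise(registrable)
    if brand in norm and any(tok in norm for tok in LURE_TOKENS):
        return "brand_lure_token"
    # Pattern 3: homoglyph or one-edit typosquat of the brand itself.
    if norm == brand or levenshtein(registrable, brand) == 1:
        return "typosquat"
    return None


def triage(domains):
    """Map each flagged domain to its pattern; unflagged domains are omitted."""
    return {d: p for d in domains if (p := classify(d)) is not None}


# Constructed sample of candidate domains (not real indicators).
SAMPLE = [
    "c0mpany[.]com", "compny[.]com", "company-helpdesk[.]com", "companysso[.]net",
    "sso.company.login-portal[.]net", "sso.company[.]com", "example[.]org",
]

if __name__ == "__main__":
    for dom, pattern in triage(SAMPLE).items():
        print(f"{pattern:20s} {dom}")
```

Feeding certificate-transparency or passive-DNS feeds through `triage` gives a daily list of candidate lures to block at the mail and web proxy and to register on the help desk's "do not trust" list before the first call comes in; the owned-domain check is what keeps the organisation's real `sso.company.com` out of the results.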
Scattered Spider actors frequently leverage legitimate remote monitoring and management (RMM) tools such as TeamViewer, AnyDesk, Splashtop, ScreenConnect, Ngrok, Tailscale, Pulseway, Fleetdeck.io, and Tactical.RMM for post-compromise persistence and command-and-control (C2) operations, often deploying these via user-directed installation or stolen administrative access.[1][24] These tools enable remote execution without deploying custom malware, aligning with living-off-the-land (LOTL) binaries to minimize detection.[26][27] For credential access, the group employs Mimikatz to dump credentials from memory and LSASS processes, alongside infostealers like Raccoon Stealer and VIDAR for harvesting browser-stored data and tokens.[1][28] They also target privileged credential managers such as CyberArk and Thycotic Secret Server using custom PowerShell scripts like SecretServerSecretStealer to extract vaulted secrets, and psPAS for CyberArk enumeration.[27][28] In cloud environments, actors abuse AWS IAM profiles via API calls (T1526) and session managers for lateral movement, while registering stolen multifactor authentication (MFA) tokens for sustained access.[24][1] Lateral movement relies on native protocols including RDP (T1021), PsExec over SMB (T1569.002), SSH, and LDAP/SAMR requests, supplemented by tools like Remmina for remote desktop and IMPACKET for protocol abuse.[26][24][27] Privilege escalation involves modifying single sign-on (SSO) tenants to federate with attacker-controlled identity providers, self-assigning compromised Okta accounts to applications, or deploying PCUnlocker ISO images to reset local admin passwords.[28][1] Discovery phases feature Active Directory enumeration with ADRecon, SharePoint searches for VPN/VDI documentation, and Microsoft 365 Delve for data source mapping.[28][1] Defense evasion incorporates bring-your-own-vulnerable-driver (BYOVD) techniques, such as STONESTOP and POORTRY to disable endpoint detection and response (EDR) agents, alongside registry deletions to suppress antivirus alerts and proxy chaining via Ngrok or Teleport for obfuscated C2.[24][27] Rare zero-day or unpatched exploits include CVE-2021-35464 in ForgeRock Access Management for authentication bypass and CVE-2015-2291 in Intel drivers for kernel access, though the group predominantly favors credential-based over vulnerability exploitation.[24] Data exfiltration occurs via services like MEGA.nz, Amazon S3 buckets, or extract-transform-load (ETL) tools such as Airbyte and Fivetran for staging and syncing large datasets from SaaS platforms like Salesforce or Snowflake.[1][28] For impact, actors deploy ransomware variants including ALPHV/BlackCat, DragonForce, and RansomHub, often encrypting VMware ESXi hypervisors via SSH-transferred Python scripts or targeting vCenter for widespread disruption.[1][27][26] These methods emphasize operational efficiency, with observed adaptations in 2024-2025 toward SaaS-specific reconnaissance and cloud-native persistence.[28][24]
Ransomware Deployment and Extortion
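Because the tradecraft above leans on legitimate RMM binaries, LSASS credential dumping and PsExec rather than custom malware, host telemetry is the practical place to catch it. The rules below are an added example written for this article, not code from the original text or from any EDR vendor: they run over Sysmon-style process-creation (EventID 1) and process-access (EventID 10) events that are constructed inline, and the approved-tool set and LSASS allowlist are assumptions an organisation would replace with its own software inventory.

```python
"""Host-based detections for living-off-the-land remote access and credential theft.

Added example, not code from the original article or any vendor. Three rules:
  unapproved_rmm  - a remote-access or tunnelling tool from the set named in
                    the text that the organisation has not sanctioned
  lsass_access    - a handle to lsass.exe opened with memory-read rights, the
                    access pattern of credential dumpers such as Mimikatz
  psexec_service  - PSEXESVC-style service execution used for SMB lateral movement
Field names follow Sysmon's schema; allowlists and events are constructed.
"""
from dataclasses import dataclass

# Lower-case fragments of the RMM/tunnel binaries listed in the text.
RMM_TOOLS = ("teamviewer", "anydesk", "splashtop", "screenconnect", "ngrok",
             "tailscale", "pulseway", "fleetdeck", "tacticalrmm")
APPROVED_RMM = {"screenconnect"}                       # assumed sanctioned tool
# Processes legitimately opening LSASS (assumed; tune to the environment).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010                               # right needed to read LSASS memory


@dataclass
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict):
    image = basename(ev["Image"])
    cmd = ev.get("CommandLine", "").lower()
    tool = next((t for t in RMM_TOOLS if t in image), None)
    if tool and tool not in APPROVED_RMM:
        return Alert("unapproved_rmm", f"{tool} started by {ev.get('User', '?')}: {cmd}")
    if image == "psexesvc.exe" or "psexec" in cmd:
        return Alert("psexec_service", f"{image} on {ev.get('Computer', '?')}")
    return None


def check_process_access(ev: dict):
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    source = basename(ev["SourceImage"])
    granted = int(ev["GrantedAccess"], 16)   # Sysmon logs this as a hex string
    if granted & PROCESS_VM_READ and source not in LSASS_ALLOWLIST:
        return Alert("lsass_access", f"{source} opened lsass.exe with {ev['GrantedAccess']}")
    return None


def run_rules(events):
    """Apply the rules in event order and return the alerts raised."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            hit = check_process_create(ev)
        elif ev["EventID"] == 10:
            hit = check_process_access(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install", "User": "CORP\\jdoe", "Computer": "WS01"},
    {"EventID": 1, "Image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "CommandLine": "ScreenConnect.ClientService.exe", "User": "NT AUTHORITY\\SYSTEM", "Computer": "WS01"},
    {"EventID": 1, "Image": r"C:\Temp\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389",
     "User": "CORP\\jdoe", "Computer": "WS01"},
    {"EventID": 10, "SourceImage": r"C:\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": "PSEXESVC.exe",
     "User": "NT AUTHORITY\\SYSTEM", "Computer": "SRV02"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "User": "CORP\\jdoe", "Computer": "WS01"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The sanctioned ScreenConnect service and Defender's LSASS access pass silently, while the user-installed AnyDesk, the ngrok tunnel to RDP, the unknown binary reading LSASS memory and the PSEXESVC service each raise an alert. Matching on the binary name is deliberately simple; in practice the same rules are keyed on signer, hash and installation path so that a renamed tool is still caught.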
Scattered Spider actors typically initiate ransomware deployment after gaining initial network access through social engineering, such as vishing or phishing, followed by lateral movement to exfiltrate sensitive data for leverage.[1] This data theft enables a double-extortion model, where victims face both system encryption and threats of data publication on dark web leak sites unless ransoms are paid, often in cryptocurrency.[29] The group has partnered with ransomware-as-a-service (RaaS) affiliates, including ALPHV/BlackCat, to execute these operations, sharing proceeds from successful extortions.[30] Deployment involves targeting virtualized environments, particularly VMware ESXi hypervisors, to achieve rapid encryption across multiple systems, reducing detection windows from days to hours.[31] Observed tactics include privilege escalation via compromised credentials, deployment of custom scripts for data enumeration, and execution of ransomware payloads like RansomHub, Qilin, and DragonForce, which encrypt files and append extensions such as ".qilin" or ".rhub".[32][33] In some incidents, actors have customized ransomware variants to evade endpoint detection, prioritizing high-value sectors like retail and hospitality for maximum disruption.[34] Extortion demands vary by victim scale, ranging from millions in Bitcoin or Monero, with negotiations conducted via encrypted channels or victim portals on RaaS leak sites.[24] Refusal to pay prompts phased data leaks to pressure compliance, as seen in affiliations with groups publicizing stolen datasets exceeding terabytes in size.[35] This approach exploits operational downtime costs, with encrypted systems rendering services inoperable until decryption keys are provided post-payment.[26] Law enforcement notes that Scattered Spider's English-speaking operators often reference victim-specific details in demands to heighten urgency.[1]
Major Incidents
2023 Casino Breaches
In September 2023, the cybercriminal collective known as Scattered Spider, also tracked as UNC3944, executed targeted intrusions against two major Las Vegas-based casino and hospitality operators: Caesars Entertainment and MGM Resorts International.[20][1] These incidents, occurring within days of each other, relied heavily on social engineering techniques such as vishing—voice phishing—to deceive IT help desk personnel into divulging or resetting credentials, bypassing multi-factor authentication through fatigue attacks or direct manipulation.[21][22] The group exploited publicly available information from platforms like LinkedIn to impersonate executives or employees, facilitating initial access to vendor systems and escalating privileges within corporate networks.[1] Following access, Scattered Spider exfiltrated sensitive customer data, including loyalty program details with personal identifiers and partial payment information, before issuing extortion demands.[21][22]
Caesars Entertainment Attack (September 2023)
On or around September 7, 2023, Scattered Spider initiated the Caesars breach by targeting a third-party IT help desk vendor via social engineering, tricking staff into providing access credentials.[21] The intruders subsequently stole data on approximately 10.6 million customers from the Caesars Rewards loyalty program, encompassing names, email addresses, phone numbers, and partial credit card details dating back to 2018.[22] In response to the extortion threat, Caesars Entertainment paid an estimated $15 million ransom—half of the $30 million demanded—to affiliates of the ALPHV/BlackCat ransomware operation, with whom Scattered Spider collaborated for data monetization.[36] This payment, disclosed in a September 2023 SEC filing, mitigated widespread operational disruptions, allowing the company to restore systems more swiftly than in comparable incidents, though it drew criticism for incentivizing further attacks.[37] Caesars notified affected individuals and enhanced security protocols post-breach, but the event underscored vulnerabilities in outsourced IT support chains.[22]
MGM Resorts International Attack (September 2023)
Scattered Spider gained initial access to MGM Resorts' network on September 11, 2023, again through vishing attacks on help desk resources, impersonating legitimate users to obtain system credentials.[22][21] The compromise triggered ransomware deployment, encrypting systems and disrupting operations across MGM properties, including slot machines, hotel check-ins, digital keys, and reservation platforms, resulting in an estimated 10-day outage.[22] Unlike Caesars, MGM refused to pay the ransom, leading Scattered Spider and ALPHV affiliates to leak over 100 gigabytes of stolen data—including customer PII and internal documents—on underground forums starting September 14, 2023.[20][22] The attack caused financial losses exceeding $100 million in revenue and remediation costs, as reported by MGM in SEC disclosures, while prompting FBI involvement in the investigation.[36] Full system recovery extended into late September, with lingering effects on guest services and highlighting the risks of non-payment in extortion scenarios.[21]
Caesars Entertainment Attack (September 2023)
In early September 2023, Scattered Spider (also known as UNC3944) targeted Caesars Entertainment through social engineering, specifically by impersonating a company employee to deceive a third-party IT support vendor into providing access credentials.[38][39] This vishing (voice phishing) tactic enabled initial system infiltration without widespread technical exploits.[40] The breach resulted in the exfiltration of sensitive data from a significant portion of Caesars' loyalty program members, including driver's license numbers and Social Security numbers (SSNs), affecting customer privacy and exposing the company to potential identity theft risks.[41] Scattered Spider, operating as an affiliate of the ALPHV/BlackCat ransomware-as-a-service group, threatened to publicly release the stolen data unless a ransom was paid.[40][22] Caesars negotiated with the attackers and paid approximately $15 million—half of an initial $30 million demand—to secure the deletion of exfiltrated data and limit further harm, as detailed in the company's subsequent SEC filing.[42][43] This swift payment minimized operational disruptions, such as system outages or service interruptions, unlike peer incidents in the casino sector during the same period.[22] The company disclosed the incident publicly on September 14, 2023, confirming the data theft but emphasizing no material impact on operations due to the ransom resolution.[41] Attribution to Scattered Spider stemmed from the group's own claims of data theft from Caesars and aligned forensic indicators, including shared tactics with contemporaneous breaches.[22][44]
MGM Resorts International Attack (September 2023)
The MGM Resorts International cyberattack occurred on September 11, 2023, when the hacking group Scattered Spider gained unauthorized access to the company's systems through social engineering tactics targeting the IT help desk.[20][21] Attackers impersonated MGM employees using details gathered from LinkedIn profiles and other open sources to conduct vishing attacks, convincing help desk personnel to reset multi-factor authentication (MFA) credentials or provide one-time passwords.[45][1] This initial foothold exploited weak MFA controls and password reuse, allowing escalation to privileged access in Okta identity management and Azure cloud environments, where attackers configured unauthorized inbound federation to maintain persistence.[45] Following access, Scattered Spider collaborated with the ALPHV/BlackCat ransomware-as-a-service operation to deploy ransomware, encrypting approximately 100 VMware ESXi hypervisors and exfiltrating around 6 terabytes of data, including customer information such as names, contact details, dates of birth, driver's license numbers, and loyalty program records.[21][45] MGM Resorts refused to pay the demanded ransom, prompting the group to publicly claim responsibility on September 14, 2023, and threaten data leaks.[21] The intrusion caused severe operational disruptions across MGM properties, particularly in Las Vegas, halting slot machines, online reservations, digital room keys, elevators, and point-of-sale systems for about 10 days, forcing manual operations and affecting thousands of guests.[20][21] In response, MGM shut down affected systems to contain the breach, engaged cybersecurity firms and the FBI for investigation, and incurred $100 million in third-quarter losses, including $84 million in revenue shortfalls and $10 million in remediation costs, though no confirmed evidence of customer financial data compromise emerged.[21] The company offered affected individuals credit monitoring and identity protection services while committing up to $40 million to enhance IT security, highlighting vulnerabilities in identity and access management as a key lesson from the incident.[21][45]
Snowflake Data Warehouse Compromises (2023)
In 2023, Scattered Spider (tracked as UNC3944 by Mandiant) incorporated targeting of victims' Snowflake data warehouse instances as a key tactic for data exfiltration following initial network compromise. After gaining access via social engineering—such as vishing help desk personnel or exploiting stolen credentials—actors performed reconnaissance to identify Snowflake environments, enabling rapid querying and export of sensitive data without deploying persistent malware. This method leveraged Snowflake's native SQL capabilities, such as SELECT statements and COPY INTO for external staging, to steal terabytes of information in hours, often prioritizing customer records, financial details, and intellectual property for extortion.[1]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with international partners, documented this behavior in a November 3, 2023, advisory, noting its prevalence across intrusions into sectors like retail, hospitality, and critical infrastructure. For instance, actors scanned compromised endpoints for Snowflake client tools like DBeaver or configuration files containing authentication tokens, bypassing multifactor authentication (MFA) gaps or network controls in many cases. While specific victim counts tied exclusively to Snowflake exfiltration remain undisclosed, the tactic aligned with Scattered Spider's 2023 campaigns, which emphasized data theft over immediate ransomware deployment to maximize leverage in negotiations.[1][46]
Mandiant reported potential overlaps with other actors, such as UNC5537, which exploited infostealer-compromised Snowflake credentials dating back to 2020 but active into 2023; however, Scattered Spider's approach distinctly relied on live pivoting from footholds rather than credential marketplaces alone. No evidence indicates direct compromise of Snowflake's core infrastructure; attacks targeted customer-hosted instances lacking MFA or IP allowlisting. This pattern contributed to heightened alerts, with over 165 Snowflake customers later assessed for exposure risks, underscoring systemic vulnerabilities in cloud data configurations.[47][48]
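The activity described in this section leaves a distinctive trail in Snowflake's own query history: an unfamiliar desktop client, a burst of SHOW and INFORMATION_SCHEMA discovery statements, a full-table SELECT, and then COPY INTO an external cloud location. The script below is an added example for this article, not code from the original text or from Snowflake. Its input rows are constructed and use simplified field names; in a real deployment they would be read from columns such as QUERY_TEXT, USER_NAME and ROWS_PRODUCED of the ACCOUNT_USAGE.QUERY_HISTORY view, with the client application joined in from session data. The approved-client set, the known internal stage, and both thresholds are assumptions to be tuned per account.

```python
"""Query-history triage for bulk export from a Snowflake account.

Added example, not code from the original article or from Snowflake. Rules:
  unexpected_client      - a client application outside the approved set
                           (e.g. a desktop SQL tool such as DBeaver)
  schema_enumeration     - a burst of SHOW / INFORMATION_SCHEMA discovery
                           statements by a single user
  bulk_read              - a SELECT that returned more rows than the baseline
  copy_to_cloud_url      - COPY INTO a cloud URL (unload to external storage)
  copy_to_unknown_stage  - COPY INTO a named stage not in the sanctioned list
Input rows, approved clients, stages and thresholds are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

APPROVED_CLIENTS = {"Tableau", "Fivetran", "SnowSQL"}   # assumed BI/ETL inventory
KNOWN_INTERNAL_STAGES = {"etl_internal_stage"}         # assumed sanctioned stages
BULK_ROW_THRESHOLD = 1_000_000
ENUMERATION_THRESHOLD = 3

# Only the target right after COPY INTO matters: a load (COPY INTO table FROM
# @stage) has a table there, an unload has a stage or a cloud URL.
CLOUD_URL = re.compile(r"\s*COPY\s+INTO\s+'((?:s3|azure|gcs)://[^'\s]+)'", re.I)
NAMED_STAGE = re.compile(r"\s*COPY\s+INTO\s+@([A-Za-z_][\w.]*)", re.I)
DISCOVERY = re.compile(
    r"\s*(SHOW\s+(DATABASES|SCHEMAS|TABLES|VIEWS|COLUMNS)\b|SELECT\b.*\bINFORMATION_SCHEMA\b)",
    re.I | re.S)


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def analyse(rows):
    """Per-row rules first, in input order; per-user aggregate rules last."""
    findings, seen_clients, discovery = [], set(), Counter()
    for r in rows:
        user, client, q = r["user"], r["client"].split()[0], r["query"]
        if client not in APPROVED_CLIENTS and (user, client) not in seen_clients:
            seen_clients.add((user, client))        # report each user/client pair once
            findings.append(Finding("unexpected_client", user, r["client"]))
        if DISCOVERY.match(q):
            discovery[user] += 1
        if q.lstrip().upper().startswith("SELECT") and r["rows"] > BULK_ROW_THRESHOLD:
            findings.append(Finding("bulk_read", user, f"{r['rows']} rows: {q[:60]}"))
        if m := CLOUD_URL.match(q):
            findings.append(Finding("copy_to_cloud_url", user, m.group(1)))
        elif (m := NAMED_STAGE.match(q)) and m.group(1).lower() not in KNOWN_INTERNAL_STAGES:
            findings.append(Finding("copy_to_unknown_stage", user, m.group(1)))
    for user, n in discovery.items():
        if n >= ENUMERATION_THRESHOLD:
            findings.append(Finding("schema_enumeration", user, f"{n} discovery statements"))
    return findings


# Constructed query-history rows (not from a real incident).
SAMPLE_ROWS = [
    {"user": "svc_bi", "client": "Tableau 2023.1",
     "query": "SELECT region, SUM(amount) FROM SALES.PUBLIC.ORDERS GROUP BY region", "rows": 12},
    {"user": "jdoe", "client": "DBeaver 23.1", "query": "SHOW DATABASES", "rows": 4},
    {"user": "jdoe", "client": "DBeaver 23.1", "query": "SHOW TABLES IN DATABASE CUSTOMERS", "rows": 41},
    {"user": "jdoe", "client": "DBeaver 23.1",
     "query": "SELECT table_name, row_count FROM CUSTOMERS.INFORMATION_SCHEMA.TABLES", "rows": 41},
    {"user": "jdoe", "client": "DBeaver 23.1",
     "query": "SELECT * FROM CUSTOMERS.PUBLIC.LOYALTY_MEMBERS", "rows": 8_250_000},
    {"user": "jdoe", "client": "DBeaver 23.1",
     "query": "COPY INTO 's3://unrecognised-bucket/dump/' FROM CUSTOMERS.PUBLIC.LOYALTY_MEMBERS "
              "FILE_FORMAT = (TYPE = CSV)", "rows": 8_250_000},
    {"user": "etl_loader", "client": "Fivetran",
     "query": "COPY INTO @etl_internal_stage/daily FROM SALES.PUBLIC.ORDERS", "rows": 50_000},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

The Fivetran load into the sanctioned internal stage and the Tableau aggregate query produce nothing, while the DBeaver session is flagged four times in sequence, which is the order a responder would want to see it in. The detections are retrospective; the preventive controls the section names, MFA on every human account and a network policy restricting which IP ranges may log in, are what stop the session from existing in the first place.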