Scatter Swine

Threat Actor updated 4 months ago (2024-05-05T10:17:49.008Z)
Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when it carried out smishing attacks against over 100 organizations, including Twilio and Cloudflare. It employs tactics such as social engineering, phishing, multi-factor authentication (MFA) bombing, and SIM swapping to gain initial network access to large organizations. Scatter Swine's tactics mirror those adopted by another group called LAPSUS$. The group has shown a particular focus on accessing credentials or systems used for SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments.

In August 2022, Scatter Swine made significant strides in its malicious activities by stealing one-time passwords (OTPs) delivered to Okta customers. This sophisticated social engineering attack led to the compromise of 216 customer accounts. Numerous cybersecurity entities, including Group-IB, CrowdStrike, and Okta, have documented and mapped many of these attacks to Scatter Swine and its associated intrusion groups.

By Q3 of 2023, Scatter Swine had escalated its activities, carrying out several high-profile attacks against the gaming industry and other large enterprises. Despite the varied naming conventions used by different companies to track this threat actor, the consistent pattern of its activities points to a globally distributed group with a relentless phishing campaign. Its continued presence poses a significant threat to large organizations, necessitating robust detection and mitigation strategies.
Description last updated: 2024-05-05T10:13:00.778Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Scattered Spider | 2 | Scattered Spider is a threat actor group known for its malicious cyber activities. The group's operations involve searching SharePoint repositories for sensitive information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They primarily gain access to vic |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Source Document References
Information about the Scatter Swine Threat Actor was read from the documents corpus below.
| Source | Created At | Title |
| --- | --- | --- |
| CERT-EU | 10 months ago | FBI shares tactics of notorious Scattered Spider hacker collective |
| CERT-EU | 10 months ago | Scattered Ransomware Attribution Blurs Focus on IR Fundamentals |
| CERT-EU | 10 months ago | Okta Hacked Yet Again: 2FA Firm Failed to 2FA |
| CERT-EU | a year ago | MGM casino's ESXi servers allegedly encrypted in ransomware attack |
| CERT-EU | a year ago | Cybercrime Group 'Muddled Libra' Targets BPO Sector with Advanced Social Engineering |
| CERT-EU | a year ago | Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks \| #ransomware \| #cybercrime \| National Cyber Security Consulting |
| Unit42 | a year ago | Threat Group Assessment: Muddled Libra |
| CERT-EU | a year ago | UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety - Cyber Security Review |
| CERT-EU | a year ago | Mailchimp suffers second security breach in 6 months, impacting 133 customers |
| CERT-EU | a year ago | Biggest Lessons from the MGM Ransomware Attack \| #ransomware \| #cybercrime \| National Cyber Security Consulting |