Scatter Swine, also known by names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022, when it executed smishing attacks against over 100 organizations, including Twilio and Cloudflare. It employs tactics such as social engineering, phishing, multi-factor authentication (MFA) bombing, and SIM swapping to gain initial network access to large organizations. Scatter Swine's tactics mirror those adopted by another group called LAPSUS$. The group has shown a particular focus on accessing credentials or systems used for SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments.
In August 2022, Scatter Swine stole one-time passwords (OTPs) delivered to Okta customers. This sophisticated social engineering attack led to the compromise of 216 customer accounts. Numerous cybersecurity entities, including Group-IB, CrowdStrike, and Okta, have documented many of these attacks and mapped them to Scatter Swine and its associated intrusion groups.
By Q3 of 2023, Scatter Swine had escalated its activities, carrying out several high-profile attacks against the gaming industry and other large enterprises. Although different companies track this threat actor under different names, the consistent pattern of its activities points to a globally distributed group with a relentless phishing campaign. Its continued presence poses a significant threat to large organizations, necessitating robust detection and mitigation strategies.
Description last updated: 2024-05-05T10:13:00.778Z