Scattered Spider

Threat Actor updated 20 hours ago (2024-11-20T17:39:09.756Z)
Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data held in Software as a Service (SaaS) applications, ranging from less sophisticated outfits to well-known systems such as Microsoft cloud environments, as well as on-premises infrastructure. Scattered Spider has been observed using a range of tactics to infiltrate target networks, including phishing to obtain login credentials, searching SharePoint repositories for information, maintaining persistence on the network, and exfiltrating data for extortion. The group has also demonstrated proficiency in exploiting remote systems and infrastructure.

In recent years, Scattered Spider has been involved in several high-profile attacks. In one instance, the group gained global administrator rights to MGM Resorts' Azure instances, leading to significant data exfiltration and operational disruption. It has also been linked to a series of rapid, high-profile social engineering attacks aimed at bypassing multi-factor authentication. The group was further tied to an attack on Bozeman, Montana-based Snowflake, in which around 165 customers were notified of potential breaches by the threat group codenamed UNC5537, also known as Scattered Spider.

As of May 2024, Scattered Spider continues to pose a significant threat to organizations worldwide. Its tactics have been observed in unclaimed attacks, such as the one on MoneyGram, demonstrating ongoing activity. The group was seen establishing a foothold on a cloud-hosted virtual machine via a cloud service VM management agent. Scattered Spider and another threat actor group, COZY BEAR, have shown cross-domain proficiency, enabling them to move across multiple operating systems and security platforms swiftly and confidently. Both groups are capable of infiltrating all major cloud service providers, with Scattered Spider being financially motivated and COZY BEAR often targeting Azure services for data theft.
Description last updated: 2024-11-15T16:11:56.874Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.

Alias (votes): Description

UNC3944 (4 votes): UNC3944, also known as Scattered Spider and Oktapus, is a financially motivated threat actor group that has been expanding its target sectors. Initially focusing on telecommunication firms and tech companies, the group has broadened its attacks to hospitality, retail, media, and financial services.

Muddled Libra (4 votes): Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align close

Octo Tempest (4 votes): Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n

Tyler (2 votes): Tyler, also known as "tylerb" in Telegram chat channels, is a threat actor identified by the cybersecurity community as a significant concern due to his involvement in high-profile ransomware attacks. Tyler, whose real name is Tyler Buchanan, is a 22-year-old from Dundee, Scotland. His arrest was re

Scatter Swine (2 votes): Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when they executed smishing attacks against over 100 organizations, including Twilio

Oktapus (2 votes): Oktapus, a threat actor also known as Scattered Spider, Scatter Swine, and Muddled Libra, has been identified as a significant cybersecurity risk due to its sophisticated phishing campaigns. The group first gained notoriety in 2022 when it launched the Oktapus phishing campaign, targeting employees
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Ransomware
Cybercrime
Lateral Move...
Phishing
RaaS
ESXi
Ransom
Extortion
Exploit
Credentials
SharePoint
MGM
Malware
Encryption
Scams
Azure
CrowdStrike
Windows
Okta
Telegram
AWS
Fraud
Microsoft
Reconnaissance
FBI
Smishing
VPN
Bitcoin
Exploits
Associated Malware
Malware (association type; votes): Description

Akira (Unspecified; 2 votes): Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo

Raccoon (Unspecified; 2 votes): Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $
Associated Threat Actors
Threat actor (association type; votes): Description

Alphv (is related to; 7 votes): Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB

RansomHub (Unspecified; 3 votes): RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai

Cozy Bear (Unspecified; 2 votes): Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy

Qilin (Unspecified; 2 votes): Qilin, a threat actor known for its malicious activities in cyberspace, has been on the rise with an increase in victim count by 44%, reaching 140 in Q3. This group is part of the Octo Tempest group, which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to

Noberus (Unspecified; 2 votes): Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr
Source Document References
Information about the Scattered Spider Threat Actor was read from the documents in the corpus below. This display is limited to 20 results.

Source, created:
DARKReading, 3 months ago
DARKReading, 6 days ago
BankInfoSecurity, 16 days ago
BankInfoSecurity, a month ago
CrowdStrike, 2 months ago
InfoSecurity-magazine, 2 months ago
CrowdStrike, 2 months ago
Krebs on Security, 2 months ago
DARKReading, 2 months ago
DARKReading, 3 months ago
Securityaffairs, 3 months ago
DARKReading, 3 months ago
Securityaffairs, 4 months ago
DARKReading, a year ago
CERT-EU, 9 months ago
DARKReading, 4 months ago
DARKReading, 4 months ago
Securityaffairs, 4 months ago
Securityaffairs, 4 months ago
Securityaffairs, 4 months ago