Scattered Spider

Threat Actor updated 22 days ago (2024-11-29T14:28:11.436Z)

Download STIX

Preview STIX

Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with the Black Cat/ALPHV ransomware group. The group's modus operandi involves searching SharePoint repositories for information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They also exploit infrastructure, such as remote systems, and use phishing techniques to obtain login credentials, thereby gaining access to victim's networks. Throughout 2024, authorities globally have made significant strides in apprehending members of Scattered Spider. In January, U.S. authorities arrested Noah Michael Urban, a 19-year-old from Florida, suspected of being part of this group. Later in July, law enforcement in the U.K. arrested a 17-year-old teenager from Walsall, also believed to be a member of Scattered Spider. These arrests highlight the global nature of this cybercrime group, with its members spread across different regions. The U.S. Justice Department has charged five alleged members of Scattered Spider with conspiracy to commit wire fraud, marking a significant move in the fight against cybercrime. Despite these developments, the threat posed by Scattered Spider remains substantial. They are part of a broader cybercriminal community called "The Com," where hackers brag about high-profile cyber thefts. Over the past two years, Scattered Spider is suspected of hacking into hundreds of organizations, including Twilio, LastPass, DoorDash, and Mailchimp. The persistent threat underscores the need for continued vigilance and proactive cybersecurity measures.

Description last updated: 2024-11-25T13:44:54.873Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Octo Tempest is a possible alias for Scattered Spider. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft	5
UNC3944 is a possible alias for Scattered Spider. UNC3944, also known as Scattered Spider or 0ktapus, is a notable threat actor in the cybersecurity landscape. This group primarily targets telecommunication firms and tech companies, but has expanded its operations to hospitality, retail, media, and financial services sectors. The group's modus oper	5
Muddled Libra is a possible alias for Scattered Spider. Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align close	4
Oktapus is a possible alias for Scattered Spider. Oktapus, a threat actor also known as Scattered Spider, Scatter Swine, and Muddled Libra, has been identified as a significant cybersecurity risk due to its sophisticated phishing campaigns. The group first gained notoriety in 2022 when it launched the Oktapus phishing campaign, targeting employees	4
Scatter Swine is a possible alias for Scattered Spider. Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when they executed smishing attacks against over 100 organizations, including Twilio	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Phishing

Cybercrime

Ransom

Malware

Lateral Move...

Credentials

Esxi

RaaS

Extortion

Sharepoint

Exploit

Smishing

Azure

Fraud

Bitcoin

MGM

Crowdstrike

Encryption

Scams

Vpn

Exploits

Okta

Windows

Aws

Microsoft

Reconnaissance

Fbi

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Akira Malware is associated with Scattered Spider. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo	Unspecified	2
The Raccoon Malware is associated with Scattered Spider. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Scattered Spider. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p	is related to	7
The Ransomhub Threat Actor is associated with Scattered Spider. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai	Unspecified	4
The Noberus Threat Actor is associated with Scattered Spider. Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr	Unspecified	2
The Cozy Bear Threat Actor is associated with Scattered Spider. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy	Unspecified	2
The Qilin Threat Actor is associated with Scattered Spider. Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to	Unspecified	2

Source Document References

Information about the Scattered Spider Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CrowdStrike	8 hours ago	Falcon Platform Wins AAA Award With 100% Accuracy in SE Labs Q3 Test
DARKReading	11 days ago	Texas Teen Arrested for Scattered Spider Telecom Hacks
BankInfoSecurity	a month ago	Will Arrests Squash Scattered Spider's Cybercrime Assault?
Krebs on Security	a month ago	Feds Charge Five Men in ‘Scattered Spider’ Roundup
InfoSecurity-magazine	a month ago	Five Charged in Scattered Spider Case
Securityaffairs	a month ago	US DoJ charges five alleged members of the Scattered Spider cybercrime gang
BankInfoSecurity	a month ago	Feds Indict 5 Suspects Tied to Scattered Spider Cybercrime
DARKReading	4 months ago	Thousands of Oracle NetSuite E-Commerce Sites Expose Sensitive Customer Data
DARKReading	a month ago	CrowdStrike Spends to Boost Identity Threat Detection
BankInfoSecurity	2 months ago	Canadian Cops Bust Suspected Hacker Tied to Snowflake Hits
BankInfoSecurity	2 months ago	MoneyGram Money Transfer Firm Reports Customer Data Breach
CrowdStrike	3 months ago	How CrowdStrike Hunts, Identifies and Defeats Cloud-Focused Threats
InfoSecurity-magazine	3 months ago	CrowdStrike Apologizes for IT Outage, Defends Microsoft Kernel Access
CrowdStrike	3 months ago	Elevating Identity Security at Fal.Con 2024 \| CrowdStrike
Krebs on Security	3 months ago	The Dark Nexus Between Harm Groups and ‘The Com’
DARKReading	3 months ago	Socially Savvy Scattered Spider Traps Cloud Admins in Web
DARKReading	4 months ago	BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
Securityaffairs	4 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
DARKReading	4 months ago	Microsoft on CISOs: Thriving Community Means Stronger Security
Securityaffairs	5 months ago	security-affairs-malware-newsletter-round-5