UNC3944

Threat Actor updated a month ago (2024-10-08T19:00:55.726Z)
UNC3944, also known as Scattered Spider and Oktapus, is a financially motivated threat actor group that has been expanding its target sectors. Initially focusing on telecommunication firms and tech companies, the group has broadened its attacks to hospitality, retail, media, and financial services. The group's primary modus operandi involves leveraging the Identity Provider (IDP) for initial access into an environment with the intent of stealing Intellectual Property (IP) for extortion purposes. In recent times, the group has notably launched ransomware attacks in the hospitality and retail sectors. The group's tactics have evolved to include more sophisticated methods such as using Azure Serial Console to gain administrative console access to Virtual Machines (VMs). This is achieved through phishing and SIM swapping attacks aimed at taking over Microsoft Azure admin accounts. In Q2 2024, UNC3944 added RansomHub and Qilin ransomware to its arsenal, further demonstrating its adaptability and increasing threat level. The group's ability to effectively use social engineering techniques, thanks to its members' proficiency in American English, has contributed significantly to its success. Law enforcement agencies have made progress in curbing UNC3944's activities. Spanish police arrested a 22-year-old British national suspected of being a key member of the group, while UK law enforcement apprehended a 17-year-old teenager from Walsall believed to be part of the same cybercrime organization. Despite these arrests, the group continues to pose a significant threat, with recent reports suggesting involvement in a cyberattack on hotel and casino giant Caesars Entertainment. UNC3944 has not yet claimed any attacks against the health sector, but given their evolving tactics and targets, this sector should remain vigilant.
Description last updated: 2024-10-08T18:16:13.245Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions vary between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias: Scattered Spider (4 votes). Scattered Spider is a possible alias for UNC3944. Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data within Software as a Service (SaaS) applications, including less sophisticated outfits and more well-known systems such as Microsoft cloud environments and on-prem
Alias: Octo Tempest (3 votes). Octo Tempest is a possible alias for UNC3944. Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n
Alias: Muddled Libra (2 votes). Muddled Libra is a possible alias for UNC3944. Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align close
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Cybercrime
Phishing
ESXi
Azure
Extortion
Mandiant
Associated Malware
Malware: DarkGate (association type: Unspecified; 2 votes). The DarkGate malware is associated with UNC3944. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio
Associated Threat Actors
Threat actor: ALPHV (association type: Unspecified; 4 votes). The ALPHV threat actor is associated with UNC3944. ALPHV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB