UNC3944

Threat Actor updated 25 days ago (2024-08-14T10:17:48.286Z)
UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor group that has become increasingly active in recent years. The group initially targeted telecommunications firms and technology companies but has since expanded its operations to the hospitality, retail, media, and financial services sectors. UNC3944 gains initial access through a variety of techniques, such as abusing the Identity Provider (IdP), and has gone on to deploy ransomware. The group's modus operandi includes stealing intellectual property (IP) for extortion. Notably, it added RansomHub and Qilin ransomware to its arsenal in the second quarter of 2024.

UNC3944 has demonstrated a sophisticated understanding of cloud-based systems, specifically Microsoft Azure. The group has used phishing and SIM swapping attacks to take over Microsoft Azure admin accounts, gaining access to virtual machines (VMs). It then uses the Azure Serial Console to obtain administrative console access to those VMs, further extending its control over the compromised systems. The focus on VMs appears strategic: these machines often run critical operations, making them high-value targets for ransomware.

Law enforcement efforts against UNC3944 have seen some success. A 22-year-old British national suspected of being a key member of the group was arrested by Spanish police, and UK law enforcement arrested a 17-year-old from Walsall under similar suspicions. Despite these arrests, the group remains active and continues to pose a significant threat. UNC3944 has not yet claimed any attacks against the health sector, but given its expanding range of targets, that possibility cannot be ruled out.
Description last updated: 2024-08-14T09:26:43.388Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile Description

Scattered Spider (4 votes): Scattered Spider is a threat actor group known for its malicious cyber activities. The group's operations involve searching SharePoint repositories for sensitive information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They primarily gain access to vic

Octo Tempest (3 votes): Octo Tempest, a known threat actor in the cybersecurity landscape, has recently added RansomHub and Qilin ransomware to its arsenal of cyber weapons. This expansion of their capabilities marks a significant escalation in their potential for harm and demonstrates a clear evolution towards more sophis

Muddled Libra (2 votes): Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Ransomware
Phishing
Cybercrime
Esxi
Azure
Extortion
Mandiant
Analyst Notes & Discussion
Associated Malware
ID (type, votes): Profile Description

Darkgate (type: Unspecified, 2 votes): DarkGate is a malicious software (malware) designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once embedded in a system, DarkGate can steal personal information, disrupt operations, or hold data for ransom. Recently, the malware was
Associated Threat Actors
ID (type, votes): Profile Description

Alphv (type: Unspecified, 4 votes): Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
Source Document References
Information about the UNC3944 threat actor was read from the document corpus below. This display is limited to 20 results.

Source (created): Title

CERT-EU (a year ago): Cyber Security Today, Sept. 13, 2023 – Warning: This group specializes in SMS texting scams | IT World Canada News
Securityaffairs (2 months ago): UK police arrested a 17-year-old linked to Scattered Spider gang
Securityaffairs (2 months ago): Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
BankInfoSecurity (2 months ago): Millions Affected by Prudential Ransomware Hack in February
Securityaffairs (3 months ago): Spanish police arrested an alleged member of the Scattered Spider group
Securityaffairs (5 months ago): U.S. Department of Health warns of attacks against IT help desks
CERT-EU (a year ago): Hackers claim MGM cyberattack as outage drags into fourth day | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity (a year ago): UNC3944 Is Now Deploying Ransomware Variants
CERT-EU (a year ago): Scattered Spider traps 100+ victims in its web as it moves into ransomware • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (10 months ago): FBI shares tactics of notorious Scattered Spider hacker collective
BankInfoSecurity (10 months ago): CISA, FBI Issue New Warning Following Las Vegas Cyberattack
CERT-EU (10 months ago): NoEscape Ransomware, AvosLocker Ransomware, Retch Ransomware, S-H-O Ransomware and More: Hacker's Playbook Threat Coverage Round-up: October 31st, 2023
CERT-EU (10 months ago): Scattered Ransomware Attribution Blurs Focus on IR Fundamentals
DARKReading (10 months ago): Octo Tempest Group Threatens Physical Violence as Social Engineering Tactic
CERT-EU (10 months ago): 'One of the most dangerous financial criminal groups' responsible for MGM cyberattack
CERT-EU (10 months ago): Cyber Security Today, Oct. 27, 2023 – Malware hiding as a cryptominer may have infected 1 million PCs since 2017 | IT World Canada News
CERT-EU (10 months ago): Meet Octo Tempest, 'Most Dangerous Financial' Hackers
BankInfoSecurity (10 months ago): Meet Octo Tempest, 'Most Dangerous Financial' Hackers
CERT-EU (a year ago): Hackers say they stole 6 terabytes of data from casino giants MGM, Caesars | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (a year ago): MGM casino's ESXi servers allegedly encrypted in ransomware attack