UNC3944

Threat Actor Profile Updated 12 days ago
UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor group that has been active since 2021. The group is known for its sophisticated cyberattacks, leveraging the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property (IP) for extortion. Initially targeting telecommunication firms and tech companies, UNC3944 has expanded its scope to include hospitality, retail, media, and financial services sectors. The group has demonstrated a particular proficiency in social engineering techniques, aided by its members' ability to speak American English. This expertise has enabled UNC3944 to successfully execute phishing and SIM swapping attacks to gain control over Microsoft Azure admin accounts and virtual machines.

The group's modus operandi involves the use of the Azure Serial Console to gain administrative console access to VMs, followed by the deployment of ALPHV (also known as BlackCat) ransomware. This ransomware-as-a-service (RaaS) model allows UNC3944 to manage victims and support extortion efforts efficiently. Notably, the group tends to target critical virtual machines to maximize the scale of its operation. However, as of now, UNC3944 has not claimed any attacks against the health sector.

In a significant development, Spanish police arrested a 22-year-old British national suspected of being a key member of UNC3944. This arrest followed reports attributing a recent cyberattack on hotel and casino giant Caesars Entertainment to the group. Despite this setback, UNC3944 remains a significant cybersecurity threat, given its evolving tactics and expanding target sectors. Cybersecurity firm Mandiant emphasizes the importance of re-thinking the security of virtual machines in light of UNC3944's activities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Scattered Spider | 4 | Scattered Spider is a prominent threat actor group known for its malicious cyber activities. Their modus operandi includes searching SharePoint repositories for information, seeking to maintain persistence on targeted networks, and exfiltrating data for extortion purposes. The group primarily uses p
Muddled Libra | 2 | Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t
Octo Tempest | 2 | Octo Tempest, a financially motivated collective of native English-speaking threat actors, has emerged as a significant cybersecurity concern. Known for wide-ranging campaigns featuring adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities, Octo Tempest has evo
0ktapus | 1 | 0ktapus, also known as Scatter Swine, is a threat actor that first emerged in August 2022 and has been linked to smishing attacks against over 100 organizations, including Twilio and Cloudflare. The group's primary objective was to gain access to company mailing lists or customer-facing systems, wit
Scatter Swine | 1 | Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when they executed smishing attacks against over 100 organizations, including Twilio
Oktapus | 1 | Oktapus, also known as Scattered Spider, is a threat actor that has been associated with several high-profile cyber attacks since 2022. This group, which is suspected to be comprised of multiple actors using the same toolkit, has targeted numerous organizations in the IT, software development, and c
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Phishing
Extortion
Azure
Esxi
Cybercrime
Mandiant
Evasive
Github
Credentials
Smishing
Police
Health
Reconnaissance
Telegram
Okta
MGM
Microsoft
Locker
Ddos
RaaS
Windows
Loader
Malware
Proxy
Associated Malware
ID | Type | Votes | Profile Description
Darkgate | Unspecified | 2 | DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 4 | AlphV, a notorious threat actor in the cybersecurity industry, has been responsible for numerous high-profile ransomware attacks. The group's activities include the theft of 5TB of data from Morrison Community Hospital and hacking Clarion, a global manufacturer of audio and video equipment for cars.
Black Cat | Unspecified | 1 | Black Cat, also known as AlphV, is a prominent threat actor known for its malicious activities in the cybersecurity landscape. The group gained significant attention when it launched an attack on Change Healthcare, a subsidiary of Optum and UnitedHealth Group (UHG), in late February. This ransomware
Lapsus | Unspecified | 1 | Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwor
Rhysida | Unspecified | 1 | Rhysida, a ransomware-as-a-service (RaaS) group, emerged as a significant threat actor in May 2023. Initially targeting Windows, it later expanded its operations to Linux systems. The group is known for its distinct attack methodology that involves defense evasion, exfiltration of data for ransom, a
Scattered Swine | Unspecified | 1 | None
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the UNC3944 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | 12 days ago | Millions Affected by Prudential Ransomware Hack in February
Securityaffairs | a month ago | Spanish police arrested an alleged member of the Scattered Spider group
Securityaffairs | 3 months ago | U.S. Department of Health warns of attacks against IT help desks
CERT-EU | 10 months ago | Hackers claim MGM cyberattack as outage drags into fourth day | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity | 10 months ago | UNC3944 Is Now Deploying Ransomware Variants
CERT-EU | 10 months ago | Scattered Spider traps 100+ victims in its web as it moves into ransomware • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 8 months ago | FBI shares tactics of notorious Scattered Spider hacker collective
BankInfoSecurity | 8 months ago | CISA, FBI Issue New Warning Following Las Vegas Cyberattack
CERT-EU | 8 months ago | NoEscape Ransomware, AvosLocker Ransomware, Retch Ransomware, S-H-O Ransomware and More: Hacker's Playbook Threat Coverage Round-up: October 31st, 2023
CERT-EU | 8 months ago | Scattered Ransomware Attribution Blurs Focus on IR Fundamentals
DARKReading | 9 months ago | Octo Tempest Group Threatens Physical Violence as Social Engineering Tactic
CERT-EU | 9 months ago | 'One of the most dangerous financial criminal groups' responsible for MGM cyberattack
CERT-EU | 9 months ago | Cyber Security Today, Oct. 27, 2023 – Malware hiding as a cryptominer may have infected 1 million PCs since 2017 | IT World Canada News
CERT-EU | 9 months ago | Meet Octo Tempest, 'Most Dangerous Financial' Hackers
BankInfoSecurity | 9 months ago | Meet Octo Tempest, 'Most Dangerous Financial' Hackers
CERT-EU | 10 months ago | Hackers say they stole 6 terabytes of data from casino giants MGM, Caesars | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 10 months ago | MGM casino's ESXi servers allegedly encrypted in ransomware attack
CERT-EU | 10 months ago | Tactics of MGM-Caesars attackers were known for several months
CERT-EU | a year ago | Cybercrime Group 'Muddled Libra' Targets BPO Sector with Advanced Social Engineering
CERT-EU | 10 months ago | Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients