UNC3944

Threat Actor updated 22 days ago (2024-11-29T14:04:03.800Z)
UNC3944, also known as Scattered Spider or 0ktapus, is a notable threat actor in the cybersecurity landscape. The group primarily targets telecommunication firms and tech companies but has expanded its operations to the hospitality, retail, media, and financial services sectors. Its modus operandi involves leveraging the Identity Provider (IdP) for initial access into an environment, with the aim of stealing intellectual property (IP) for extortion. Recent developments reveal that UNC3944 has started using Azure Serial Console to gain administrative console access to virtual machines (VMs), employing phishing and SIM-swapping attacks to take over Microsoft Azure admin accounts.

The group has been linked to major data extortion campaigns against high-profile organizations such as Caesars Entertainment and MGM, often collaborating with the notorious BlackCat/ALPHV ransomware group. In the second quarter of 2024, UNC3944 added RansomHub and Qilin ransomware to its arsenal, expanding its capabilities. The group's members have demonstrated effective social engineering techniques, aided by their ability to speak American English, which has likely contributed to their success in executing these attacks.

Law enforcement agencies have taken significant action against UNC3944. A 22-year-old British national suspected of being a key member of the group was arrested by Spanish police, and a 17-year-old from Walsall, UK, believed to be a member of the group, was also apprehended. Furthermore, the U.S. Justice Department charged five alleged members of UNC3944 with conspiracy to commit wire fraud. Despite these arrests, organizations must maintain robust security measures and stay vigilant against the threats posed by groups like UNC3944.
Description last updated: 2024-11-21T16:04:40.333Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Scattered Spider | Scattered Spider is a possible alias for UNC3944. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th | 5
Octo Tempest | Octo Tempest is a possible alias for UNC3944. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft | 4
Muddled Libra | Muddled Libra is a possible alias for UNC3944. Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align close | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Phishing
Cybercrime
Extortion
ESXi
Azure
Mandiant
Associated Malware
Alias | Description | Association Type | Votes
DarkGate | The DarkGate malware is associated with UNC3944. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
ALPHV | The ALPHV threat actor is associated with UNC3944. ALPHV, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p | Unspecified | 4
Source Document References
Information about the UNC3944 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
InfoSecurity-magazine | a month ago
Securityaffairs | a month ago
BankInfoSecurity | 2 months ago
CERT-EU | a year ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
BankInfoSecurity | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 8 months ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
DARKReading | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago