UNC3944

Threat Actor updated 17 days ago (2024-10-08T19:00:55.726Z)
UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat group whose targeting has steadily widened. It initially focused on telecommunications and technology companies and has since expanded into hospitality, retail, media and financial services. Its core playbook is to compromise the victim's identity provider (IdP) for initial access and then steal intellectual property to extort the victim; more recently it has deployed ransomware against hospitality and retail targets.

Its tradecraft has also evolved. The group takes over Microsoft Azure administrator accounts through phishing and SIM swapping, then uses the Azure Serial Console to obtain administrative console access to virtual machines. In Q2 2024 UNC3944 added the RansomHub and Qilin ransomware families to its toolkit, further demonstrating its adaptability. Much of its success rests on social engineering, aided by members who speak fluent American English.

Law enforcement has made some progress against the group. Spanish police arrested a 22-year-old British national suspected of being a key member, and UK police arrested a 17-year-old from Walsall believed to belong to the same organisation. Despite these arrests the group remains a significant threat, and recent reporting links it to the attack on hotel and casino operator Caesars Entertainment. UNC3944 has not claimed any attacks against the health sector, but given how its targets have shifted, that sector should remain vigilant.
Description last updated: 2024-10-08T18:16:13.245Z
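The Azure Serial Console abuse described above leaves a trail in the Azure Activity Log, which is where a defender would look first. The following is an added example, not code from this page or from any vendor named on it: a Python script that parses a constructed, trimmed-down set of Activity Log records, flags serial console connects and VM run commands, and rates any caller outside a hypothetical break-glass allow-list as high. The two operation names are the ones Azure records for those actions; the record shape, callers, subscription and resource IDs and the allow-list are assumptions made for the example.

```python
"""Flag Azure Activity Log events consistent with Serial Console / Run Command abuse.

Added example; not code from the page or from any vendor named on it. The log
records below are constructed and use a trimmed-down version of the Activity
Log schema (eventTimestamp, caller, operationName.value, resourceId, status).
"""
import json
from collections import Counter

# Activity Log operation names recorded when an identity opens a VM serial
# console session or runs a command on a VM through the Azure control plane.
WATCHED_OPERATIONS = {
    "Microsoft.SerialConsole/serialPorts/connect/action": "serial console connect",
    "Microsoft.Compute/virtualMachines/runCommand/action": "VM run command",
}

# Hypothetical allow-list: the only identities expected to touch VM consoles.
EXPECTED_CONSOLE_USERS = {"breakglass-admin@example.com"}

# Constructed sample records (not real telemetry); IDs and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
SAMPLE_LOG = json.dumps([
    {"eventTimestamp": "2024-10-01T02:14:09Z", "caller": "ops-admin@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/read"},
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/app01",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-10-01T02:15:41Z", "caller": "breakglass-admin@example.com",
     "operationName": {"value": "Microsoft.SerialConsole/serialPorts/connect/action"},
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/db02",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-10-01T02:31:07Z", "caller": "helpdesk-tier1@example.com",
     "operationName": {"value": "Microsoft.SerialConsole/serialPorts/connect/action"},
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/app01",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-10-01T02:33:52Z", "caller": "helpdesk-tier1@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"},
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/app01",
     "status": {"value": "Succeeded"}},
])


def parse_activity_log(raw):
    """Normalise raw Activity Log JSON into flat dicts; tolerates string- or
    object-valued operationName/status and missing fields."""
    events = []
    for rec in json.loads(raw):
        op = rec.get("operationName")
        if isinstance(op, dict):
            op = op.get("value")
        status = rec.get("status")
        if isinstance(status, dict):
            status = status.get("value")
        events.append({
            "time": rec.get("eventTimestamp"),
            "caller": rec.get("caller") or "<unknown>",
            "operation": op,
            "resource": rec.get("resourceId") or "",
            "status": status,
        })
    return events


def flag_console_access(events, expected=EXPECTED_CONSOLE_USERS):
    """Return one finding per watched operation. Callers outside the allow-list
    are rated high; allow-listed callers still get a review entry, because a
    SIM-swapped admin account looks exactly like the real admin."""
    findings = []
    for ev in events:
        label = WATCHED_OPERATIONS.get(ev["operation"])
        if label is None:
            continue
        findings.append({
            "time": ev["time"],
            "caller": ev["caller"],
            "action": label,
            "vm": ev["resource"].rsplit("/", 1)[-1],
            "status": ev["status"],
            "severity": "review" if ev["caller"] in expected else "high",
        })
    return findings


def summarize_by_caller(findings):
    """Count watched actions per caller; a previously unseen caller is the signal."""
    return dict(Counter(f["caller"] for f in findings))


if __name__ == "__main__":
    found = flag_console_access(parse_activity_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['caller']:30} {f['action']:22} vm={f['vm']}")
    print(summarize_by_caller(found))
```

Allow-listed callers are surfaced as "review" rather than suppressed on purpose: SIM swapping puts the attacker behind a legitimate administrator identity, so the account name alone cannot clear the event. Correlating these findings with the sign-in logs for the same identity (new device, new phone number or MFA method registered shortly before) is the natural next step.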
Possible Aliases / Cluster overlaps
Vendors cluster and name this activity differently, so the following are possible overlapping names and profiles worth comparing against UNC3944.
Scattered Spider (4 votes): Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. It...

Octo Tempest (3 votes): Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n...

Muddled Libra (2 votes): Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align close...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Cybercrime
Phishing
Esxi
Azure
Extortion
Mandiant
Associated Malware
DarkGate (association type: Unspecified; 2 votes): DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio...
Associated Threat Actors
AlphV (association type: Unspecified; 4 votes): AlphV, also known as BlackCat, is a ransomware-as-a-service operation active since November 2021 and known for its public data-leak site. It has been associated in reporting with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la...
Source Document References
Information about the UNC3944 threat actor was read from the documents below (display limited to 20 results).
Source (created):
BankInfoSecurity (17 days ago)
CERT-EU (a year ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
BankInfoSecurity (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (7 months ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)