UNC3944

Threat Actor updated 10 months ago (2024-11-29T14:04:03.800Z)

Download STIX

Preview STIX

UNC3944, also known as Scattered Spider or 0ktapus, is a notable threat actor in the cybersecurity landscape. This group primarily targets telecommunication firms and tech companies, but has expanded its operations to hospitality, retail, media, and financial services sectors. The group's modus operandi involves leveraging the Identity Provider (IDP) for initial access into an environment with the aim of stealing Intellectual Property (IP) for extortion. Recent developments reveal that UNC3944 has started using Azure Serial Console to gain administrative console access to Virtual Machines (VMs), employing phishing and SIM swapping attacks to take over Microsoft Azure admin accounts. The group has been linked to major data extortion campaigns against high-profile organizations such as Caesars Entertainment and MGM, often collaborating with the notorious Black Cat/ALPHV ransomware group. In the second quarter of 2024, UNC3944 added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities for malicious activities. The group's members have demonstrated effective social engineering techniques, aided by their ability to speak American English, which has likely contributed to their success in executing these attacks. Law enforcement agencies have taken significant action against UNC3944. A 22-year-old British national suspected of being a key member of the group was arrested by Spanish police, and a 17-year-old from Walsall, UK, believed to be a member of the group, was also apprehended. Furthermore, the U.S. Justice Department charged five alleged members of UNC3944 with conspiracy to commit wire fraud. Despite these arrests, it remains crucial for organizations to maintain robust security measures and stay vigilant against potential threats posed by groups like UNC3944.

Description last updated: 2024-11-21T16:04:40.333Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Scattered Spider is a possible alias for UNC3944. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th	6
Octo Tempest is a possible alias for UNC3944. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft	4
Muddled Libra is a possible alias for UNC3944. Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align close	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Phishing

Extortion

Cybercrime

Esxi

Reconnaissance

Azure

Credentials

RaaS

Exploit

Mandiant

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Darkgate Malware is associated with UNC3944. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio	Unspecified	2
The Dragonforce Malware is associated with UNC3944. DragonForce is a malicious software (malware) developed by a hacktivist group of the same name. This malware has been used in a series of attacks targeting various organizations globally. In 2022, DragonForce targeted over 70 government and commercial entities in India, disrupting their web resource	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with UNC3944. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p	Unspecified	4
The Lapsus Threat Actor is associated with UNC3944. Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwor	Unspecified	2

Source Document References

Information about the UNC3944 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	25 days ago	A Scattered Spider member gets 10 years in prison
Krebs on Security	25 days ago	SIM-Swapper, Scattered Spider Hacker Gets 10 Years
Securityaffairs	a month ago	Exploit weaponizes SAP NetWeaver bugs for full system compromise
InfoSecurity-magazine	a month ago	Cybercriminals ‘Spooked’ After Scattered Spider Arrests
InfoSecurity-magazine	2 months ago	New Scattered Spider Tactics Target VMware vSphere Environments
Securityaffairs	2 months ago	Scattered Spider targets VMware ESXi in using social engineering
InfoSecurity-magazine	4 months ago	DragonForce Ransomware Leveraged in MSP Attack Using RMM Tool
Securityaffairs	4 months ago	Shields up US retailers. Scattered Spider threat actors can target them
InfoSecurity-magazine	4 months ago	Inside DragonForce, the Group Tied to M&S, Co-op and Harrods Hacks
Securityaffairs	5 months ago	A member of the Scattered Spider cybercrime group pleads guilty
InfoSecurity-magazine	10 months ago	Five Charged in Scattered Spider Case
Securityaffairs	10 months ago	US DoJ charges five alleged members of the Scattered Spider cybercrime gang
BankInfoSecurity	a year ago	MoneyGram Money Transfer Firm Reports Customer Data Breach
CERT-EU	2 years ago	Cyber Security Today, Sept. 13, 2023 – Warning: This group specializes in SMS texting scams \| IT World Canada News
Securityaffairs	a year ago	UK police arrested a 17-year-old linked to Scattered Spider gang
Securityaffairs	a year ago	Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
BankInfoSecurity	a year ago	Millions Affected by Prudential Ransomware Hack in February
Securityaffairs	a year ago	Spanish police arrested an alleged member of the Scattered Spider group
Securityaffairs	a year ago	U.S. Department of Health warns of attacks against IT help desks
CERT-EU	2 years ago	Hackers claim MGM cyberattack as outage drags into fourth day \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting