Introduction: Who Are Scattered Spider?
In the ever-evolving domain of cybersecurity, Scattered Spider stands out as a formidable adversary, a collective of predominantly young, English-speaking threat actors known for their audacious social engineering tactics and relentless pursuit of financial gain. Tracked under various monikers such as UNC3944 by Mandiant and Octo Tempest by Microsoft, this group comprises individuals often in their late teens or early twenties, hailing primarily from the United States and the United Kingdom. Their operations are characterized by a decentralized structure, allowing them to adapt swiftly to defensive measures while maintaining a reputation for infiltrating high-profile organizations with deceptive simplicity. What sets Scattered Spider apart is not just their technical prowess but their mastery of human psychology, turning routine interactions like help desk calls into gateways for multimillion-dollar breaches.
The significance of Scattered Spider in the contemporary cyber threat landscape cannot be overstated. As organizations increasingly rely on cloud services, identity providers, and interconnected supply chains, this group’s focus on identity compromise exposes critical vulnerabilities that traditional perimeter defenses often overlook. Their attacks have disrupted essential services, stolen vast troves of sensitive data, and extracted ransoms totaling over $115 million from at least 47 U.S. victims alone, underscoring the economic and operational toll of such threats. In a world where ransomware and data extortion are rampant, Scattered Spider exemplifies how accessible tools and social manipulation can rival the sophistication of state-sponsored actors.
Their ascent to notoriety accelerated in 2023 with high-impact intrusions into MGM Resorts and Caesars Entertainment, where they leveraged voice phishing to cause widespread disruptions in the hospitality sector. This momentum carried into 2024 with the Snowflake supply-chain breach, compromising data from numerous enterprises, and evolved further in 2025 to target aviation, retail, and insurance industries with renewed vigor. These incidents highlight a pattern of escalating ambition, exploiting weaknesses in identity management and third-party access to achieve outsized impacts.
This article serves as an educational resource for cybersecurity students, professionals, and organizations alike, delving into Scattered Spider’s origins, methodologies, and notable campaigns. By mapping their tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, we provide a structured analysis that demystifies their operations. More importantly, we emphasize actionable defenses, drawing from real-world lessons to empower readers to fortify their environments against similar threats. Understanding Scattered Spider is not merely academic; it’s a practical imperative in safeguarding digital assets amid growing cyber risks.
Origins and Evolution of Scattered Spider
Scattered Spider’s journey began around May 2022, emerging from underground forums where young hackers exchanged tactics for SIM-swapping and credential theft. Initially focused on telecommunications targets, they employed SMS phishing and underground services to hijack mobile numbers, bypassing multi-factor authentication (MFA) and draining cryptocurrency wallets. This phase honed their social engineering skills, setting the stage for more ambitious endeavors. By late 2022, the group shifted toward business email compromise and initial access brokering, selling footholds in corporate networks to ransomware affiliates.
The year 2023 marked a pivotal escalation, with attacks on MGM Resorts and Caesars Entertainment showcasing their refined playbook: impersonating employees to manipulate IT help desks, leading to ransomware deployments via partners like ALPHV/BlackCat. These operations not only yielded significant ransoms but also demonstrated their ability to disrupt large-scale infrastructure, costing victims millions in downtime and recovery. Entering 2024, Scattered Spider capitalized on supply-chain vulnerabilities, as seen in the Snowflake incident, where they exfiltrated terabytes of data from over 165 customers. By 2025, their activities intensified across retail, insurance, and aviation sectors, targeting U.K. retailers like Marks & Spencer and U.S. airlines with persistent social engineering campaigns.
Composed of a fluid network of young threat actors, Scattered Spider operates without rigid hierarchy, drawing talent from communities like “The Com” and overlapping with groups such as LAPSUS$ and Infinity Recursion. Key members use aliases like EarthtoStar, Brad, and Everlynn, collaborating on Telegram channels for coordination. Affiliations with ransomware-as-a-service (RaaS) outfits like RansomHub and DragonForce allow them to monetize accesses efficiently, adapting to disruptions by switching partners.
Law enforcement efforts have intensified, yielding notable successes. In November 2024, U.S. authorities charged Noah Michael Urban, a 20-year-old alleged member, who pleaded guilty and received a 10-year sentence in August 2025. July 2025 saw the arrests of U.K. nationals Owen Flowers (18) and Thalha Jubair (19) for their roles in attacks on U.K. retailers and transport systems; Jubair faced U.S. charges in September 2025 for extorting $115 million. Joint advisories from CISA, FBI, and NCSC, updated in July 2025, detail evolving TTPs and indicators of compromise (IOCs), urging enhanced identity protections. Despite these crackdowns, the group’s decentralized nature ensures resilience, with new affiliates filling voids.
Attack Methodology: Core Tactics and Techniques
Scattered Spider’s approach is a blend of cunning social manipulation and opportunistic use of legitimate tools, mapped to the MITRE ATT&CK framework for clarity. This structure helps defenders anticipate and counter their moves, emphasizing that while their methods are not novel, their execution is exceptionally effective.
Initial Access
Gaining entry often starts with TA0001: Initial Access through T1566.004 (Phishing: Spearphishing Voice), where actors impersonate employees or contractors to vish IT help desks, requesting password resets with convincingly sourced details from LinkedIn or data leaks. Phishing campaigns (T1566.001) deploy credential-harvesting kits mimicking Okta or Azure portals, while SIM swapping (T1621) exploits telecom weaknesses to intercept MFA codes. These human-focused vectors bypass technical safeguards, illustrating why education on verification protocols is crucial.
Credential Access & MFA Evasion
Once inside, TA0006: Credential Access follows, with MFA fatigue attacks (T1621) overwhelming users with push notifications until they approve access. They exploit lax identity workflows (T1556.006) in platforms like Entra ID, using password spraying (T1110.003) or man-in-the-middle tools like Evilginx. This phase highlights the need for phishing-resistant MFA, as traditional methods like SMS prove inadequate against determined actors.
Persistence & Privilege Escalation
To maintain foothold (TA0003), they steal SSO/OAuth tokens (T1528) and create backdoor accounts (T1136.001). Escalation (TA0004) targets admin privileges in Azure AD or Okta (T1078.004), abusing misconfigurations for certificate-based access (T1550.001). By living off the land with native tools, they evade detection, underscoring the value of least-privilege principles.
Lateral Movement & Discovery
Movement (TA0008) leverages remote management tools like AnyDesk (T1219) and PowerShell (T1059.001) to traverse networks, targeting VPNs and Citrix (T1550.002). Discovery (T1018) involves AD reconnaissance with tools like ADExplorer, probing for valuable assets. Tunneling via ngrok (T1572) obscures activity, making behavioral monitoring essential for early intervention.
Exfiltration & Impact
Finally, TA0010: Exfiltration sees data theft (T1041) staged in cloud buckets, followed by extortion or ransomware (TA0040: Impact) via affiliates. Disruptions like system encryption (T1486) amplify damage. This endgame drives home the importance of data classification and rapid response to minimize losses.
High-Profile Attacks: Case Studies
Scattered Spider’s campaigns provide vivid illustrations of their TTPs in action. Below, we analyze key incidents, breaking down what happened, how they gained entry, the impacts, and actionable lessons for defenders.
MGM Resorts (2023): What happened: In September 2023, Scattered Spider compromised MGM’s systems, deploying BlackCat ransomware across IT infrastructure, including slot machines and hotel operations. How attackers got in: They vished the IT help desk, posing as an employee with details gleaned from LinkedIn, securing credentials and bypassing MFA via social engineering. What was the impact: The attack caused a 10-day outage, resulting in $100 million in lost revenue and additional recovery costs. Lessons learned: Implement callback verifications for help desk requests and segment critical systems like hypervisors to limit lateral movement.
Caesars Entertainment (2023): What happened: Concurrent with MGM, Caesars suffered a data breach involving loyalty program records. How attackers got in: Similar vishing targeted an IT vendor, leading to credential compromise and data exfiltration. What was the impact: 67 million records stolen, with a $15 million ransom paid to prevent leaks, sparking lawsuits and trust erosion. Lessons learned: Enforce MFA across vendors and conduct regular third-party risk assessments to close supply-chain gaps.
Snowflake Customer Data Breach (2024): What happened: Affiliates accessed Snowflake instances, exfiltrating data from clients like AT&T and Ticketmaster. How attackers got in: Exploited MFA-less accounts with stolen credentials, using proxy tools for persistence. What was the impact: Terabytes of PII and IP stolen, leading to ransoms and secondary breaches. Lessons learned: Mandate MFA by default and rotate access keys regularly to thwart supply-chain amplification.
Retail & Aviation Targets (2024–25): What happened: In 2025, attacks hit U.K. retailers like Marks & Spencer, Harrods, and Co-op, alongside U.S. airlines and the Transport for London system, involving data theft and disruptions. How attackers got in: Help desk vishing and SIM swaps compromised Entra ID and VDI accounts, enabling AD reconnaissance and exfiltration. What was the impact: Retailers faced profit losses up to £300 million, while aviation disruptions grounded operations; TfL’s 2024 attack crippled public transport. Lessons learned: Train staff on social engineering red flags and deploy anomaly detection for impossible travel logins.
Target Profile: Who They Go After
Scattered Spider selectively pursues sectors rich in valuable data and sensitive to disruptions. Casinos like MGM were early targets due to their reliance on continuous operations and high-stakes customer information. Airlines, hit in late June 2025, offer PII from millions of passengers, where downtime translates to immediate financial and reputational harm. Retail giants such as Marks & Spencer and insurance firms provide troves of financial data, ideal for extortion.
These choices stem from opportunities for brand damage and quick payouts, exploiting dependencies on IT uptime. Common vulnerabilities include outsourced call centers with weak verification, inconsistent MFA enforcement, and MSP access points that serve as multipliers—one breach unlocks many. As 2025 progresses, their pivot to finance suggests a hunt for deeper pockets, driven by domain registrations indicating sector-specific phishing.
Technical Analysis: Tools and Infrastructure
Scattered Spider’s toolkit emphasizes stealth through legitimacy. Phishing domains, numbering over 600 since 2022, mimic identity providers via typosquatting, hosted on resilient registrars like Cloudflare. Kits incorporate Evilginx for adversary-in-the-middle attacks, evolving to include email bombing for MFA fatigue.
Underground marketplaces supply SIM-swap services, complemented by infostealers like Raccoon. Cloud tools are abused: Entra ID for token theft, AWS S3 for exfiltration via S3 Browser. Tunneling with Chisel, ngrok, and MobaXterm (S0508) facilitates C2, while AD tools like ADRecon enable discovery.
IOCs include domains like trycloudflare[.]com subdomains and YARA rules for affiliate ransomware. Defenders should focus on behavioral indicators over static lists, as infrastructure flux demands adaptive hunting.
Defensive Playbook: How to Counter Scattered Spider
To combat Scattered Spider, organizations must fortify identity systems, enhance monitoring, and prepare robust incident response plans. Below is an expanded playbook with actionable, prioritized steps for students, professionals, and enterprises, emphasizing practical measures to disrupt their attack chain.
Strengthening Identity Security
- Phishing-Resistant MFA: Deploy FIDO2 hardware keys or passkeys (e.g., YubiKey, Google Titan) to eliminate SMS-based MFA vulnerabilities, which Scattered Spider exploits via SIM swaps (T1621 mitigation). NIST 800-63B recommends phishing-resistant authenticators for high-risk environments. Implementation: Configure IdPs like Okta or Entra ID to enforce WebAuthn; budget $50-$100 per key for enterprise rollout.
- Robust Help-Desk Protocols: Require callbacks to verified numbers and dual-verifier checks (e.g., manager approval) for password resets. Use knowledge-based authentication only as a last resort, as attackers harvest answers from leaks. Example: Implement a ticketing system requiring secondary verification via a secure channel (e.g., Teams).
- Telecom Coordination: Partner with carriers to enable SIM swap alerts and PIN-based protections. Verizon and AT&T offer fraud detection APIs; integrate these into SOC workflows for real-time notifications.
- Conditional Access Policies: Enforce location-based and device-compliant access in Entra ID/Okta. Block logins from high-risk regions (e.g., known proxy IPs) to counter tunneling (T1572).
- Identity Governance: Regularly audit admin accounts and enforce least-privilege principles. Use tools like SailPoint to automate access reviews, reducing exposure to T1078.004 exploits.
Monitoring & Detection
- Anomaly Detection with UEBA: Use tools like Splunk or CrowdStrike Falcon to detect impossible travel (e.g., logins from London and Singapore within an hour) and MFA fatigue signals (rapid push notifications). Set thresholds: >5 MFA prompts in 60 seconds triggers alerts.
- Log Analysis for Admin Changes: Monitor IdP logs for unauthorized role escalations (T1098.005) using SIEM solutions like Elastic. Query example: event.action:role_assignment AND user.name:admin*
- Network Detection and Response (NDR): Deploy solutions like Darktrace to identify tunneling (e.g., ngrok, T1572) or unusual RMM activity (T1219). Baseline normal traffic to flag deviations.
- Threat Intelligence Integration: Subscribe to feeds (e.g., Recorded Future) for Scattered Spider IOCs, such as phishing domains or C2 IPs, and integrate with firewalls for proactive blocking.
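The two UEBA signals above (more than 5 push prompts in 60 seconds, and two logins too far apart to be reached at airliner speed) can be checked directly against IdP logs. The following is an added example, not code from the article or from any vendor product; the event field names (user, action, ts, geo, city), the mfa.push_sent and user.session.start action names, the 900 km/h speed ceiling and the sample events are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

FATIGUE_PROMPTS = 5      # article threshold: more than 5 push prompts in 60 s
FATIGUE_WINDOW = timedelta(seconds=60)
MAX_SPEED_KMH = 900.0    # assumed ceiling: faster than an airliner between logins is impossible

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect_mfa_fatigue(events):
    """Users who received more than FATIGUE_PROMPTS pushes inside any FATIGUE_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "mfa.push_sent":
            by_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0                        # left edge of the sliding window
        for end, t in enumerate(stamps):
            while t - stamps[start] > FATIGUE_WINDOW:
                start += 1
            if end - start + 1 > FATIGUE_PROMPTS:
                flagged.add(user)
                break
    return flagged

def detect_impossible_travel(events):
    """(user, from, to) for consecutive logins that would need speed > MAX_SPEED_KMH."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "user.session.start":
            logins[e["user"]].append(e)
    hits = []
    for user, seq in logins.items():
        seq.sort(key=lambda e: e["ts"])
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if haversine_km(prev["geo"], cur["geo"]) > MAX_SPEED_KMH * hours:  # no division: handles hours == 0
                hits.append((user, prev["city"], cur["city"]))
    return hits

# Constructed sample IdP events (not real data): alice gets 7 pushes in 54 s,
# then "logs in" from London and Singapore 45 min apart; bob's travel is normal.
def T(hms): return datetime.fromisoformat("2025-07-01T" + hms)
def login(user, hms, city, lat, lon):
    return {"user": user, "action": "user.session.start", "ts": T(hms), "geo": (lat, lon), "city": city}
SAMPLE_EVENTS = [{"user": "alice", "action": "mfa.push_sent", "ts": T(f"09:00:{i:02d}")} for i in range(0, 60, 9)] + [
    login("alice", "09:05:00", "London", 51.5074, -0.1278), login("alice", "09:50:00", "Singapore", 1.3521, 103.8198),
    login("bob", "09:00:00", "London", 51.5074, -0.1278), login("bob", "12:00:00", "Paris", 48.8566, 2.3522)]
```

Running detect_mfa_fatigue(SAMPLE_EVENTS) flags only alice, and detect_impossible_travel(SAMPLE_EVENTS) returns only her London to Singapore pair; a legitimate VPN egress can also trip the travel check, so tune geo sources before alerting on it alone.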
Incident Response Preparation
- Vishing Drills: Conduct quarterly tabletop exercises simulating help-desk vishing, training staff to recognize urgency tactics and verify identities. Use scripts mimicking Scattered Spider’s T1566.004 tactics.
- Identity Breach Playbooks: Develop runbooks for rapid credential rotation, session termination, and forensic analysis in IdP compromises. Example: Okta’s “Incident Response Guide” for stolen tokens.
- Threat Hunting: Proactively hunt for LotL tools (e.g., PowerShell, AnyDesk) using EDR platforms like Carbon Black. Query for suspicious processes: process_name:ngrok.exe OR process_name:anydesk.exe
- Forensic Readiness: Maintain 90-day log retention for IdP and network activity to support post-incident analysis, aligning with CISA recommendations.
Vendor and Third-Party Risk
- Contractual Security Requirements: Mandate MFA, zero-trust access, and audit logs in MSP contracts. Include clauses for immediate breach notification.
- Vendor Access Reviews: Quarterly audits of third-party accounts in IdPs, revoking stale permissions. Use tools like Vanta for automation.
- Segmentation: Isolate vendor access to dedicated VLANs or virtual desktops, limiting lateral movement (T1550.002).
- Supply-Chain Monitoring: Assess vendors’ security postures using frameworks like NIST CSF. Require SOC 2 Type II compliance for critical partners.
Student / Learner Takeaway
- Core Lesson: The human layer is the primary attack vector; mastering social engineering defenses is critical. Study MITRE ATT&CK (e.g., T1566.004, T1078) to map attacker moves.
- Practical Skills: Simulate vishing attacks in lab environments (e.g., Kali Linux phishing frameworks) to understand TTPs. Practice configuring FIDO2 MFA in an Okta sandbox.
- Career Insight: Identity security is the new perimeter. Certifications like CISSP or CompTIA CySA+ enhance understanding of threat hunting and IdP management.
Future Outlook: Where Scattered Spider is Headed
Looking ahead, Scattered Spider will likely deepen supply-chain assaults, targeting vendors for broader reach. Extortion without encryption is rising, leveraging data leaks for pressure. Despite arrests and retirement claims on forums, activity persists, with new ransomware links in September 2025. For defenders in 2025 and beyond: Invest in AI-driven detection and cross-sector intelligence to stay ahead of this resilient threat.
Conclusion
Scattered Spider’s blend of social engineering, identity exploitation, and ransomware partnerships has inflicted profound damage, from casino shutdowns to aviation disruptions. With TTPs evolving to bypass modern controls, their $115 million haul underscores the stakes. Key defenses include robust MFA, vigilant monitoring, and staff training. Organizations must harden identity security and train people, because the strongest defenses often fail at the weakest human link.
