Scattered Spider is increasingly making headlines of late, evolving its techniques and broadening the scope of its criminal activities against a wider array of enterprises.
Active since at least May 2022, the financially motivated cybercriminal group initially targeted telecommunications and entertainment companies, including MGM Resorts and Caesars Entertainment, through SIM-swapping and ransomware operations.
Over time, the group has shifted to high-value industries, most notably with attacks in May targeting major retailers such as Marks & Spencer, Co-op, and Harrods, and more recently airlines such as Hawaiian and Qantas, in assaults that caused widespread disruption to their operations and millions of dollars in damages and recovery costs.
While the UK’s National Crime Agency this week announced four arrests for the attacks on Marks & Spencer, Co-op, and Harrods, law enforcement officials have given no indication that the group’s threat has abated.
Notorious for its aggressive use of social engineering, Scattered Spider is believed to be targeting a wider range of industries with more sophisticated attacks. Understanding the group’s latest tactics can help CISOs prepare to counter the threat.
In a recent attack, the subject of a post-mortem by threat detection and response vendor ReliaQuest, Scattered Spider used advanced social engineering to compromise the organization’s Entra ID, Active Directory, and virtual infrastructure. The attack chain demonstrates Scattered Spider’s ability to blend patient planning with rapid execution, as well as increased knowledge of cloud-based and on-premises enterprise IT systems.
Scattered Spider took care to minimize its chance of detection and, even after the attack was discovered, aggressively attempted to maintain control of compromised systems.
Scattered Spider’s evolving plan of attack
Scattered Spider began its attack against the unnamed organization’s public-facing Oracle Cloud authentication portal, targeting its chief financial officer.
Using personal details, such as the CFO’s date of birth and the last four digits of their Social Security number obtained from public sources and previous breaches, Scattered Spider impersonated the CFO in a call to the company’s help desk, tricking help desk staff into resetting the CFO’s registered device and credentials.
The ruse was expedited by a combination of the priority help desk staff typically attach to requests from executive leadership and the fact that IT organizations routinely over-privilege C-suite accounts, allowing them access to a greater range of IT systems. It also demonstrates an evolution in Scattered Spider’s tactics, ReliaQuest notes. Whereas previously the group deployed credential harvesters via typosquatted domains to obtain valid credentials, its latest attacks see the group already equipped with valid credentials from the outset.
Given access to the CFO’s account, Scattered Spider mapped Entra ID (Azure AD) privileged accounts and groups before locating sensitive files on SharePoint and gaining an understanding of the targeted organization’s on-premises IT systems and cloud environment.
Cybercriminals hacked into the target’s Horizon Virtual Desktop Infrastructure (VDI) using the CFO’s credentials before using social engineering to compromise two further accounts and pivoting toward the on-premises environment. In parallel, the group breached the organization’s VPN infrastructure to maintain remote access to compromised systems.
Scattered Spider subsequently reactivated a decommissioned virtual machine and began creating a parallel virtual environment under its control, before shutting down a virtualized production domain controller and extracting the NTDS.dit database file (Active Directory credentials) — all the while evading traditional endpoint detection.
The cybercriminals extracted more than 1,400 secrets by taking advantage of compromised admin accounts tied to the target’s CyberArk password vault and likely an automated script. Scattered Spider granted administrator roles to compromised user accounts before using tools, including ngrok, to maintain access on compromised virtual machines.
“On several occasions, the group assigned additional roles to compromised users, including the Exchange Administrator role,” according to ReliaQuest. “This role was used to monitor the inboxes of high-profile employees, enabling the attackers to stay ahead of the security team and maintain their control over the environment.”
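The role assignments described above leave a trail in the Entra ID directory audit log. The following detector is an added example, not code from ReliaQuest or the article: it scans constructed audit records (approximating the "Add member to role" event shape, with the role name carried in a `Role.DisplayName` modified property) and flags grants of high-impact roles made by any account that is not an approved identity administrator. The sample records, the `HIGH_IMPACT_ROLES` set and the `approved_grantors` allow-list are assumptions for illustration.

```python
import json

# Constructed sample records approximating the shape of Entra ID directory audit
# events (activityDisplayName / initiatedBy / targetResources). Not real data.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2025-06-02T01:12:40Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@corp.example"}},
     "targetResources": [{"userPrincipalName": "jdoe@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Exchange Administrator\""}]}]},
    {"activityDateTime": "2025-06-02T01:15:03Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@corp.example"}},
     "targetResources": [{"userPrincipalName": "svc-backup@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-06-02T09:30:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "idadmin@corp.example"}},
     "targetResources": [{"userPrincipalName": "helpdesk2@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDateTime": "2025-06-02T01:20:11Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@corp.example"}},
     "targetResources": [{"userPrincipalName": "jdoe@corp.example", "modifiedProperties": []}]},
]

# Roles that grant mailbox access or full tenant control (assumed watch-list).
HIGH_IMPACT_ROLES = {"Global Administrator", "Exchange Administrator",
                     "Privileged Role Administrator"}


def find_high_impact_role_grants(events, approved_grantors):
    """Return high-impact role grants whose actor is not an approved identity admin.

    A business account (here the CFO) handing out Exchange Administrator is exactly
    the pattern worth alerting on; approved_grantors holds the UPNs allowed to do so."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                role = json.loads(prop.get("newValue", '""'))  # newValue is a JSON string
                if role in HIGH_IMPACT_ROLES and actor not in approved_grantors:
                    findings.append({"time": ev["activityDateTime"], "actor": actor,
                                     "target": target.get("userPrincipalName"), "role": role})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in find_high_impact_role_grants(SAMPLE_AUDIT_LOG, {"idadmin@corp.example"}):
        print(f"{f['time']} {f['actor']} granted {f['role']} to {f['target']}")
```

In production the same logic runs over exported audit events or a SIEM query, with the allow-list drawn from the identity team's PIM-eligible accounts so that any grant outside that set and outside an approved change is paged on.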
Ensuing battle over IT resources
Despite the stealth of the attack, incident response defenders at the compromised company detected the intrusion and began to fight back, setting up a tug-of-war over control of the organization’s IT resources. In response, Scattered Spider abandoned attempts at covert infiltration and began an aggressive effort to disrupt business operations and hinder response and recovery.
For example, the group began deleting Azure Firewall policy rule collection groups. The attack was ultimately thwarted, at least in its main aims. Although some sensitive data was extracted, the likely plan to deploy ransomware never came to fruition.
This battle over privileged roles escalated until Microsoft had to intervene to restore control over the tenant.
“Scattered Spider’s latest campaign demonstrates its ability to adapt and evolve, blending human-centric exploitation with technical sophistication to compromise identity systems and virtual environments,” ReliaQuest concludes.
Faster, further, stronger
Christiaan Beek, senior director, threat analytics at Rapid7, told CSO that Scattered Spider’s tradecraft has evolved over recent months as it has developed better knowledge of cloud-based systems and carried out more aggressive, multi-pronged attacks.
Beek noted the following additions to Scattered Spider’s arsenal:
Cloud intrusion techniques: “The group has demonstrated a deep understanding of cloud environments using AWS Systems Manager Session Manager, EC2 Serial Console, and IAM [identity and access management] role enumeration to pivot and persist within cloud infrastructure — techniques typically seen in advanced threat actors,” according to Beek.
New persistence methods: “They’ve begun abusing legitimate infrastructure tools like Teleport for long-term access, setting up encrypted outbound connections that evade traditional detection mechanisms — a shift from their earlier reliance on commercial RMM [remote monitoring and management] tools alone,” Beek said.
Faster, multilayered attacks: Scattered Spider’s operations have become more aggressive and compressed. “Within hours of initial compromise — often via social engineering — they escalate privileges, move laterally, establish persistence, and begin reconnaissance across both cloud and on-prem environments,” Beek explained. “This speed and fluidity represent a significant escalation in operational maturity.”
While Scattered Spider has expanded its targets to new industries — first retail and then technology, finance, and now aviation — over recent months, its fundamental modus operandi remains similar, ReliaQuest researchers have found.
“This shift shows the group is willing to adapt its targets to maximize financial returns,” a ReliaQuest spokesperson told CSO. “That said, its tactics haven’t really changed — Scattered Spider still leans on sophisticated social engineering to target help-desk employees and gain access to high-value accounts.”
Countermeasures
In a blog post last week, security tools vendor Rapid7 detailed Scattered Spider’s latest tactics, techniques, and procedures (TTPs), alongside recommendations for defensive best practices.
“[The] group’s techniques, while sophisticated in execution, often exploit lapses in basic security practices — such as over-reliance on help desk identity proofing, or unmonitored use of admin tools,” Rapid7 researchers wrote. “Strengthening those areas, along with user education and modern authentication controls, provides a strong defence against Scattered Spider’s blend of social engineering and technical prowess.”
“Phishing-resistant MFA is key to block attacks at the outset, whilst vigilant monitoring in the cloud and on endpoints plays a part in catching unusual behavior before it escalates. Beyond technology, it’s crucial to maintain disciplined identity practices,” Rapid7’s Beek told CSO. “This means limiting standing privileges and enforcing approvals for sensitive actions, alongside regularly reviewing access rights.”
Defending effectively against Scattered Spider involves tackling both human and technical vulnerabilities, ReliaQuest researchers noted.
“To defend against these attacks, strengthen help-desk verification procedures to prevent unauthorised access, harden virtualised infrastructure to detect suspicious activity, and regularly test and train employees against social engineering tactics,” ReliaQuest advised. “These measures protect identity systems and workflows and disrupt the group’s ability to manipulate trust and evade defences.”