Introduction
We are kicking off our identity insight series with a close examination of threat actors that place a heavy emphasis on exploiting identities when carrying out attacks on organizations. These blog posts will examine a specific threat actor’s broader tradecraft, how they have evolved, and provide an aggregate view of their identity-specific attack techniques. For organizations with existing identity security and intelligence teams, our identity insight series is intended to bridge gaps between these teams. We provide actionable steps organizations can take to reduce their chances of being impacted by specific threat actors, which in turn helps reduce the organization’s identity attack surface. While greater emphasis is placed on the identity-specific components a threat actor leverages, we provide links to other resources to ensure your review of this threat actor profile and their TTPs is holistic.
Who Is Scattered Spider?
Scattered Spider (also commonly known as UNC3944, Octo Tempest, and Muddled Libra) is a moniker describing a large collective group of threat actors. These threat actors have targeted a variety of industries since 2021.
The Scattered Spider organization is large and dispersed. The FBI has indicated the group has upwards of 1,000 members – but there are several distinct groups or personas that operate under this umbrella moniker. Additionally, several groups are affiliated and form tactical relationships with the larger group.
Figure 1: Hydden Depiction of Scattered Spider, a collective with several individual and affiliated cybercriminal groups
This network of cybercriminals is part of an even larger group of hackers who affiliate themselves with “the Community” or “the Com”. It is widely believed that many of these groups formed as early as mid-2021. The first public reporting was released on August 25, 2022 by both Group-IB and Okta. The members of the broader group are mainly native English speakers residing in the United States, Canada, and the UK. Members are typically between 13 and 25 years of age and are active primarily on Telegram and Discord.
Initial Tradecraft
These first public reports highlighted the use of a versatile phishing kit to target people and gain access to their identities. It is suspected that the threat actors first obtained target lists of victims and their phone numbers through prior attacks on mobile and telecom operators.
The phishing kit enabled threat actors to quickly register a new copycat Okta domain, such as https://yourorgname-okta.com, and pair it with a broad or targeted social engineering campaign (typically delivered via SMS message). The messages were often cleverly crafted to convey a sense of urgency, which helped convince victims that they should “take action” on the request.
Once the victim clicked the link, they were directed to what appeared to be their organization’s legitimate authentication sign-on page. Convinced the page was legitimate, the victim would supply their credentials and 2FA codes. The kit could also deploy AnyDesk to a system, which indicates that it was not initially designed solely to support smishing campaigns.
Early versions of the kit “live streamed” the data entered to a Telegram channel where the attackers were waiting for victims to supply their credentials. The actor would then manually replay those credentials against the victim organization’s legitimate Okta sign-on page and carry out the rest of the attack. Often this resulted in the attacker quickly moving laterally across applications connected to Okta, escalating access when and where possible, and stealing sensitive data as quickly as possible.
We’ve observed many iterations of this kit, and the versatility of this kit has evolved over time. We have also observed copycat kits used by other groups in “the Com” that have taken the initial code and have made small alterations or customizations to target different industries, such as cryptocurrency organizations.
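The copycat domain pattern described above (the organization’s name and an identity-provider keyword joined by a hyphen on a freshly registered domain) is also a useful detection signal. The following Python script is an added example written for this post, not code from the original article or from any vendor: it scans constructed web-proxy log lines for destinations matching that pattern and, as a second signal, for domains registered within the last 30 days. The organization name, keyword list, allow-list, log format and registration dates are all constructed assumptions; a real deployment would pull registration dates from WHOIS/RDAP and the allow-list from the organization’s own inventory.

```python
"""Flag look-alike identity-provider domains in web-proxy logs.

Added example; not part of the original post. All names, dates and log lines
below are constructed for illustration.
"""
import re
from datetime import date

ORG_NAME = "yourorgname"                         # assumed organization name
IDP_KEYWORDS = ("okta", "sso", "login", "mfa")   # assumed IdP-related keywords
LEGIT_DOMAINS = ("yourorgname.com", "okta.com")  # assumed allow-list (exact or subdomain)
MAX_DOMAIN_AGE_DAYS = 30                         # age threshold for "newly registered"
AS_OF = date(2024, 11, 5)                        # constructed "today" for the sample

# Constructed registration dates; a real implementation would query WHOIS/RDAP.
REGISTRATION_DATES = {
    "yourorgname-okta.com": date(2024, 11, 2),
    "yourorgname-sso.net": date(2024, 10, 25),
    "okta.com": date(2009, 1, 15),
    "yourorgname.com": date(2005, 6, 1),
    "unrelated-vendor.io": date(2018, 3, 3),
}

# Constructed proxy log lines (key=value style).
SAMPLE_LOG = """\
2024-11-05T09:12:44Z user=alice dst=yourorgname-okta.com path=/login
2024-11-05T09:13:01Z user=alice dst=yourorgname.okta.com path=/app/UserHome
2024-11-05T09:15:10Z user=bob dst=yourorgname-sso.net path=/
2024-11-05T09:20:00Z user=carol dst=unrelated-vendor.io path=/docs
"""

LOG_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<dst>\S+)")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (ignores multi-part public suffixes)."""
    return ".".join(host.lower().split(".")[-2:])


def is_allowed(host: str) -> bool:
    """True when the host is, or is a subdomain of, an allow-listed domain."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_reasons(host: str, today: date) -> list:
    """Return the reasons a host looks like a copycat IdP domain (empty if none)."""
    if is_allowed(host):
        return []
    reasons = []
    reg = registrable_domain(host)
    label = reg.split(".")[0]
    # Signal 1: org name and an IdP keyword joined by '-' on a non-corporate domain.
    if "-" in label and ORG_NAME in label and any(k in label for k in IDP_KEYWORDS):
        reasons.append("org name and IdP keyword joined with '-'")
    # Signal 2: the domain was registered within the age threshold.
    created = REGISTRATION_DATES.get(reg)
    if created is not None:
        age = (today - created).days
        if age <= MAX_DOMAIN_AGE_DAYS:
            reasons.append(f"registered {age} days ago")
    return reasons


def scan_log(text: str, today: date) -> list:
    """Return (user, destination, reasons) for every request to a suspicious host."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        reasons = lookalike_reasons(m["dst"], today)
        if reasons:
            hits.append((m["user"], m["dst"], reasons))
    return hits


if __name__ == "__main__":
    for user, dst, reasons in scan_log(SAMPLE_LOG, AS_OF):
        print(f"{user} -> {dst}: {'; '.join(reasons)}")
```

Each hit names the user who reached the look-alike domain, which is the identity to prioritize for a credential and MFA reset. The legitimate tenant (yourorgname.okta.com) is excluded by the allow-list, so the hyphen rule only fires on domains the organization does not control.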
Characteristics and Evolution
Over time, the threat actors have become more intentional in victim selection when setting their sights on the next target. We have witnessed instances where the threat actor gains access to a few identities at an organization with a broad SMS phishing wave, then leverages those compromised identities to launch additional phishing attacks via business email compromise (BEC). The evolution of their victim targeting indicates an increased effort on extensive initial reconnaissance prior to launching new campaigns.
Figure 2: Illustrates how the threat groups have evolved and aggregated their techniques to intentionally target specific employee types with elevated access rights or those likely to have direct access to sensitive data
While this is not an all-inclusive list, we have put together a broad set of characteristics that describe the shared tradecraft and its evolution:
- Use of a phishing kit that leverages one or more near-replica copies of an organization’s IdP sign-on authentication page, combined with a custom domain name incorporating the target organization’s name. Most frequently we observe a dash (“-”) used within the registered domain name
- Sophisticated social engineering techniques that have evolved over time from text-based phishing to increasingly relying on voice phishing (vishing)
- Abuse of mobile devices and 2FA on mobile devices: SIM swapping, SMS phishing, MFA push fatigue
- The groups perform extensive reconnaissance before and after gaining initial access to a target organization. In several instances, the actors have leveraged a victim’s previously compromised PII to bypass user identity verification processes
- Some groups are extremely opportunistic, while others have clear goals:
  - Some groups focus exclusively on cloud environments while others target hybrid environments
  - Most groups leverage publicly available security utilities combined with abuse of an organization’s existing security tools
  - Some groups will simply search for the type of data they want in order to reach their objectives directly
- While the initial groups relied more on malware-free operations, there have been several instances of these groups leveraging ransomware, infostealers, Remote Access Trojans (RATs), and exploiting public-facing servers when necessary
Figure 3: Summary of techniques utilized by Scattered Spider groups
Like other actors, they tend to take the path of least resistance to gain initial access to organizations. In many cases, we observe these threat actors conducting these attacks and extracting sensitive data from the victim organization in a matter of hours. Their goal is to steal sensitive data as quickly as possible for extortion. The longer these groups remain in an environment undetected, the higher likelihood additional data is being siphoned out of the organization.
Timeline of Activity
Publicly documented activity does not represent the full breadth or nature of these groups. Many private organizations have been impacted without any public disclosure. The largest and most widely recognized incident was the attack on MGM Resorts in late 2023.
The best timeline that displays an aggregate of the public reporting that the research team at Hydden has observed was released from the Sekoia.io team in February of 2024 (Figure 1 in this link). We continued to observe consistent activity from this group from December of 2023 through November of 2024, with some periods of less activity. We have decided to omit any historical references on industry type targeting from the time in which attacks began until the current date as we have observed these groups have evolved to target industries of all types.
There have been several arrest announcements in 2024 including the coordinated arrest of the 17-year-old suspect involved in the MGM resorts attack. These events often have a ripple effect in the community, which we suspect could be the cause of brief periods of inactivity. Due to the nature and size of these groups, we expect them to continue to operate and evolve.
Current Known Identity Attack Vectors
Rather than zooming in on a specific group or persona that falls under the Scattered Spider moniker, we zoom out to the higher-level tradecraft across the groups and the identity-specific attack vectors at play. These have been categorized into five buckets:
- People – Heavy emphasis is placed on compromising people and their connected identities through social engineering attacks. The social engineering component has increasingly leveraged voice phishing (vishing) over time. There has recently been evidence of the threat actors leveraging AI for voice impersonation of employees. These actors have also been known to target connected family members.
- Credential Theft Techniques – These actors often gain access to credentials directly through social engineering via SMS phishing and phone calls. These groups have even resorted to leveraging violence-as-a-service (VaaS) (see Figure 3 in this link) to retrieve credentials. In many other instances, we have observed the actors gain initial access to an organization through employee credentials and cloud service tokens retrieved through other methods, such as purchasing them from an Initial Access Broker (IAB) or another dark web marketplace. The actors have also been known to gain access to some customer environments through publicly leaked authentication tokens. Once initial access is gained, the groups prioritize searching for and retrieving additional credentials to escalate privileges within an environment. Examples include:
  - Manually searching for credentials in common communication tools such as Slack, information/documentation repositories, and code repositories
  - Leveraging tools to harvest credentials from privileged access management (PAM) products
  - Harvesting credentials directly from secret managers within cloud service providers
  - Leveraging a wide range of open-source tools to harvest additional credentials
  - Leveraging a variety of infostealers to harvest additional credentials
- MFA Theft or Bypass Techniques – These actors have leveraged a myriad of methods to circumvent or bypass MFA. The most popular examples include:
  - Direct capture of MFA codes through phishing kits
  - SIM swapping
  - MFA push fatigue
  - Registering their own devices for MFA
  - Downgrading MFA policy configuration to SMS
  - Bypassing MFA by replaying tokens with satisfied claims
- Identity Provider Abuse Techniques – These actors have been observed abusing identity provider configurations to maintain persistence within a customer environment, further escalate privileges, or extend reconnaissance operations. Some recent examples were documented in a blog by researchers at EclecticIQ, which shows examples of CTS abuse and federated identity provider abuse through delegated authentication.
- Infrastructure Abuse Techniques – These actors have been known to leverage credentials compromised in earlier stages of the attack to access a customer’s infrastructure and security tools to perform privileged actions or further compromise other identities. A few examples include:
  - Attaching a custom ISO file to existing virtual machines in an environment to reset local administrator passwords to bypass domain controls
  - Creating new API keys in existing EDR tools to execute commands on managed endpoints
  - Performing bulk downloads of user/group and role information to further reconnaissance efforts
  - Performing snapshots of domain controller disk images to download and compromise credentials in NTDS.dit
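Several of the MFA-bypass and identity-provider-abuse techniques above leave a trail in the IdP’s audit log: a factor enrolled shortly after a helpdesk-assisted reset, a policy change that removes a phishing-resistant factor or re-enables SMS, and a bulk directory export used for reconnaissance. The following Python detection logic is an added example written for this post, not code from the original article or from any identity vendor. The event schema (field names such as `type`, `actor`, `target`, `factor`, `before`/`after`) and every record are constructed and deliberately generic; mapping them onto a real IdP’s system log is left to the reader.

```python
"""Detect identity-provider audit events associated with the MFA-bypass and
IdP-abuse techniques discussed above.

Added example; not part of the original post. The event schema and all
records are constructed and generic, not any vendor's audit-log format.
"""
from datetime import datetime, timedelta

# Factor types treated as phishing-resistant (assumption for this example).
STRONG_FACTORS = {"fido2", "smartcard"}
ENROLL_WINDOW = timedelta(hours=2)   # enrollment this soon after a reset is suspicious
BULK_EXPORT_THRESHOLD = 500          # directory exports at or above this size are flagged

# Constructed audit events (intentionally out of order to show sorting).
SAMPLE_EVENTS = [
    {"time": "2024-11-05T10:00:00Z", "type": "user.password.reset",
     "actor": "helpdesk.tom", "target": "alice"},
    {"time": "2024-11-05T10:25:00Z", "type": "user.mfa.enroll",
     "actor": "alice", "target": "alice", "factor": "sms"},
    {"time": "2024-11-05T08:00:00Z", "type": "user.mfa.enroll",
     "actor": "bob", "target": "bob", "factor": "fido2"},
    {"time": "2024-11-05T11:00:00Z", "type": "policy.mfa.update",
     "actor": "admin.kate", "policy": "Default MFA",
     "before": ["fido2", "push"], "after": ["push", "sms"]},
    {"time": "2024-11-05T11:05:00Z", "type": "policy.mfa.update",
     "actor": "admin.kate", "policy": "Contractors",
     "before": ["push"], "after": ["push", "fido2"]},
    {"time": "2024-11-05T11:30:00Z", "type": "directory.export",
     "actor": "admin.kate", "count": 1200},
]


def parse_time(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events: list) -> list:
    """Return (rule, subject, detail) tuples for events matching a detection rule."""
    findings = []
    last_reset = {}   # user -> time of the most recent reset performed by someone else
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])
        kind = ev["type"]
        if kind == "user.password.reset" and ev["actor"] != ev["target"]:
            last_reset[ev["target"]] = t
        elif kind == "user.mfa.enroll":
            # Rule 1: a new factor registered shortly after a helpdesk-assisted reset
            reset_at = last_reset.get(ev["target"])
            if reset_at is not None and t - reset_at <= ENROLL_WINDOW:
                findings.append(("mfa-enroll-after-reset", ev["target"], ev["factor"]))
        elif kind == "policy.mfa.update":
            # Rule 2: the policy loses a phishing-resistant factor or gains SMS
            before, after = set(ev["before"]), set(ev["after"])
            removed_strong = (before & STRONG_FACTORS) - after
            sms_added = "sms" in after and "sms" not in before
            if removed_strong or sms_added:
                findings.append(("mfa-policy-downgrade", ev["policy"], sorted(after)))
        elif kind == "directory.export" and ev["count"] >= BULK_EXPORT_THRESHOLD:
            # Rule 3: bulk user/group export, a reconnaissance indicator
            findings.append(("bulk-directory-export", ev["actor"], ev["count"]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject} ({detail})")
```

On the constructed sample, Bob’s FIDO2 enrollment with no preceding reset and the Contractors policy change that adds FIDO2 are correctly left alone, while Alice’s SMS enrollment 25 minutes after a helpdesk reset, the Default MFA policy losing FIDO2 and gaining SMS, and the 1,200-record export are each raised as findings.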
Identity Risk Mitigation Strategies
Effective risk mitigation should contain a mixture of people, process, and technical controls. Due to the observed opportunistic and adaptable nature of these threat actors, we have decided to keep our recommendations broad and vendor-neutral. We believe the best-practice recommendations below will help organizations defend against these threat groups and other groups that may leverage similar techniques.
People & Process:
- Helpdesk and IT staff should avoid knowledge-based identity verification checks when performing password or MFA resets whenever possible. Improved methods of identity verification should include:
  - Video verification (including having the employee show their ID/badge on a call). In lieu of video verification with the employee directly, video verification may be performed with a direct manager or team lead
- Employees should receive (at minimum) annual training on modern social engineering attacks and on ways to detect and report suspected mobile device tampering, such as port-out and SIM swapping conditions
- For employer-owned mobile devices, organizations should incorporate the carrier-provided account security settings into their onboarding procedures to protect against unauthorized access. In many instances, a carrier may provide additional methods of verification for account change requests
- Organizations should regularly run tabletop and red team exercises that test the people, process, and technical controls mentioned in this section
Technical Controls:
- Organizations should proactively monitor for look-alike (typosquatting) domains which may be leveraged in social engineering campaigns targeting individuals at your organization. In some cases, it may make sense to proactively purchase these domains. You can find comprehensive examples in the links provided in our resources section
- By default, consider blocking newly registered domains from both corporate endpoints and mobile devices. A general best practice is to block domains whose age is less than or equal to 14 or 30 days
- Remove SMS as an MFA verification option from any identity provider policy configuration for all employees, contractors, or vendors that access your organization’s resources
- Configure phishing-resistant MFA options in organizational identity provider policy configurations. Examples include:
  - FIDO2/WebAuthn authentication
  - PKI-based (typically smart card – PIV/CAC card)
- Where phishing-resistant MFA is not an option at your organization, consider implementing app-based authentication. This includes one-time passwords (OTP), mobile push notifications with number matching, or token-based OTPs
- Monitor authentication flow, identity provider policy change, and registration events:
  - Monitor for any additional mobile device MFA-registration events and MFA policy downgrade events
  - Where possible within identity provider configurations, ensure that you are exploring the full range of conditional access policy capabilities
  - Monitor for unauthorized application assignments in identity provider configurations
  - Ensure adequate monitoring capabilities are in place for unauthorized policy-specific or tenant-wide changes in identity provider configurations
- Ensure that your attack surface management program explicitly includes identity discovery:
  - Organizations should inventory all applications/systems that contain identities within their environment
  - Organizations should leverage a dark web monitoring service that proactively monitors all human and non-human identities discovered within their environment
  - Organizations should check last password change dates against the date the account was discovered in a dark web marketplace and force password changes for these accounts
- Organizations should ensure that their endpoint protection software can detect the presence of infostealers and open-source tools that can be leveraged to harvest credentials:
  - Credential harvesting examples: Mimikatz, Impacket, ProcDump, DCSync, LAPSToolkit, LaZagne, gosecretsdump, Hekatomb, smbpasswd.py, LinPEAS, ADFSDump, Jercretz, TruffleHog
  - Infostealer examples: ATOMIC, ULTRAKNOT, and VIDAR
- Organizations should search for and delete any instances of discovered identity credentials stored in common communication tools and documentation repositories.
  - A simple exercise such as searching for specific keywords such as “password” or “pw” in these tools may reveal alarming results for clean up
  - Controls should be put in place to prevent future occurrences
- Centralize identity event logging and any administrative changes into a common platform.
  - Prioritize monitoring and enforcing review processes for privileged account access
  - Prioritize understanding and monitoring identities and identity types that are public/external facing; a relevant example is understanding access tokens that exist within public code repositories
  - Prioritize monitoring of any identities that have access to data/objects that hold sensitive data within your organization
  - Monitor for unauthorized privileged group or role membership changes in any system or application which contains identities
  - Monitor and have mechanisms to verify how local administrator password changes occur
- Ensure adequate monitoring is in place for Privileged Access Management (PAM) systems in your environment. This includes cloud service provider credential managers. It is recommended to follow vendor-specific hardening and monitoring best practices.
  - Programmatic API and user account access should follow least privilege and just-in-time access principles
  - Adequate monitoring should be in place to detect suspicious/anomalous events occurring within the PAM
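The keyword search suggested for communication tools and documentation repositories, and the related point about access tokens sitting in code repositories, can be automated as a first pass. The following Python scanner is an added example written for this post, not code from the original article or from any of the tools named above: it walks constructed wiki and chat-export text and reports lines where “password”/“pw”-style keywords are followed by a value, lines containing two well-known token formats (AWS access key IDs, which begin with `AKIA`, and classic GitHub personal access tokens, which begin with `ghp_`), and long high-entropy strings that no pattern recognized. The documents, the entropy threshold and the redaction style are assumptions; the AWS key is Amazon’s documented placeholder and the GitHub token is a made-up string in the real format.

```python
"""Scan documentation and chat exports for stored credentials.

Added example; not part of the original post. The sample documents are
constructed; the AWS key shown is Amazon's documented placeholder and the
GitHub token is a made-up string in the real token's format.
"""
import math
import re
from collections import Counter

# Keyword hits: "password", "pw", etc. followed by a separator and a value.
KEYWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd|pw)\b\s*(?:is|[:=])\s*(\S+)")
# Well-known token formats.
TOKEN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Long random-looking runs that no pattern recognised.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/_\-]{24,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed threshold for this sample

# Constructed sample documents.
SAMPLE_DOCS = {
    "wiki/onboarding.md": """\
# Onboarding
Request VPN access from IT.
The password policy requires 12 characters and MFA.
Staging DB password: Summer2024!
""",
    "slack/devops-export.txt": """\
[09:14] alice: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[09:15] alice: and the deploy token is ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
[09:20] bob: api secret = kZ8vQ2mN4xP7rT1wY6bH3jL9sD5fG0aE
[09:21] bob: thanks, pw: hunter2
""",
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a string of one repeated character)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a short prefix so the finding can be located without re-exposing the value."""
    return secret[:4] + "***"


def scan_text(name: str, text: str) -> list:
    """Return (document, line number, kind, redacted value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        spans = []   # character ranges already reported, to avoid double-counting
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((name, lineno, kind, redact(m.group(0))))
                spans.append(m.span())
        m = KEYWORD_RE.search(line)
        if m is not None:
            findings.append((name, lineno, "password-keyword", redact(m.group(2))))
            spans.append(m.span(2))
        for m in CANDIDATE_RE.finditer(line):
            overlaps = any(s < m.end() and m.start() < e for s, e in spans)
            if not overlaps and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append((name, lineno, "high-entropy-string", redact(m.group(0))))
    return findings


def scan_docs(docs: dict) -> list:
    """Scan every document in a {name: text} mapping."""
    return [f for name, text in docs.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for doc, lineno, kind, value in scan_docs(SAMPLE_DOCS):
        print(f"{doc}:{lineno}: {kind} ({value})")
```

The keyword rule requires a separator (“:”, “=” or “is”) after the keyword so that ordinary prose such as “the password policy requires 12 characters” is not reported, and findings carry only a redacted prefix so that the clean-up report itself does not become another place where the credential is stored.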
Resources & Acknowledgements
Our blog leveraged firsthand knowledge from real-world victims combined with open-source intelligence disclosed in the public case studies below. We acknowledge and credit the incredible organizations and researchers who released these materials, which allowed us to present this aggregate view:
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
https://unit42.paloaltonetworks.com/muddled-libra/
https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
https://www.healthcareitnews.com/news/hc3-alerts-providers-scattered-spider-threat
https://cyberscoop.com/potent-youth-cybercrime-ring-made-up-of-1000-people-fbi-official-says/
https://sec.okta.com/scatterswine
https://www.group-ib.com/blog/0ktapus/
https://www.cnn.com/2023/10/05/business/mgm-100-million-hit-data-breach/index.html
https://blog.sekoia.io/scattered-spider-laying-new-eggs/
https://thehackernews.com/2024/07/17-year-old-linked-to-scattered-spider.html
Have you been a victim of a Scattered Spider attack and want to confidentially share further insights? Do you have feedback or corrections? Contact us at: [email protected]