
Scattered Spider, a name that has dominated cybersecurity headlines since 2023, is more than a traditional threat actor group. Recent reports from CISA [1] and Silent Push [2] describe a decentralized collective operating under multiple aliases (UNC3944, Octo Tempest) with ties to groups such as Lapsus$ and ShinyHunters. Its focus on identity-based attacks, particularly against cloud services and critical infrastructure, demands a reevaluation of conventional defense strategies.
The Fluid Nature of Scattered Spider
Unlike hierarchical cybercrime syndicates, Scattered Spider operates as a loosely affiliated collective with members across the US, UK, Canada, and Australia. Its tactics center on social engineering: vishing (voice phishing) and adversary-in-the-middle (AiTM) phishing accounted for 78% of its initial access attempts in 2024 [2]. Attacks frequently target IT help desks, where operators impersonate employees to have multi-factor authentication (MFA) factors reset or re-enrolled on a device they control. The 2024 Snowflake customer breaches, affecting 165 organizations, showed how stolen credentials on accounts without MFA can be exploited at scale [1].
Technical Tradecraft and Evolution
Scattered Spider's post-compromise activity favors legitimate tools and native utilities over custom malware. Remote management tools such as ScreenConnect and TeamViewer are abused for persistence, while built-in OS utilities (PowerShell, WMI) drive lateral movement. Recent campaigns have also incorporated:
- BYOVD (bring your own vulnerable driver) attacks: loading a signed but vulnerable driver (CVE-2024-XXXX) to disable endpoint detection from kernel mode
- Cloud log tampering: selectively deleting or stopping AWS CloudTrail logging to hide activity
- Ransomware partnerships: collaboration with ALPHV/BlackCat affiliates for double extortion (exfiltration followed by encryption)
In 2025 the group shifted its infrastructure, adopting Cloudflare-hosted phishing kits and dynamic DNS domains (e.g., klv1.it[.]com) to outlast takedowns [2].
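The BYOVD item above depends on a driver file being loaded from disk, which Sysmon records as a DriverLoad event (Event ID 6) carrying the image path, file hashes and code-signing details. The following is an added example, not code from the original article or any vendor, that triages such records against a local blocklist; the event XML, hashes, paths and signer names are constructed placeholders, not indicators from a real campaign.

```python
"""Triage Sysmon driver-load events (Event ID 6) for BYOVD indicators.

Added example for this article; not code from the original page or any vendor.
The event XML below is constructed, and the hashes, paths and signer names are
placeholders rather than indicators from a real campaign.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed blocklist. Assumption: in production this is fed from a maintained
# vulnerable-driver list keyed on the SHA256 Sysmon records in the Hashes field.
KNOWN_VULNERABLE_SHA256 = {"0" * 64}
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
SUSPICIOUS_PATH_PARTS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\downloads\\")


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Windows event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_hashes(field):
    """'SHA256=AB..,MD5=CD..' -> {'SHA256': 'AB..', 'MD5': 'CD..'}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def triage_driver_load(data):
    """Score one DriverLoad record. Returns (severity, reasons)."""
    reasons, severity = [], "none"
    image = data.get("ImageLoaded", "")
    sha256 = parse_hashes(data.get("Hashes", "")).get("SHA256", "")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("SHA256 matches vulnerable-driver blocklist")
        severity = "high"
    if data.get("Signed", "").lower() != "true" or data.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
        severity = "high"
    if any(part in image.lower() for part in SUSPICIOUS_PATH_PARTS):
        reasons.append(f"loaded from user-writable path: {image}")
        severity = "high" if severity == "high" else "medium"
    if not reasons and data.get("Signature") not in TRUSTED_SIGNERS:
        # Validly signed third-party driver from a vendor not yet allowlisted:
        # record it for review, but do not page on it.
        reasons.append(f"third-party signer: {data.get('Signature')}")
        severity = "info"
    return severity, reasons


def triage_events(xml_events):
    """Run triage over a batch of records, skipping anything that is not Event ID 6."""
    results = []
    for xml_text in xml_events:
        event_id, data = parse_event(xml_text)
        if event_id != 6:
            continue
        severity, reasons = triage_driver_load(data)
        results.append((data.get("ImageLoaded"), severity, reasons))
    return results


def sysmon_event(event_id, **fields):
    """Build a minimal record in the Windows event XML shape (constructed test data)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample records; every hash here is a placeholder value.
SAMPLE_EVENTS = [
    sysmon_event(6, ImageLoaded=r"C:\Windows\System32\drivers\tcpip.sys",
                 Hashes="SHA256=" + "A" * 64, Signed="true",
                 Signature="Microsoft Windows", SignatureStatus="Valid"),
    sysmon_event(6, ImageLoaded=r"C:\Users\Public\Temp\drv.sys",
                 Hashes="SHA256=" + "0" * 64, Signed="true",
                 Signature="Example Vendor Ltd", SignatureStatus="Valid"),
    sysmon_event(1, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami"),
    sysmon_event(6, ImageLoaded=r"C:\Windows\System32\drivers\gfx.sys",
                 Hashes="SHA256=" + "B" * 64, Signed="true",
                 Signature="Contoso Graphics GmbH", SignatureStatus="Valid"),
]


if __name__ == "__main__":
    for image, severity, reasons in triage_events(SAMPLE_EVENTS):
        print(severity, image, "; ".join(reasons) or "benign")
```

The second sample is the BYOVD shape worth paging on: a validly signed driver, so signature checks alone pass, but its hash is on the blocklist and it was loaded from a user-writable directory. The blocklist is the control that matters, because the whole point of BYOVD is that the driver carries a legitimate signature.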
High-Profile Campaigns and Impact
| Target | Impact | TTPs |
|---|---|---|
| Marks & Spencer (2025) | $100M+ losses, systems shutdown | DragonForce ransomware, Active Directory compromise |
| Co-op (2025) | Customer and staff data leaked | Help desk scam, data extortion |
| Snowflake customers (2024) | 165 organizations compromised | Stolen credentials on accounts without MFA |
The Marks & Spencer attack exemplifies the group's ransomware playbook: data is exfiltrated to MEGA.NZ before encryption, and payment is then demanded under threat of public release [3].
Defensive Recommendations
Mitigating Scattered Spider's techniques requires layered defenses:
- Identity security: deploy FIDO2/WebAuthn for phishing-resistant MFA, and require out-of-band or in-person verification with a second approver before resetting or re-enrolling factors on privileged accounts
- Endpoint controls: block execution of unapproved RMM tools with AppLocker or WDAC, and alert on unexpected kernel driver loads (BYOVD indicators), for example from Sysmon Event ID 6
- Cloud monitoring: protect CloudTrail and Azure activity logs from modification (organization trails delivered to a separate log-archive account, S3 Object Lock, log file validation) and alert on StopLogging, DeleteTrail and UpdateTrail events
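Detecting the cloud log tampering described in the tradecraft section, and the log-deletion alerting the Cloud Monitoring item above calls for, comes down to watching a handful of CloudTrail management calls and the S3 calls that could erase the trail's storage. Here is an added example, not from the original article, CISA or any vendor, that applies that logic to constructed CloudTrail records; the account IDs, ARNs, IP addresses, trail and bucket names are placeholders.

```python
"""Detect CloudTrail API calls that stop, delete or narrow audit logging.

Added example for this article; not code from the original page, CISA, or any
vendor. The events below are constructed: account IDs, ARNs, trail and bucket
names are placeholders.
"""
import json

# CloudTrail management calls that degrade logging coverage. Assumption: this
# is a starting set, not a complete catalogue of AWS logging controls.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# S3 calls that matter only when aimed at the bucket that stores the trail.
BUCKET_TAMPERING = {"DeleteBucket", "PutBucketLifecycleConfiguration",
                    "DeleteBucketPolicy", "PutBucketVersioning"}


def make_finding(event, reason):
    """Shape one alert. A denied call (errorCode present) is still a signal:
    it shows someone probing the logging controls."""
    identity = event.get("userIdentity") or {}
    return {
        "time": event.get("eventTime"),
        "action": event.get("eventName"),
        "actor": identity.get("arn", "unknown"),
        "source_ip": event.get("sourceIPAddress"),
        "denied": "errorCode" in event,
        "reason": reason,
    }


def detect_log_tampering(events, trail_buckets):
    """Return a finding for every event that weakens CloudTrail or its storage."""
    findings = []
    for ev in events:
        source, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(make_finding(ev, f"{name} on trail {params.get('name')}"))
        elif (source == "s3.amazonaws.com" and name in BUCKET_TAMPERING
              and params.get("bucketName") in trail_buckets):
            findings.append(make_finding(ev, f"{name} on trail bucket {params['bucketName']}"))
    return findings


# Constructed sample records in CloudTrail's JSON shape (not a real capture).
SAMPLE_EVENTS = [
    {   # logging stopped from a help-desk role at an unfamiliar address
        "eventTime": "2025-04-14T09:12:03Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "203.0.113.45",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/HelpdeskAdmin/j.doe"},
        "requestParameters": {"name": "org-trail"},
    },
    {   # read-only call: must not fire
        "eventTime": "2025-04-14T09:12:40Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.45",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/HelpdeskAdmin/j.doe"},
        "requestParameters": None,
    },
    {   # lifecycle rule that would expire the trail objects early
        "eventTime": "2025-04-14T09:15:11Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketLifecycleConfiguration", "sourceIPAddress": "203.0.113.45",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/svc-backup"},
        "requestParameters": {"bucketName": "org-trail-logs"},
    },
    {   # same S3 call against an unrelated bucket: must not fire
        "eventTime": "2025-04-14T09:16:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketLifecycleConfiguration", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/web-deploy"},
        "requestParameters": {"bucketName": "marketing-assets"},
    },
    {   # DeleteTrail blocked by an SCP, still worth paging on
        "eventTime": "2025-04-14T09:18:27Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.45",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/HelpdeskAdmin/j.doe"},
        "requestParameters": {"name": "org-trail"},
    },
]


def run_sample():
    """Apply the detector to the constructed events; the trail bucket name is assumed."""
    return detect_log_tampering(SAMPLE_EVENTS, trail_buckets={"org-trail-logs"})


if __name__ == "__main__":
    for f in run_sample():
        print(json.dumps(f))
```

CloudTrail records the StopLogging or DeleteTrail call itself before the trail goes quiet, so this detection only helps if that last record lands somewhere the same actor cannot also delete: an organization trail delivered to a separate log-archive account, a CloudWatch Logs group with a restrictive policy, or a bucket with Object Lock enabled. The denied DeleteTrail in the sample is kept on purpose; a preventive SCP stopping the call is good, but the attempt is the earliest sign that an identity has been taken over.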
Push Security's webinar [4] recommends integrating IOFA™ threat feeds to track emerging infrastructure, such as the domain twitter-okta[.]com used in recent AiTM campaigns.
Legal and Operational Developments
Law enforcement has made progress against the group, with seven arrests in 2024 including alleged leader Tyler Buchanan [3]. However, its decentralized structure suggests operations will continue under new aliases. The UK National Cyber Security Centre (NCSC) advises organizations to:
“Treat all help desk verification requests as potential compromises until multi-party approval is completed.”
This aligns with CISA's guidance in AA23-320A [1], which emphasizes adding friction to identity verification processes.
As cloud environments remain a primary target, organizations must balance usability and security, particularly in identity and access management systems. The group's rapid adoption of new tooling, such as the Spectre RAT variants analyzed by Silent Push [2], makes continuous threat intelligence updates essential.
References
- [1] "CISA Advisory AA23-320A," Cybersecurity and Infrastructure Security Agency, 2023.
- [2] "Scattered Spider 2025 Tactics," Silent Push, Apr. 2025.
- [3] "NCA Investigation into Scattered Spider," BBC News, May 2025.
- [4] "Identity-Based Threat Mitigation," Push Security Webinar, 2025.