Updated Advisory: Mitigating Scattered Spider❗️

International law enforcement and cyber agencies have issued an urgent Joint Cybersecurity Advisory in response to recent activity by the cybercriminal group known as Scattered Spider.

These threat actors have been actively targeting the commercial facilities sector, its subsectors, and other critical industries. The advisory includes tactics, techniques, and procedures (TTPs) identified through FBI investigations as recent as June 2025.

Scattered Spider, also known as Starfraud, UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, is still using social engineering techniques such as phishing, push bombing (MFA fatigue) and SIM swap attacks to target critical infrastructure organizations and commercial facilities.

Network defenders should implement the mitigations outlined in the advisory to improve their organizations' cybersecurity posture.

These include the following:

  • Audit remote access tools on your network to identify which software is currently in use and which is actually authorized.
  • Review logs for execution of remote access software to detect abnormal use, in particular tools running as a portable executable from a user profile, Temp or Downloads directory rather than a managed install location.
  • Use security software to detect instances of remote access software being loaded only in memory, which leaves no on-disk executable for log review to find.
  • Require remote access tools to be used only from within your network, over an approved channel such as a virtual private network (VPN) or virtual desktop interface (VDI).
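The first two mitigations above translate directly into a log review. The following is an added example, not code from the advisory or from the article's author: an audit pass over process-creation records that flags remote access (RMM) tools that are either not on the organization's authorized list or are running from an unmanaged location (user profile, Temp, Downloads), i.e. as a portable executable. The sample records, hostnames, users, paths and the authorized-tool table are constructed assumptions; the field names mirror Sysmon Event ID 1 / Windows 4688 (Image, ParentImage, User).

```python
"""
Added example (not from the advisory): flag RMM tools that are unauthorized
or that run as a portable executable from an unmanaged directory.
All sample data below is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Executable names of commonly abused remote access tools (lowercase).
# Illustrative only: seed this from your own asset inventory.
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe", "atera.exe",
    "splashtop.exe", "logmein.exe", "ngrok.exe", "tailscale.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
}

# Authorized tool -> directories it is expected to run from (assumed).
# Any RMM binary not in this table is unauthorized; an authorized one
# running elsewhere is treated as a portable / unmanaged copy.
AUTHORIZED_INSTALLS: Dict[str, List[str]] = {
    "screenconnect.clientservice.exe": [r"C:\Program Files (x86)\ScreenConnect Client"],
}


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str         # full path of the executable that started
    parent_image: str  # full path of the parent process


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding for an RMM execution that needs review, else None."""
    path = PureWindowsPath(ev.image)
    name = path.name.lower()
    if name not in RMM_BINARIES:
        return None
    allowed = AUTHORIZED_INSTALLS.get(name)
    if allowed is None:
        return f"UNAUTHORIZED_RMM host={ev.host} user={ev.user} image={ev.image}"
    parent_dir = str(path.parent).lower()
    if not any(parent_dir.startswith(d.lower()) for d in allowed):
        return f"PORTABLE_RMM host={ev.host} user={ev.user} image={ev.image}"
    return None


def audit(events: List[ProcessEvent]) -> List[str]:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("WS-0142", r"CORP\jdoe",
                 r"C:\Users\jdoe\Downloads\AnyDesk.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("WS-0142", r"CORP\jdoe",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS-0199", r"CORP\svc-helpdesk",
                 r"C:\Users\svc-helpdesk\AppData\Local\Temp\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-0200", r"CORP\asmith",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this yields two findings: the AnyDesk copy in a Downloads folder (unauthorized tool) and the ScreenConnect client in a Temp directory (authorized tool, unmanaged copy). The managed ScreenConnect install and the Office process produce nothing. The third mitigation, remote access software loaded only in memory, never produces an Image path to match, which is why the advisory points to security software rather than log review for that case.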

Advisory Updates

Note: This advisory was originally published on November 16, 2023, and has undergone multiple updates:

  • Nov. 16, 2023: Initial publication
  • Nov. 21, 2023: Revised password guidance on page 12
  • July 29, 2025: Updated with new TTPs identified by U.S. and international federal agencies. These updates include more advanced social engineering methods and additional malware and ransomware variants used by Scattered Spider to steal data and encrypt systems.

Scattered Spider is known for targeting large organizations and their third-party IT help desks.

Update – July 29, 2025: According to reliable third-party sources, Scattered Spider primarily conducts data theft for extortion purposes and has recently been observed deploying DragonForce ransomware alongside its standard methods. Although some TTPs have remained unchanged, the group frequently evolves its techniques to avoid detection.

Authoring Agencies

The authoring agencies are: the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate's Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and the United Kingdom's National Cyber Security Centre (NCSC-UK).


Call To Immediate Action❗️

The authoring organizations strongly urge commercial facilities and critical infrastructure entities to review and apply the guidance in the Mitigations section of this advisory to minimize the risk and potential impact of Scattered Spider activities.

Download the original November 2023 version of this report HERE

Download the updated July 2025 version HERE


A Closer Look At Scattered Spider

Scattered Spider, also known as UNC3944, is a cybercriminal group primarily composed of teenagers and young adults, believed to reside in the United States and the United Kingdom.

The group rose to prominence following high-profile cyberattacks and extortion attempts targeting major casino operators Caesars Entertainment and MGM Resorts International. Beyond these, they have also reportedly targeted companies such as Visa, PNC Financial, Transamerica, New York Life, Synchrony Financial, Truist Bank, Twilio, and, more recently, Snowflake customers.

Scattered Spider typically relies on sophisticated social engineering and deception to gain initial access to an organization. Common entry points are SMS-based phishing (smishing) and voice phishing (vishing), often backed by look-alike login domains. The group is also known to contact external-facing help desks while impersonating legitimate users, in order to have passwords reset or multi-factor authentication (MFA) bypassed, thereby gaining unauthorized account access.
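The phishing side of that initial access is easiest to spot before the lure is sent, by watching for domains registered in your brand's name. The following is an added example, not code from the article or from any vendor: a triage function for candidate phishing domains of the kind the group uses, where a target's brand is paired with a login-related word (okta, sso, help, corp, internal) or the brand itself is typosquatted. The brand "examplecorp", the owned-domain set, the keyword list and the sample domains are constructed assumptions; in practice the input would be a newly-registered-domain feed or certificate-transparency hits for your own brand.

```python
"""
Added example (not from the article): flag look-alike phishing domains
that combine a target brand with login-related words or typosquat it.
The brand, owned domains and sample input are constructed assumptions.
"""
import re
from typing import FrozenSet, List, Tuple

# Words the lures tend to pair with the brand (assumed list; extend freely).
LURE_KEYWORDS = frozenset({
    "okta", "sso", "help", "helpdesk", "servicedesk", "corp",
    "internal", "vpn", "login", "mfa", "portal",
})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'exampel' vs 'example' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def tokens(domain: str) -> List[str]:
    """Split a hostname on dots, hyphens and underscores."""
    return [t for t in re.split(r"[.\-_]", domain.lower()) if t]


def is_lookalike(domain: str, brand: str = "examplecorp",
                 owned: FrozenSet[str] = frozenset({"examplecorp.com"})) -> Tuple[bool, List[str]]:
    """Return (flagged, reasons). Flagged when the brand is typosquatted, or
    when the brand appears together with a lure keyword. Domains under an
    owned zone are never flagged."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in owned):
        return False, ["owned"]
    toks = tokens(d)
    reasons: List[str] = []
    lures: List[str] = []
    if brand in toks:
        reasons.append("brand-exact")
    elif any(len(t) >= 5 and osa_distance(t, brand) == 1 for t in toks):
        reasons.append("brand-typosquat")
    for t in toks:
        if t in LURE_KEYWORDS:
            lures.append(t)
        elif brand in t and t != brand:          # e.g. "examplecorphelp"
            rest = t.replace(brand, "", 1)
            if rest in LURE_KEYWORDS:
                reasons.append("brand-embedded")
                lures.append(rest)
    if lures:
        reasons.append("lure:" + ",".join(lures))
    brand_related = any(r.startswith("brand") for r in reasons)
    flagged = "brand-typosquat" in reasons or (brand_related and bool(lures))
    return flagged, reasons


def triage(domains: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only flagged domains, with the reasons, for analyst review."""
    out = []
    for d in domains:
        flagged, reasons = is_lookalike(d)
        if flagged:
            out.append((d, reasons))
    return out


# Constructed candidate domains, as a newly-registered-domain feed might yield.
SAMPLE_DOMAINS = [
    "examplecorp.com", "sso.examplecorp.com", "examplecorp-sso.com",
    "okta-examplecorp.net", "exampelcorp.com", "examplecorphelp.com",
    "unrelated-sso.com",
]

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_DOMAINS):
        print(domain, reasons)
```

A lure keyword on its own ("unrelated-sso.com") is deliberately not enough: that rule would drown an analyst in generic registrations. The brand must be present, exactly, embedded, or one edit away, before a domain is queued for takedown or blocking.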

Their operations often escalate to large-scale data theft and ransomware deployment. This leads to double extortion scenarios, where victims are coerced into paying both to recover their encrypted data and to prevent the public release of stolen information.

Known tactics include:

  • Help desk impersonation: Uses social engineering to convince help desks to reset passwords and MFA material for targeted administrators or other privileged accounts
  • SIM swapping: Takes over a victim's phone number to intercept SMS-based one-time codes and gain initial access to identities
  • Double extortion to monetize their breaches, both encrypting and threatening to release data
  • Active Directory Compromise: Known to extract NTDS.dit from Domain Controllers – the primary credential-holding database for Active Directory
  • Credential phishing: Uses look-alike domains to trick victims into submitting credentials; these domains often contain terms such as okta, sso, help, corp or internal
  • Lateral movement: Known to abuse RDP, SSH, PsExec and Scheduled Tasks to move across systems within a network
  • Persistence via RMM tools: Abuses remote monitoring and management platforms like AnyDesk to maintain access
  • Credential dumping: Uses tools such as Mimikatz and Impacket's secretsdump.py, and the DCSync technique, in which a compromised account with replication rights asks a domain controller for password hashes as a peer DC would
  • Ransomware deployment: Has been observed using the DragonForce Ransomware-as-a-Service (RaaS) variant to execute attacks
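The Active Directory and credential-dumping tactics above share one detection opportunity: a DCSync request is a directory replication request, and domain controllers audit it. The following is an added example, not code from the advisory or the article: a detector over Windows Security Event ID 4662 records that alerts when the replication control-access rights are exercised by anything other than a domain controller's computer account or a known directory-sync account. The events, DC names and the allowlisted sync account are constructed assumptions; directory service access auditing must be enabled on the DCs for 4662 to be logged at all.

```python
"""
Added example (not from the advisory): detect DCSync-style replication
requests in Event ID 4662 records. Mimikatz lsadump::dcsync and Impacket's
secretsdump.py obtain hashes by requesting replication, which is audited
as a Control Access (0x100) operation carrying the GUIDs below.
Sample events and account names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Control-access rights involved in replication (AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Get-Changes alone is held by many principals and is noisy; pulling
# secrets needs one of these two, so only they trigger an alert.
SECRET_RIGHTS = {"DS-Replication-Get-Changes-All",
                 "DS-Replication-Get-Changes-In-Filtered-Set"}

DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}            # assumed DC computer accounts
ALLOWLISTED_SYNC_ACCOUNTS = {"MSOL_1f2e3d4c5b6a"}  # assumed Entra Connect account


@dataclass
class Event4662:
    time: str
    computer: str        # DC that logged the event
    subject_domain: str  # SubjectDomainName
    subject_user: str    # SubjectUserName
    access_mask: str     # AccessMask; 0x100 = Control Access
    properties: str      # Properties; lists the access-right GUIDs


def replication_rights(ev: Event4662) -> List[str]:
    """Names of the replication rights present in the Properties field."""
    props = ev.properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def classify(ev: Event4662) -> Optional[str]:
    """Return an alert string for a suspect replication request, else None."""
    rights = replication_rights(ev)
    if not rights or not SECRET_RIGHTS.intersection(rights):
        return None
    if ev.access_mask.lower() != "0x100":
        return None
    if ev.subject_user in DOMAIN_CONTROLLERS or ev.subject_user in ALLOWLISTED_SYNC_ACCOUNTS:
        return None
    return (f"DCSYNC_SUSPECT time={ev.time} dc={ev.computer} "
            f"subject={ev.subject_domain}\\{ev.subject_user} rights={','.join(rights)}")


def scan(events: List[Event4662]) -> List[str]:
    """Run classify() over a batch and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a]


def _props(*guids: str) -> str:
    """Render a Properties field the way the event text lists the GUIDs."""
    return "Control Access\n" + "\n".join("{" + g + "}" for g in guids)


GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
OTHER_RIGHT = "00000000-0000-0000-0000-000000000000"  # placeholder, non-replication

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal: a peer DC replicating.
    Event4662("2025-07-29T02:14:05Z", "DC01", "CORP", "DC02$", "0x100",
              _props(GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED)),
    # Normal: allowlisted directory-sync account.
    Event4662("2025-07-29T02:15:11Z", "DC01", "CORP", "MSOL_1f2e3d4c5b6a", "0x100",
              _props(GET_CHANGES, GET_CHANGES_ALL)),
    # Suspect: a user account asking for Get-Changes-All.
    Event4662("2025-07-29T02:41:37Z", "DC01", "CORP", "jdoe", "0x100",
              _props(GET_CHANGES, GET_CHANGES_ALL)),
    # Noise: Get-Changes only, cannot yield secrets.
    Event4662("2025-07-29T02:42:00Z", "DC01", "CORP", "asmith", "0x100",
              _props(GET_CHANGES)),
    # Unrelated control-access operation.
    Event4662("2025-07-29T02:43:19Z", "DC01", "CORP", "jdoe", "0x100",
              _props(OTHER_RIGHT)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the CORP\jdoe request carrying Get-Changes-All produces an alert. Keep the DC and sync-account allowlists tight and sourced from the directory itself; an attacker who has already added replication rights to a user account is exactly the case this is meant to catch, so the allowlist must not be derived from who currently holds the rights.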

Alternate Names and Affiliations

While most commonly referred to as Scattered Spider in media and press releases, the group has also been labeled Starfraud, Octo Tempest, Scatter Swine, and Muddled Libra. They are considered part of a broader cybercriminal ecosystem known as "the Community" or "the Com", which includes individuals responsible for breaches of major U.S. tech firms.

Origins and Early Tactics

Formed around May 2022, Scattered Spider initially focused on attacks against telecommunications companies. Their methods included SIM swapping, MFA fatigue attacks, and phishing via SMS and Telegram. To disable security software and evade detection they used a bring-your-own-vulnerable-driver (BYOVD) technique, loading a legitimately signed Intel Ethernet diagnostics driver affected by CVE-2015-2291 to run code with kernel privileges. The group is known for its technical sophistication, particularly in cloud platforms like Microsoft Azure, Google Workspace, and AWS, often leveraging legitimate remote-access tools.

Transition to Critical Infrastructure & Casinos

After its early telecommunications and infrastructure targeting, the group shifted focus to casinos in 2023.

MGM Resorts Hack

On September 11, 2023, Scattered Spider infiltrated MGM Resorts by impersonating an employee during a call to the company's help desk, using details gathered from LinkedIn to make the impersonation convincing. The next day, MGM reported the breach in a Form 8-K filing with the SEC. The attack disabled hotel systems, including ATMs, room keys, food and beverage credits, and parking charges. For the ransomware stage, Scattered Spider partnered with ALPHV (BlackCat), a ransomware-as-a-service (RaaS) provider.

In July 2024, a 17-year-old from the UK was arrested in connection to the hack. He was released on bail pending trial.

Caesars Entertainment Hack

Scattered Spider reportedly extorted Caesars Entertainment by demanding a $30 million ransom, of which the company paid $15 million. The breach compromised personal data including driver's license and potentially Social Security numbers. Caesars admitted it could not guarantee the deletion of the stolen data.

There is some dispute over whether Scattered Spider was solely responsible for the Caesars attack, with conflicting reports suggesting involvement from another group.

Aftermath and Lawsuits

Both companies experienced stock drops following the attacks. MGM's CEO admitted the company was “completely in the dark” during the incident. The FTC and FBI launched investigations, and Moody's warned of potential credit rating downgrades due to MGM’s operational disruption.

Class-action lawsuits were filed against both MGM and Caesars, alleging negligence in securing customer data. In January 2025, MGM settled for $45 million.

Snowflake Data Breaches

Scattered Spider members were later tied to breaches involving Snowflake customers, where they stole large volumes of data and demanded ransoms. Victims included AT&T, Ticketmaster, Advance Auto Parts, LendingTree, and Neiman Marcus, among nearly 100 organizations.

Mitigate The Threat: Defensive Security Recommendations

To safeguard against threats such as Scattered Spider, implement the following security measures:

  • Strengthen Help Desk Procedures: Enforce strict identity verification to reduce the risk of social engineering attacks.
  • Use Phishing-Resistant MFA: Prefer FIDO2/WebAuthn security keys or passkeys for all remote and privileged access. Where push-based MFA must remain, enable number matching to blunt push bombing, but treat it as a stopgap: number matching is not phishing-resistant, and SMS codes are defeated outright by SIM swapping.
  • Ensure Complete Endpoint Coverage: Deploy and maintain fully configured Endpoint Detection and Response (EDR) tools with real-time alert monitoring across all devices.
  • Filter Web Traffic: Utilize web proxies to block access to suspicious or malicious websites.
  • Monitor Critical Data Stores: Leverage cyber security solutions to identify unusual data access patterns that may signal a breach in progress.
  • Run Red-Team Exercises: Regularly simulate attacks, especially those targeting Active Directory, to identify and address vulnerabilities.
  • Restrict Server Internet Access: Enforce default-deny firewall rules and only allow essential domains and IP addresses.
  • Keep Systems Updated: Regularly patch and update all operating systems and applications to close security gaps.
  • Maintain Secure Backups: Store backups offline and test them frequently to ensure reliable recovery during an incident.



sudershan gaur

Administrative Assistant at Cisco

1w

Dark matter Quantum ai digital infrastructure cybersecurity

Lisa Wilson, PMP

IT Infrastructure Manager | Info Sec & Cloud Security | Cybersecurity | Program/Project Management

2w

Critical component to improving an organization’s security posture is timely awareness—training of employees. Scattered Spider are notoriously known for social engineering; therefore, employees must be informed of this group’s current—prior attack tactics.

Timely and relevant update—thanks for sharing this advisory. The evolving tactics of groups like Scattered Spider highlight the critical need for continuous awareness and proactive defence strategies. It's also a reminder of how vital it is to invest in cyber resilience through ongoing #training and #upskill initiatives, especially for teams managing complex digital environments. Looking forward to more insights that support stronger #leadership in navigating today’s #techinnovation landscape.

Richard Q.

Inventor, Author, Speaker, Privacy & Security Advocate

2w

Unfortunately, the one mitigation they missed was filtering voice traffic. These are socially engineered voice phishing calls for the most part. Why wouldn’t you want to mitigate the risk by filtering out calls from Spoofed numbers, recently ported numbers, and calls that have red flags in the metadata, indicating the caller is impersonating someone else? Shouldn’t a defense in depth be used? Firewalls and spam filters are used routinely for email. Why wouldn’t you use the same techniques for voice traffic?

Justin Craigon

Security Manager @ BT Group | Governance, Risk and Compliance (GRC) | Cyber Threat Intelligence (CTI) CISM, CRISC, CCSP NIST CSF, CIS, NIS, DORA, ISO27001, MITRE ATT&CK

2w

Scattered Spider are skilled social engineers. To help protect against them: focus on reinforcing awareness in your helpdesk, fatigue-resistant MFA (no SMS/email if possible), and separation of duties for privileged account resets. These will pay dividends.
