Scattered Spider threat actors primarily steal data for extortion using a variety of social engineering approaches, and they have recently used BlackCat/ALPHV ransomware in addition to their usual TTPs.

CISA and FBI issue joint notice

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) on Scattered Spider, a cybercriminal gang that targets commercial facilities and subsectors. The advice contains tactics, methods, and procedures (TTPs) gathered from FBI investigations as recent as November 2023.

The FBI and CISA encourage network defenders and critical infrastructure companies to study the joint CSA for proposed mitigations to decrease the possibility and severity of a cyberattack by Scattered Spider actors. 

Last year, the hacking collective called Scattered Spider made international headlines for its destructive cyberattacks on gambling behemoths MGM Resorts and Caesars Entertainment. Analysts identified the hackers in 2022, who employ social engineering to trick people into disclosing their login credentials or one-time password codes to defeat multifactor authentication.

Once inside, the group — Star Fraud, UNC3944, and Octo Tempest — builds persistence in networks, living off the territory as some state-sponsored hackers do, before deploying ransomware, stealing data, and demanding ransoms from victims.

The Scattered Spider Phenomenon

1. Data Theft and Extortion

Scattered Spider’s modus operandi revolves around data theft. They infiltrate systems, exfiltrate sensitive information, and then hold it hostage for ransom. Their victims include high-profile organizations, and the stakes are high. The group’s ability to extract valuable data without detection is a testament to their skill.

2. BlackCat/ALPHV Ransomware

Scattered Spider doesn’t rely solely on traditional hacking methods. They’ve embraced ransomware, specifically the BlackCat/ALPHV variant. This malicious software encrypts victims’ files, rendering them inaccessible until a ransom is paid. The group’s proficiency in deploying ransomware underscores their adaptability.

The Social Engineering Twist

1. Human Manipulation

What sets Scattered Spider apart is their mastery of social engineering. They exploit human psychology to gain access to systems. Whether through phishing emails, impersonation, or psychological manipulation, they find the weakest link—the human element—and exploit it. Their ability to deceive and manipulate individuals is their secret weapon.

2. The Insider Threat

Scattered Spider often targets employees within organizations. An unsuspecting employee may unwittingly click a malicious link or share sensitive credentials. The group’s understanding of human behavior allows them to bypass technical defenses. Cybersecurity professionals must recognize this insider threat and educate employees accordingly.

The FBI’s Battle

1. Resource Allocation

The Federal Bureau of Investigation (FBI) is actively pursuing Scattered Spider. Their dedicated cybercrime units are tracking down group members. However, the group remains elusive, operating across borders and leaving minimal traces. The FBI’s challenge lies in balancing resources to combat this agile adversary.

2. Collaboration and Information Sharing

The FBI collaborates with international agencies, sharing intelligence and pooling resources. Scattered Spider’s attacks span continents, and global cooperation is essential. By working together, law enforcement agencies can build a comprehensive profile of the group and disrupt their operations.

Scattered Spider is a formidable adversary in the cybercrime landscape, and law enforcement agencies are actively working to counter their activities. For more information, check this advisory.