Threat Actor Spotlight: SCATTERED SPIDER
March 19, 2024
DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.
Introduction
In the digital age there are many groups of threat actors that operate in the cyber realm targeting different industries, countries and have different motivations. It is important to monitor these groups in order to identify who they are likely to target, what methods they are using and how they are operating. In this blog, we explore one such group known as SCATTERED SPIDER (SS) by security researchers.
Who is SCATTERED SPIDER?
SCATTERED SPIDER are assessed by cyber security researchers to be a cybercriminal group who have been known to target large companies and their supply chain. Reporting indicates that they have largely engaged in data theft, which they have then used for extortion purposes and have also been known to use ransomware which is associated with BlackCat/ALPHV. Although, cyber security researchers assess this activity to be attributed to several groups. All of these groups are part of a larger group known as the Com. In addition to conducting cyber attacks, SCATTERED SPIDER are also reported to be involved in violent activity, Doxing and Swatting.
Although the group appear to have been active since 2022, it is unclear who the individuals behind the activities are, how many individuals are involved, or how they select their victims. However, their motivations do appear to be for financial gain. There have been some indications that some of the individuals in the group may be based in the USA or the UK, but this has not yet been confirmed. The group have recently become the focus of US law enforcement investigations due to their high-profile activities.
Tactics, Techniques and Procedures (TTPs)
By analyzing TTPs, cybersecurity professionals can attribute attacks to specific threat actors or groups. Understanding the tactics used by these adversaries can provide insights into their motivations, capabilities, and potential targets. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defense.
According to a threat alert from CISA, the group are known to use social engineering techniques including phishing, push bombing, and SIM swap attacks, which they use to obtain credentials, install remote access tools (RAT) and bypass multi-factor authentication (MFA).
Social engineering is a very effective way for threat actors to conduct attacks – they use information that is available through social media and other open sources in order to create attacks that look legitimate. They can also be used outside of the cyber realm to convince individuals to take an action. SCATTERED SPIDER have successfully posed as IT/helpdesk staff to convince employees to share credentials with them or to run RATs to enable initial access and share one-time passwords (OTP) to bypass MFA.
CISA reports that broad phishing attacks have been observed using domains associated with the target. They will then use SIM swapping against those individuals who respond to the phishing attack. Then, they will utilize this to conduct an account takeover.
SCATTERED SPIDER are also known to conduct Living off the Land (LotL) attacks. LotL attacks refer to a strategy employed by cyber attackers to carry out malicious activities using legitimate tools and resources already present on a compromised system, rather than relying on traditional malware. This approach makes LotL attacks harder to detect by security tools since they leverage trusted processes and utilities, blending in with normal system behavior. Researchers report that the group have adopted tools such as PowerShell to conduct reconnaissance as well as exploiting identity providers and modifying security systems to conduct their malicious activities.
According to CISA and FBI investigations the following legitimate tools have been used by the group to conduct malicious activities and the malware types.
| Tool | Intended Use |
| Fleetdeck.io | Enables remote monitoring and management of systems. |
| Level.io | Enables remote monitoring and management of systems. |
| Mimikatz | Extracts credentials from a system. |
| Ngrok | Enables remote access to a local web server by tunneling over the internet. |
| Pulseway | Enables remote monitoring and management of systems. |
| Screenconnect | Enables remote connections to network devices for management. |
| Splashtop | Enables remote connections to network devices for management. |
| Tactical.RMM | Enables remote monitoring and management of systems. |
| Tailscale | Provides virtual private networks (VPNs) to secure network communications. |
| Teamviewer | Enables remote connections to network devices for management. |
Table 1: Legitimate Tools Used by Scattered Spider; Source
| Malware | Intended Use |
| AveMaria (also known as WarZone) | Enables remote access to a victim’s systems. |
| Raccoon Stealer | Steals information including login credentials, browser history, cookies, and other data. |
| VIDAR Stealer | Steals information including login credentials, browser history, cookies, and other data. |
Table 2: Malware used by Scattered Spider
The group have also been reported to use extortion techniques, this is becoming a more and more popular method of attack for groups, particularly those associated with ransomware. The threat actor will steal data from the victim and then threaten to release the data if the victim does not pay a set amount of money. In the case of ransomware, the groups will often manage a “shame site” where they will publish a list of victims and sometimes provide them with a set amount of time that they have to pay the fee or the data will be released.
Researchers believe that SCATTERED SPIDER are an affiliate of the BlackCat/ALPHV ransomware group who are one of the most active groups and were subject to law enforcement action in late 2023. As an affiliate, SCATTERED SPIDER will have access to their ransomware binaries, support, negotiations, and leak site. It is worth noting that Russian ransomware-as-a-service operations do not usually allow affiliates from Western countries. The fact that they have in this case highlights the impact that this group are having and the success that they are having, meaning the ransomware group will be able to profit from their actions. It is worth noting that BlackCat/ALPHV appear to have recently conducted a exit scam. DarkOwl will continue to monitor to see if SS affiliates with another ransomware group in the wake of this.
Victims
SCATTERED SPIDER have targeted a number of different types of victims. According to MITRE, when they emerged in 2022 they targeted customer relationship management and business process outsourcing firms as well as telecommunications and technology companies. Recent activity has shown them targeting other sectors including critical infrastructure organizations.
In August 2022, the telecommunications company Twilio was a victim of SCATTERED SPIDER activities – their customer details were accessed as well as internal applications. This allowed SS to access a dashboard which gave them access to Okta authentication through SMS. It is likely that the group used this access to conduct other attacks.
In September 2023, MGM resorts in Las Vegas was the victim of a cyber attack that lead to computer shutdowns within the organization across the US. There were reports of empty casino floors and issues entering rooms and in the aftermath, MGM expected a $100 million hit to his 3rd quarter results. Soon after the attack, a post was made on the BlackCat/ALPHV leak site taking responsibility for the attack. However it was widely reported that it was actually an affiliate group that was responsible for the attacks – SCATTERED SPIDER.
Figure 1: BlackCat/ALPHV leak site statement on MGM
Cyber researchers from VX-Underground reported that SS were allegedly able to breach MGM by impersonating an employee in a phone call to the company’s helpdesk. It was also reported that they had successfully targeted Western Digital and Caesars Entertainment. In the latter case, it was reported that a $30 million ransom was paid to avoid customer data being shared. These high-profile attacks have lead the group to come under more scrutiny from law enforcement.
Online Communications
Actors assessed to be connected to this group are active on both Telegram and Discord where they interact with each other, boast about their activities, and share tools and techniques. There are many different channels and servers where these groups operate depending on who they are affiliated with and what activity they are seeking to discuss.
In an upcoming blog, we will review the activity on one of these Telegram channels and the main actors active on them. Subscribe to email to get that blog delivered straight to your inbox.
Conclusion
SCATTERED SPIDER have successfully targeted a number of high profile victims, drawing the attention of cyber security experts and law enforcement. They have secured a large sum of money from their victims and continue to adopt social engineering techniques to target their victims. The fact that they contact helpdesks highlights the need to ensure that those individuals working in these areas need to be trained on the threat. While companies often provide training around the risk of phishing emails, less attention has been paid to vishing, smishing and OTP techniques. It is imperative that this training is conducted widely.
It is also likely that the individuals perpetrating these crimes are young and Western based. While many assume that cyber criminals operate from Russia and Eastern Europe, this group shows that cybercrime in the Western world is also prevalent. However, this does leave them open to law enforcement action from the FBI or UK police. It is likely, given the attention they have recently received, that arrests will be forthcoming.
DarkOwl Sources
DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources to discern actionable and meaningful intelligence that can be utilized across multiple industry sectors including commercial applications, law enforcement, and national security initiatives.
Remembering the subtle differentiations between data, information, and intelligence, DarkOwl’s key sources of raw data are described here.
Don’t miss our continued research – subscribe to email.
