Cybersecurity agencies in the US, Australia, and Canada on Tuesday updated their joint advisory on Scattered Spider to share information on the latest TTPs associated with the financially motivated hacking group’s attacks.
Known to engage in data encryption and exfiltration, Scattered Spider, also known as Muddled Libra, Scatter Swine, Starfraud, and UNC3944, caused havoc recently by rapidly switching focus from UK retailers to US retailers, and then to the insurance industry and aviation.
Recent incidents attributed to the group have revealed the use of more sophisticated social engineering and the deployment of new malware families, such as the DragonForce ransomware, CISA, the FBI, and the Australian and Canadian government agencies noted in the updated joint advisory.
In line with a recent technical report from Google’s Threat Intelligence Group (GTIG), the updated advisory underlines the hackers’ targeting of help desk personnel to take over employee accounts, their use of RMM tools, and their targeting of VMware ESXi servers for encryption.
Scattered Spider, the government agencies say, was seen acquiring compromised credentials from hacking forums, targeting organizations’ Snowflake access to steal data, creating new user accounts backed by fake social media personas, exfiltrating data to MEGA[.]NZ and Amazon S3, and deploying RattyRAT, along with the DragonForce ransomware.
“Access to an organization’s Snowflake allows the group to run thousands of queries immediately and simultaneously, often deploying Dragonforce malware to encrypt target organizations’ servers. The potential for vast amounts of stolen data explains why they’ve been successful across multiple industries, from insurance to transportation to retail,” Swimlane’s Nick Tausek said in an emailed comment.
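The "thousands of queries immediately and simultaneously" pattern described above is something a defender can look for in Snowflake's query history. The following is an added detection example, not code from the advisory, SecurityWeek or Swimlane: it groups constructed rows shaped like the USER_NAME, START_TIME, QUERY_TYPE and ROWS_PRODUCED columns of Snowflake's ACCOUNT_USAGE.QUERY_HISTORY view, slides a time window over each user's queries, and flags any user whose query count or total rows produced within one window exceeds a threshold. The user names, timestamps, thresholds and the function name `find_query_bursts` are all assumptions made for the example; the row list is constructed inline so the script runs offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _row(user, start, qtype, rows):
    """Build one constructed query-history row (same column names as Snowflake's view)."""
    return {"USER_NAME": user, "START_TIME": start, "QUERY_TYPE": qtype, "ROWS_PRODUCED": rows}


# Constructed sample data (not real telemetry): a normal analyst issuing one
# query every six minutes, and a service account that fires 400 large SELECTs
# inside two minutes, the burst shape the article attributes to Snowflake abuse.
BASE = datetime(2025, 7, 29, 9, 0, 0)
SAMPLE_QUERY_HISTORY = (
    [_row("analyst1", BASE + timedelta(minutes=6 * i), "SELECT", 500) for i in range(10)]
    + [_row("svc_reporting", BASE + timedelta(seconds=0.3 * i), "SELECT", 20_000) for i in range(400)]
)


def find_query_bursts(rows, window=timedelta(minutes=5), max_queries=100, max_rows=1_000_000):
    """Return {user: {"peak_queries": n, "peak_rows": m}} for users whose activity in any
    single sliding window exceeds max_queries queries or max_rows rows produced.

    Thresholds are illustrative; tune them per account from a baseline of normal usage.
    """
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["USER_NAME"]].append(r)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["START_TIME"])
        left = 0            # index of the oldest query still inside the window
        rows_in_window = 0  # running sum of ROWS_PRODUCED inside [left, right]
        peak_count = 0
        peak_rows = 0
        for right, ev in enumerate(events):
            rows_in_window += ev["ROWS_PRODUCED"]
            # Drop queries that fell out of the trailing window.
            while ev["START_TIME"] - events[left]["START_TIME"] > window:
                rows_in_window -= events[left]["ROWS_PRODUCED"]
                left += 1
            count = right - left + 1
            peak_count = max(peak_count, count)
            peak_rows = max(peak_rows, rows_in_window)
        if peak_count > max_queries or peak_rows > max_rows:
            findings[user] = {"peak_queries": peak_count, "peak_rows": peak_rows}
    return findings


if __name__ == "__main__":
    for user, stats in find_query_bursts(SAMPLE_QUERY_HISTORY).items():
        print(f"ALERT {user}: {stats['peak_queries']} queries / {stats['peak_rows']} rows in one window")
```

In production the rows would come from a scheduled query against ACCOUNT_USAGE.QUERY_HISTORY rather than an inline list, and the two thresholds would be set from each role's historical volume so that a reporting job's legitimate nightly batch does not page the on-call analyst.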
According to Google Cloud, Scattered Spider’s activity has dropped recently, but the same attack strategies have been observed in incidents attributed to other financially motivated threat actors.
“Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the UK, Mandiant Consulting hasn’t observed any new intrusions directly attributable to this specific threat actor,” Mandiant Consulting CTO Charles Carmakal told SecurityWeek.
“We are actively seeing other threat actors, like UNC6040, successfully employing similar social engineering tactics as UNC3944. While one group may be temporarily dormant, others won’t relent,” Carmakal said.
In a fresh report, Google Cloud explains that financially motivated and advanced threat actors have been observed targeting backup systems to prevent data recovery, and employing sophisticated social engineering to steal credentials and tokens and to bypass MFA.
UNC2165, known to have used the RansomHub ransomware, UNC4393, associated with the Basta ransomware, and UNC2465, which used the Darkside and Lockbit ransomware, were seen targeting backup platforms, deleting backup routines, erasing data, and tampering with user permissions to prevent recovery.
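The backup-platform tampering described above (deleting backup routines, erasing data, changing permissions) leaves a recognisable sequence in a backup system's audit log: a privilege change followed by a cluster of destructive actions from one actor. The following is an added detection example, not code from Google Cloud or any backup vendor: it runs over constructed, vendor-neutral audit events, counts destructive actions per actor inside a sliding window, and records whether a privilege change preceded the burst. The action names, actors, window and the function name `find_backup_tampering` are assumptions for the example; nothing here reflects a real product's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor-neutral action labels assumed for the example; map your backup
# platform's real audit event types onto these two sets.
DESTRUCTIVE_ACTIONS = {"backup_job_deleted", "restore_point_deleted", "retention_shortened", "repository_removed"}
PRIVILEGE_ACTIONS = {"role_granted", "user_created"}


def _ev(ts, actor, action, target):
    """Build one constructed audit event."""
    return {"ts": ts, "actor": actor, "action": action, "target": target}


# Constructed sample events (not real logs): "ops1" does routine, widely spaced
# housekeeping; "bkp-admin2" receives a role and then strips recovery capability
# within a dozen minutes, the pattern the article attributes to ransomware crews.
T = datetime(2025, 7, 29, 10, 0, 0)
SAMPLE_AUDIT = [
    _ev(T - timedelta(hours=2), "ops1", "backup_job_deleted", "job-legacy-01"),
    _ev(T + timedelta(hours=4), "ops1", "retention_shortened", "policy-dev"),
    _ev(T, "bkp-admin2", "role_granted", "bkp-admin2"),
    _ev(T + timedelta(minutes=5), "bkp-admin2", "backup_job_deleted", "job-fileservers"),
    _ev(T + timedelta(minutes=6), "bkp-admin2", "backup_job_deleted", "job-sql"),
    _ev(T + timedelta(minutes=7), "bkp-admin2", "backup_job_deleted", "job-esxi"),
    _ev(T + timedelta(minutes=10), "bkp-admin2", "retention_shortened", "policy-prod"),
    _ev(T + timedelta(minutes=12), "bkp-admin2", "restore_point_deleted", "job-sql"),
]


def find_backup_tampering(events, window=timedelta(hours=2), min_destructive=3):
    """Return {actor: {...}} for actors with at least min_destructive destructive
    backup actions inside one sliding window, noting whether a privilege change
    occurred within `window` before that burst began."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)

    findings = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        destructive = [e for e in evs if e["action"] in DESTRUCTIVE_ACTIONS]
        privilege = [e for e in evs if e["action"] in PRIVILEGE_ACTIONS]

        best, burst_start, left = 0, None, 0
        for right, e in enumerate(destructive):
            # Advance the window so it only spans `window` of trailing time.
            while e["ts"] - destructive[left]["ts"] > window:
                left += 1
            count = right - left + 1
            if count > best:
                best, burst_start = count, destructive[left]["ts"]

        if best >= min_destructive:
            preceded = any(burst_start - window <= p["ts"] <= burst_start for p in privilege)
            findings[actor] = {
                "destructive_in_window": best,
                "preceded_by_privilege_change": preceded,
                "targets": sorted({e["target"] for e in destructive}),
            }
    return findings


if __name__ == "__main__":
    for actor, f in find_backup_tampering(SAMPLE_AUDIT).items():
        print(f"ALERT {actor}: {f['destructive_in_window']} destructive actions, "
              f"privilege change first={f['preceded_by_privilege_change']}, targets={f['targets']}")
```

The `targets` list is included so the responder can see at a glance which jobs or policies to re-enable or restore from immutable copies; the privilege flag raises the priority because, as the article notes, these actors tamper with user permissions as part of the same campaign.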
“The scale and frequency of IT and cyber-related outages are continuing to rise. These incidents can carry cascading effects and recovery complexities when critical systems are impacted at scale,” Google Cloud told SecurityWeek.
Weak credentials and misconfigurations, Google Cloud says, remain the main entry points for attackers, followed by API/UI compromises. Leaked credentials, remote code execution (RCE), and other software vulnerabilities were also used for initial access.
“To counter threats like Scattered Spider, defenders must expand their view of the attack surface to include both technical systems and human behavior. These actors blend social engineering with technical skill, making identity-centric security, layered verification, and Zero Trust principles essential, even within internal environments,” Cynet Cyops head Ronen Ahdut said.
“Traditional controls like patching and segmentation remain important, but resilience increasingly hinges on anticipating and disrupting human-driven intrusion paths. The front line isn’t just code—it’s people, processes, and the policies that bind them,” Ahdut added.
Related: Scattered Spider Targeting VMware vSphere Environments
Related: Hawaiian Airlines Hacked as Aviation Sector Warned of Scattered Spider Attacks
Related: US Insurance Industry Warned of Scattered Spider Attacks