Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022.[1][2] The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.[2] During campaigns, Scattered Spider has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.[3][4][1][2][5]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | Scattered Spider leverages legitimate domain accounts to gain access to the target environment.[3][2]
Enterprise | T1087.003 | Account Discovery: Email Account | During C0027, Scattered Spider accessed Azure AD to identify email addresses.[5]
Enterprise | T1087.004 | Account Discovery: Cloud Account | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with their email addresses and AD attributes.[5]
Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials | During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and to enable pivoting from the AWS CLI to console sessions without MFA.[5]
Enterprise | T1098.003 | Account Manipulation: Additional Cloud Roles | During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[5] Scattered Spider has also assigned User Access Administrator roles in order to gain Tenant Root Group management permissions in Azure.[2]
Enterprise | T1098.005 | Account Manipulation: Device Registration | During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[5]
Enterprise | T1217 | Browser Information Discovery | Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer.[3]
Enterprise | T1580 | Cloud Infrastructure Discovery | Scattered Spider enumerates cloud environments to identify server and backup management infrastructure, resource access, databases, and storage containers.[2]
Enterprise | T1538 | Cloud Service Dashboard | Scattered Spider abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement.[3]
Enterprise | T1136 | Create Account | Scattered Spider creates new user identities within the compromised organization.[3]
Enterprise | T1486 | Data Encrypted for Impact | Scattered Spider has used BlackCat ransomware to encrypt files on VMware ESXi servers.[3][2]
Enterprise | T1530 | Data from Cloud Storage | Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes.[3] During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5]
Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5]
Enterprise | T1213.003 | Data from Information Repositories: Code Repositories | Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories.[3][2]
Enterprise | T1074 | Data Staged | Scattered Spider stages data in a centralized database prior to exfiltration.[3]
Enterprise | T1006 | Direct Volume Access | Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the
Enterprise | T1484.002 | Domain or Tenant Policy Modification: Trust Modification | Scattered Spider adds a federated identity provider to the victim's SSO tenant and activates automatic account linking.[3]
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Scattered Spider has exfiltrated victim data to the MEGA file sharing site.[3][2]
Enterprise | T1190 | Exploit Public-Facing Application | During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[5]
Enterprise | T1068 | Exploitation for Privilege Escalation | Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).[4]
Enterprise | T1133 | External Remote Services | Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.[4] During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[5]
Enterprise | T1083 | File and Directory Discovery | Scattered Spider enumerates a target organization for files and directories of interest, including source code.[3][2]
Enterprise | T1657 | Financial Theft | Scattered Spider has deployed ransomware on compromised hosts for financial gain.[3][7]
Enterprise | T1589.001 | Gather Victim Identity Information: Credentials | During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.[5]
Enterprise | T1564.008 | Hide Artifacts: Email Hiding Rules | Scattered Spider creates inbox rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.[2]
Enterprise | T1656 | Impersonation | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential-harvesting site or to get them to run commercial remote monitoring and management (RMM) tools.[5] Scattered Spider has also used social engineering to compel IT help desk personnel to reset passwords and MFA tokens.[3][2]
Enterprise | T1105 | Ingress Tool Transfer | During C0027, Scattered Spider downloaded tools using victim organization systems.[5]
Enterprise | T1556.006 | Modify Authentication Process: Multi-Factor Authentication | After compromising user accounts, Scattered Spider registers its own MFA tokens.[3]
Enterprise | T1556.009 | Modify Authentication Process: Conditional Access Policies | Scattered Spider has added additional trusted locations to Azure AD conditional access policies.[2]
Enterprise | T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[5] Scattered Spider has also created Amazon EC2 instances within the victim's environment.[3]
Enterprise | T1621 | Multi-Factor Authentication Request Generation | Scattered Spider has used multi-factor authentication (MFA) fatigue, sending repeated MFA authentication requests to targets.[4] During C0027, Scattered Spider attempted to gain access by continuously sending MFA push messages to the victim until they accepted the challenge.[5]
Enterprise | T1046 | Network Service Discovery | During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances.[5]
Enterprise | T1588.002 | Obtain Capabilities: Tool | During C0027, Scattered Spider obtained and used multiple tools, including the LinPEAS privilege escalation utility, aws_consoler, the rsocx reverse proxy, the Level RMM tool, and the RustScan port scanner.[5]
Enterprise | T1003.003 | OS Credential Dumping: NTDS | Scattered Spider has extracted the
Enterprise | T1003.006 | OS Credential Dumping: DCSync | During C0027, Scattered Spider performed domain replication.[5]
Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[5]
Enterprise | T1566.004 | Phishing: Spearphishing Voice | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[5]
Enterprise | T1598 | Phishing for Information | Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.[4]
Enterprise | T1598.001 | Phishing for Information: Spearphishing Service | During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.[5]
Enterprise | T1598.004 | Phishing for Information: Spearphishing Voice | During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[5] Scattered Spider has also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.[2]
Enterprise | T1572 | Protocol Tunneling | During C0027, Scattered Spider used SSH tunneling in targeted environments.[5]
Enterprise | T1090 | Proxy | During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[5]
Enterprise | T1219 | Remote Access Software | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[5] Scattered Spider members have also deployed RMM software themselves, including AnyDesk, LogMeIn, and ConnectWise Control, to establish persistence on the compromised network.[3][7]
Enterprise | T1021.007 | Remote Services: Cloud Services | During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[5] Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.[3]
Enterprise | T1018 | Remote System Discovery | Scattered Spider can enumerate remote systems, such as VMware vCenter infrastructure.[3]
Enterprise | T1539 | Steal Web Session Cookie | Scattered Spider retrieves browser cookies via Raccoon Stealer.[3]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.[4]
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Scattered Spider searches for credential storage documentation on a compromised host.[3]
Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host.[3]
Enterprise | T1204 | User Execution | Scattered Spider has impersonated organization IT and help desk staff to instruct victims to execute commercial remote access tools to gain initial access.[3]
Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.[5]
Enterprise | T1102 | Web Service | During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[5]
Enterprise | T1047 | Windows Management Instrumentation | During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.[5]
Mobile | T1660 | Phishing | Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.[2]
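The MFA fatigue row (T1621) describes repeated push prompts until the victim accepts one. The detection below is an added example written for this page, not code from the ATT&CK entry or any referenced vendor. It assumes a trimmed Entra ID sign-in record (user, time, source IP, status error code), uses error code 500121 as the "MFA challenge failed, denied, or expired" result and 0 as success, and runs over constructed sample records; confirm the codes against your own export before trusting the thresholds.

```python
"""Detect MFA push bombing (ATT&CK T1621) in Entra ID sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MFA_FAIL_CODES = {500121}   # assumption: strong-auth failure code in the sign-in log
SUCCESS_CODE = 0

# Constructed sample data (not real tenant logs).
SAMPLE_SIGNINS = [
    # jdoe: five prompts in under four minutes from one unfamiliar IP, all
    # denied or expired, then an approval from the same IP.
    {"user": "jdoe@corp.example", "time": "2023-01-10T02:01:00Z", "ip": "203.0.113.7", "code": 500121},
    {"user": "jdoe@corp.example", "time": "2023-01-10T02:01:40Z", "ip": "203.0.113.7", "code": 500121},
    {"user": "jdoe@corp.example", "time": "2023-01-10T02:02:15Z", "ip": "203.0.113.7", "code": 500121},
    {"user": "jdoe@corp.example", "time": "2023-01-10T02:03:05Z", "ip": "203.0.113.7", "code": 500121},
    {"user": "jdoe@corp.example", "time": "2023-01-10T02:04:30Z", "ip": "203.0.113.7", "code": 500121},
    {"user": "jdoe@corp.example", "time": "2023-01-10T02:05:10Z", "ip": "203.0.113.7", "code": 0},
    # asmith: one failed challenge, then success from her usual address (benign).
    {"user": "asmith@corp.example", "time": "2023-01-10T09:00:00Z", "ip": "198.51.100.20", "code": 500121},
    {"user": "asmith@corp.example", "time": "2023-01-10T09:00:45Z", "ip": "198.51.100.20", "code": 0},
    # bwong: two failures ninety minutes apart, never dense enough (benign).
    {"user": "bwong@corp.example", "time": "2023-01-10T10:00:00Z", "ip": "198.51.100.33", "code": 500121},
    {"user": "bwong@corp.example", "time": "2023-01-10T11:30:00Z", "ip": "198.51.100.33", "code": 500121},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(records, window_minutes=10, threshold=5):
    """Return one finding per (user, source IP) whose MFA failures reach
    `threshold` inside a sliding window of `window_minutes`. If a success
    from the same IP follows within one window of the last failure, the
    finding is escalated: the push bombing very likely worked."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["user"], r["ip"])].append((_ts(r["time"]), r["code"]))

    findings = []
    for (user, ip), events in by_key.items():
        events.sort()
        recent = []      # failure timestamps still inside the current window
        burst = None
        for t, code in events:
            if code in MFA_FAIL_CODES:
                recent = [f for f in recent if t - f <= window] + [t]
                if len(recent) >= threshold:
                    if burst is None:
                        burst = {"user": user, "ip": ip,
                                 "first_fail": recent[0].isoformat(),
                                 "fail_count": 0, "approved_at": None}
                    burst["fail_count"] = max(burst["fail_count"], len(recent))
                    burst["last_fail"] = t
            elif (code == SUCCESS_CODE and burst is not None
                  and burst["approved_at"] is None
                  and t - burst["last_fail"] <= window):
                burst["approved_at"] = t.isoformat()
        if burst is not None:
            burst["last_fail"] = burst["last_fail"].isoformat()
            burst["severity"] = "critical" if burst["approved_at"] else "high"
            findings.append(burst)
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['user']} from {f['ip']}: {f['fail_count']} MFA "
              f"failures between {f['first_fail']} and {f['last_fail']}; "
              f"approved at {f['approved_at']}")
```

Keying on (user, source IP) rather than user alone keeps a user's own fumbling from a known address from colliding with a burst driven from an unfamiliar one; the "critical" escalation is the case the table describes, where the victim finally accepts.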
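The email hiding rules row (T1564.008) describes inbox rules that delete vendor security alerts on analysts' mailboxes. The triage routine below is an added example for this page, not code from the ATT&CK entry. It assumes records shaped like the Exchange admin-audit entries in the Microsoft 365 unified audit log (Operation, UserId, ClientIP, and Parameters as Name/Value pairs), runs over constructed sample records, and uses a keyword list that stands in for the sender addresses your own security products use.

```python
"""Triage inbox-rule changes for alert suppression (ATT&CK T1564.008)."""

# Destinations attackers use to hide mail without deleting it outright.
SUPPRESS_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                    "junk email", "archive", "conversation history"}
# Terms that, in a rule condition, suggest the target is security mail. Assumption.
SUSPICIOUS_TERMS = ("security", "alert", "phish", "malware", "suspicious",
                    "incident", "edr", "quarantine", "compromise")
# New-/Set-InboxRule parameters that carry the rule's matching conditions.
CONDITION_KEYS = ("From", "FromAddressContainsWords", "SubjectContainsWords",
                  "SubjectOrBodyContainsWords", "BodyContainsWords",
                  "HeaderContainsWords")

SAMPLE_UAL = [  # constructed, not real audit data
    {"CreationTime": "2023-02-02T03:14:00", "Operation": "New-InboxRule",
     "UserId": "analyst1@corp.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "From", "Value": "alerts@edr-vendor.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2023-02-02T08:00:00", "Operation": "New-InboxRule",
     "UserId": "pm@corp.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.net"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2023-02-02T03:20:00", "Operation": "Set-InboxRule",
     "UserId": "analyst2@corp.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Filter"},
                    {"Name": "SubjectContainsWords", "Value": "Security Alert;Phishing"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2023-02-02T09:30:00", "Operation": "New-InboxRule",
     "UserId": "hr@corp.example", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Name", "Value": "OOO"},
                    {"Name": "ForwardTo", "Value": "backup@corp.example"}]},
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def triage_inbox_rules(records):
    """Return findings for New-/Set-InboxRule operations that (a) hide mail
    (delete, move to an obscure folder, mark as read) and (b) either target
    security-related senders/subjects or carry a blank/punctuation-only name."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(rec)
        actions = []
        if p.get("DeleteMessage", "").lower() == "true":
            actions.append("DeleteMessage")
        if p.get("MoveToFolder", "").lower() in SUPPRESS_FOLDERS:
            actions.append("MoveToFolder=" + p["MoveToFolder"])
        if p.get("MarkAsRead", "").lower() == "true":
            actions.append("MarkAsRead")
        if not actions:
            continue
        cond_text = " ".join(p.get(k, "") for k in CONDITION_KEYS).lower()
        terms = sorted(t for t in SUSPICIOUS_TERMS if t in cond_text)
        name = p.get("Name") or p.get("Identity") or ""
        reasons = []
        if terms:
            reasons.append("condition matches security terms: " + ", ".join(terms))
        if not name.strip(".,-_ "):
            reasons.append("rule name is blank or punctuation only")
        if not reasons:
            continue
        findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                         "client_ip": rec.get("ClientIP"), "operation": rec["Operation"],
                         "rule": name, "actions": actions,
                         "matched_terms": terms, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(SAMPLE_UAL):
        print(f"{f['time']} {f['user']} ({f['client_ip']}) {f['operation']} "
              f"'{f['rule']}': {', '.join(f['actions'])} -> {'; '.join(f['reasons'])}")
```

The single-character rule name is worth keeping as its own signal: a rule that deletes mail and is named "." has no legitimate reason to exist, whatever its conditions say. Scope the hunt to the mailboxes of security staff first, as the table indicates, then widen it.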
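The additional cloud credentials row (T1098.001) describes pivoting from the AWS CLI into console sessions without MFA through temporary federated credentials for fake users. The correlation below is an added example for this page, not code from the ATT&CK entry or from the aws_consoler project. It assumes CloudTrail events in the documented layout for sts GetFederationToken and signin ConsoleLogin records, uses constructed sample events, and takes as an assumption an allowlist of principals that are permitted to mint federation tokens for people.

```python
"""Pair FederatedUser console logins with the token that minted them (ATT&CK T1098.001)."""

# Principals expected to mint federation tokens for users (an internal
# SSO/portal broker, for instance). Assumption; replace with your own.
APPROVED_FEDERATION_BROKERS = {"sso-broker"}
CLI_AGENT_MARKERS = ("aws-cli", "Boto3", "botocore")

SAMPLE_CLOUDTRAIL = [  # constructed, not real CloudTrail data
    # A long-lived IAM user key, driven from the CLI, mints a federated
    # session named after a fake operator...
    {"eventTime": "2023-04-05T01:10:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"name": "ops-admin", "durationSeconds": 43200}},
    # ...and that federated identity signs in to the web console without MFA.
    {"eventTime": "2023-04-05T01:11:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/ops-admin",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser",
                                                           "userName": "deploy-bot"}}},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # Ordinary human console login with MFA: ignored.
    {"eventTime": "2023-04-05T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # The sanctioned broker minting a token for a portal user: allowlisted.
    {"eventTime": "2023-04-05T08:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "198.51.100.50",
     "userAgent": "aws-sdk-go/1.44.0",
     "userIdentity": {"type": "IAMUser", "userName": "sso-broker",
                      "accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"name": "alice-portal", "durationSeconds": 3600}},
    {"eventTime": "2023-04-05T08:05:20Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/alice-portal",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser",
                                                           "userName": "sso-broker"}}},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def find_cli_to_console_pivots(events, brokers=APPROVED_FEDERATION_BROKERS):
    """Report each FederatedUser ConsoleLogin whose issuer is not a sanctioned
    broker, joined to the GetFederationToken call that minted the name.
    Reasons accumulate the tells a reviewer would want to see."""
    minted = {}   # federated name -> the GetFederationToken event
    for ev in events:
        if ev.get("eventName") == "GetFederationToken":
            minted[ev["requestParameters"]["name"]] = ev

    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventName") != "ConsoleLogin" or ident.get("type") != "FederatedUser":
            continue
        fed_name = ident["arn"].rsplit("/", 1)[-1]
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        if issuer in brokers:
            continue
        reasons = []
        if ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            reasons.append("console session without MFA")
        src = minted.get(fed_name)
        if src is None:
            reasons.append("no GetFederationToken seen for this name (minted elsewhere or from temporary credentials)")
        else:
            if src["userIdentity"].get("accessKeyId", "").startswith("AKIA"):
                reasons.append("token minted with long-term key " + src["userIdentity"]["accessKeyId"])
            if any(m in src.get("userAgent", "") for m in CLI_AGENT_MARKERS):
                reasons.append("token minted from CLI/SDK user agent")
            if src.get("sourceIPAddress") != ev.get("sourceIPAddress"):
                reasons.append("mint and login from different IPs")
        findings.append({"time": ev["eventTime"], "federated_name": fed_name,
                         "issuer": issuer, "source_ip": ev.get("sourceIPAddress"),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_cli_to_console_pivots(SAMPLE_CLOUDTRAIL):
        print(f"{f['time']} federated-user/{f['federated_name']} via {f['issuer']} "
              f"from {f['source_ip']}: {'; '.join(f['reasons'])}")
```

The durable signal is the console login itself: a FederatedUser session that no sanctioned broker issued, with no MFA, is the pivot the table describes regardless of which name the attacker chose. When the attacker starts from temporary credentials rather than an IAM user key there may be no GetFederationToken call to join to, which is why the "no GetFederationToken seen" branch is still reported rather than dropped.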
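Four rows above describe persistence in the identity plane: device registration (T1098.005), adding a federated identity provider (T1484.002), registering the group's own MFA tokens (T1556.006), and adding trusted locations to conditional access (T1556.009). The audit review below is an added example for this page, not code from the ATT&CK entry. It assumes Entra ID directory-audit records (activityDisplayName, initiatedBy, targetResources, result) and runs over constructed samples; the activity names in WATCHLIST, the approved-admin list, and the corporate egress ranges are all assumptions to verify against your own tenant's export before use.

```python
"""Review directory audit records for identity-plane persistence
(ATT&CK T1098.005, T1484.002, T1556.006, T1556.009)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Audit activity -> sub-technique from this group's table. Assumed names;
# check them against your tenant's audit export.
WATCHLIST = {
    "Add named location": "T1556.009",
    "Update named location": "T1556.009",
    "Update conditional access policy": "T1556.009",
    "Set federation settings on domain": "T1484.002",
    "Set domain authentication": "T1484.002",
    "User registered security info": "T1556.006",
    "Register device": "T1098.005",
}
ADMIN_TECHNIQUES = {"T1556.009", "T1484.002"}       # only named admins should do these
SELF_SERVICE_TECHNIQUES = {"T1556.006", "T1098.005"}  # users do these, but from known egress
APPROVED_ADMINS = {"idadmin@corp.example"}                       # assumption
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]         # assumption


def _rec(time, activity, actor, ip, target, result="success"):
    """Build one constructed audit record in the directory-audit shape."""
    return {"activityDateTime": time, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
            "targetResources": [{"displayName": target}]}


SAMPLE_AUDIT = [  # constructed, not real tenant data
    _rec("2023-03-01T01:05:00Z", "Add named location", "itadmin-temp@corp.example", "203.0.113.7", "Remote Office VPN"),
    _rec("2023-03-01T01:07:00Z", "Update conditional access policy", "itadmin-temp@corp.example", "203.0.113.7", "Require MFA for all users"),
    _rec("2023-03-01T01:20:00Z", "Set federation settings on domain", "itadmin-temp@corp.example", "203.0.113.7", "corp.example"),
    _rec("2023-03-01T01:30:00Z", "User registered security info", "jdoe@corp.example", "203.0.113.7", "jdoe@corp.example"),
    _rec("2023-03-01T09:00:00Z", "Update conditional access policy", "idadmin@corp.example", "198.51.100.10", "Block legacy auth"),
    _rec("2023-03-01T09:15:00Z", "User registered security info", "asmith@corp.example", "198.51.100.22", "asmith@corp.example"),
    _rec("2023-03-01T09:40:00Z", "Register device", "itadmin-temp@corp.example", "203.0.113.7", "DESKTOP-TEMP01", result="failure"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _outside_egress(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_EGRESS)


def audit_identity_persistence(records, approved_admins=APPROVED_ADMINS, chain_hours=24):
    """Flag successful watchlisted changes by unapproved admins, and MFA/device
    registrations from outside known egress; then mark actors who touch two
    or more distinct techniques inside `chain_hours` as a chain."""
    findings = []
    for r in records:
        tech = WATCHLIST.get(r.get("activityDisplayName"))
        if tech is None or r.get("result") != "success":
            continue
        who = r["initiatedBy"]["user"]
        actor, ip = who["userPrincipalName"], who.get("ipAddress", "")
        reasons = []
        if tech in ADMIN_TECHNIQUES and actor not in approved_admins:
            reasons.append("initiator is not an approved identity admin")
        if tech in SELF_SERVICE_TECHNIQUES and ip and _outside_egress(ip):
            reasons.append("registration from outside known egress")
        if not reasons:
            continue
        findings.append({"time": r["activityDateTime"], "actor": actor, "ip": ip,
                         "activity": r["activityDisplayName"], "technique": tech,
                         "target": ", ".join(t.get("displayName", "") for t in r.get("targetResources", [])),
                         "reasons": reasons})

    by_actor = defaultdict(list)
    for f in findings:
        by_actor[f["actor"]].append(f)
    span = timedelta(hours=chain_hours)
    for fs in by_actor.values():
        for f in fs:
            t0 = _ts(f["time"])
            techs = {g["technique"] for g in fs if abs(_ts(g["time"]) - t0) <= span}
            if len(techs) >= 2:
                f["reasons"].append("chain: " + ", ".join(sorted(techs)) + f" within {chain_hours}h")
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in audit_identity_persistence(SAMPLE_AUDIT):
        print(f"{f['time']} {f['technique']} {f['actor']} ({f['ip']}) "
              f"{f['activity']} -> {f['target']}: {'; '.join(f['reasons'])}")
```

The chain marker is the part worth keeping in production: a trusted-location change, a conditional access edit, and a new federated domain from one principal inside an hour is the sequence the table's rows describe, and is far more telling than any one of them alone.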