ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: Scattered Spider

Names: Scattered Spider (CrowdStrike), UNC3944 (Mandiant), 0ktapus (Group-IB), Muddled Libra (Palo Alto), Scatter Swine (Okta), Storm-0875 (Microsoft), Octo Tempest (Microsoft), LUCR-3 (Permiso), Star Fraud (self given)
Country: [Unknown]
Motivation: Financial gain
First seen: 2022
Description: An affiliate group of ALPHV, BlackCat Gang

(Mandiant) UNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smishing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations. This activity overlaps with activity that has been reported in open sources as '0ktapus,' 'Scatter Swine,' and 'Scattered Spider.' Since 2022 and through early 2023, UNC3944 appeared to focus on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments. However, in mid-2023, UNC3944 began to shift to deploying ransomware in victim environments, signaling an expansion in the group's monetization strategies. These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand; Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services.
Observed: Countries: Worldwide.
Tools used: ADRecon, AnyDesk, DCSync, FiveTran, FleetDeck, gosecretsdump, Govmomi, Hekatomb, Impacket, LaZagne, LummaC2, Mimikatz, Ngrok, PingCastle, ProcDump, PsExec, Pulseway, Pure Storage FlashArray, RedLine, Rsocx, RustDesk, ScreenConnect, SharpHound, Socat, Spidey Bot, Splashtop, Stealc, TacticalRMM, Tailscale, TightVNC, VIDAR, WinRAR, WsTunnel, Living off the Land.
Operations performed:
Sep 2023: MGM Resorts shuts down IT systems after cyberattack
<https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/>
<https://www.databreaches.net/alphv-responds-to-mgm-incident-and-sloppy-reporting/>
Sep 2023: Caesars Entertainment confirms ransom payment, customer data theft
<https://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/>
<https://www.darkreading.com/attacks-breaches/-scattered-spider-mgm-cyberattack-casinos>
Sep 2023: Hackers who breached casino giants MGM, Caesars also hit 3 other firms, Okta says
<https://www.reuters.com/technology/hackers-who-breached-casino-giants-mgm-caesars-also-hit-3-other-firms-okta-says-2023-09-19/>
Sep 2023: ‘Scattered Spider’ group launches ransomware attacks while expanding targets in hospitality, retail
<https://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail>
Sep 2023: Luxury Hotels Remain Major Target of Ongoing Social Engineering Attack
<https://cofense.com/blog/luxury-hotels-remain-target-of-social-engineering-attack/>
Jan 2024: Muddled Libra’s Evolution to the Cloud
<https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/>

Counter operations:
Jun 2024: Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested
<https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/>
Jul 2024: Walsall teenager arrested in joint West Midlands Police and FBI operation
<https://www.westmidlands.police.uk/news/west-midlands/news/news/2024/july/walsall-teenager-arrested-in-joint-west-midlands-police-and-fbi-operation/>
Information:
<https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware>
<https://unit42.paloaltonetworks.com/muddled-libra/>
<https://thehackernews.com/2023/10/lucr-3-scattered-spider-getting-saas-y.html>
<https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/>
<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a>
<https://www.reliaquest.com/wp-content/uploads/2023/11/231121_EXTERNAL_ScatteredSpiderThreatReport.pdf>
<https://therecord.media/scattered-spider-challenge-for-FBI>
<https://www.guidepointsecurity.com/blog/worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider/>
<https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications/>
<https://www.bleepingcomputer.com/news/security/microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks/>

Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=muddled-libra>

Last change to this card: 27 August 2024
