Scattered Spider Explained: Threat Tactics and Defense Strategies for IT Teams

Learn about Scattered Spider's advanced cyber tactics and how to defend against eCrime groups.
April 14, 2025

Scattered Spider was first identified in early 2022. Since then, it has quickly established itself as one of the most advanced eCrime groups operating today. The group poses a serious threat to enterprise security teams because of their highly targeted attacks and adept use of social engineering.

Scattered Spider is particularly dangerous because of their ability to bypass traditional security measures through sophisticated social engineering and their exceptional skill at evading detection while moving laterally through networks to reach critical systems.

Who Is Scattered Spider?

Scattered Spider, also known as UNC3944, Octo Tempest, and Scatter Swine, is a financially motivated threat actor known for executing highly targeted, technically advanced attacks against enterprise environments.

Group Characteristics and Structure

Scattered Spider operates with a level of technical sophistication that sets them apart from many other threat actors. The group demonstrates advanced social engineering capabilities, combining technical expertise with psychological manipulation.

Their operational structure is believed to include English-speaking members, many likely based in the United States and United Kingdom, which assists in their social engineering attacks against Western companies.

Unlike traditional nation-state actors, Scattered Spider appears to operate as a financially motivated criminal enterprise with a well-organized structure and specialized roles. Their ability to quickly adapt tactics indicates a nimble organizational hierarchy.

Primary Motivations

Scattered Spider's motivations appear to be primarily financial, though their attacks often result in significant operational disruption. Their tactics suggest they're focused on:

  • Extracting ransoms from compromised organizations

  • Stealing sensitive data for extortion purposes

  • Gaining persistent access to valuable networks

  • Monetizing access to compromised environments

Target Selection and Industry Focus

Scattered Spider demonstrates a clear preference for targeting:

  • Customer relationship management (CRM) companies

  • Business process outsourcing (BPO) providers

  • Telecommunications companies

  • Technology firms

  • Gaming and casino operators

This targeting appears strategically calculated, as these industries share characteristics that make them attractive targets: high-value data repositories, critical infrastructure access, financial operations, complex supply chains, and 24/7 operational requirements.

How Does Scattered Spider Operate?

Scattered Spider combines deep social engineering expertise with technical exploitation to breach enterprise environments. Their attack chain is marked by detailed reconnaissance, credential compromise, and persistent access.

Social Engineering and Reconnaissance Techniques

Scattered Spider excels at detailed reconnaissance and social engineering. Before launching technical attacks, they meticulously research their targets, gathering information about organizational structure, employee details, and technical controls. Their social engineering approach typically includes:

  • Collecting employee information from LinkedIn and other public sources

  • Identifying key IT support staff and understanding help desk protocols

  • Developing detailed scripts for vishing calls with company-specific terminology

  • Calling targets while impersonating IT or security team members

The group is known for persistence and uses "SIM swapping" to intercept SMS-based verification codes.

MFA Fatigue and Bypass Methods

Scattered Spider frequently bypasses multi-factor authentication (MFA), often exploiting user behavior rather than technical flaws.

Their MFA bypass arsenal includes:

  • Triggering repeated MFA prompts to induce user approval (“MFA fatigue”)

  • Coaching users during vishing calls to accept login attempts

  • Exploiting conditional access policies in identity providers

  • Intercepting SMS codes via SIM swapping

Their attack on MGM Resorts in 2023 showcased this approach, where the group bypassed identity controls after gaining help desk access through social engineering.

Initial Access and Privilege Escalation

Once MFA is bypassed, the group rapidly escalates privileges and establishes persistence. Tactics include:

  • Using stolen VPN or remote desktop credentials

  • Targeting IT staff and administrators for elevated access

  • Exploiting misconfigured permissions

  • Performing password spraying and credential harvesting from endpoints

Lateral Movement and Persistence

Inside the network, Scattered Spider leverages “living off the land” techniques to evade detection. They move laterally using:

  • Built-in administrative tools and remote access software

  • Trusted system relationships and stolen authentication tokens

  • Custom backdoor accounts and modified authentication flows

  • Scheduled tasks and cloud-based persistence mechanisms

3 High-Profile Attacks and What They Reveal About Scattered Spider

1. MGM Resorts International Breach (2023)

In September 2023, MGM Resorts suffered a major cyberattack attributed to Scattered Spider that crippled operations for over a week. The intrusion began with a phone call to the company’s IT help desk, where the attackers impersonated an employee and requested password assistance.

After gaining initial access, they moved laterally through the network, accessing the Okta identity management platform and eventually deploying ransomware affecting MGM's properties across Las Vegas and beyond.

Estimated losses exceeded $100 million, including remediation costs, lost revenue, and reputational harm. While MGM responded quickly—isolating systems and maintaining transparent communication—the incident exposed critical weaknesses in help desk authentication and identity infrastructure.

2. Caesars Entertainment Compromise

Around the same time, Scattered Spider targeted Caesars Entertainment. The group gained access by compromising an outsourced IT support vendor, again using social engineering to bypass defenses.

The attackers exfiltrated sensitive data from the company’s loyalty program database, exposing records for approximately 65 million customers. Caesars opted to pay a $15 million ransom to prevent further disruption and public data leakage.

While this approach limited operational fallout, it sparked debate around ransomware payments and the risk of incentivizing future attacks. The incident also underscored the importance of securing third-party vendor access.

3. Snowflake and Okta Incidents

Scattered Spider also targeted technology companies like Snowflake and Okta, demonstrating their versatility.

In January 2023, Snowflake experienced a security incident when attackers compromised a third-party IT service provider and used that access to target specific Snowflake employees via sophisticated social engineering. The breach allowed access to Snowflake's internal support systems, highlighting supply chain risks.

Similarly, Okta faced multiple incidents involving Scattered Spider, including the compromise of a third-party customer support contractor's system and the direct social engineering of Okta employees. These incidents were particularly significant because Okta's services are specifically designed to prevent unauthorized access, demonstrating that even security-focused companies can fall victim to well-executed social engineering.

Technical Indicators of Compromise

Scattered Spider is known for blending into legitimate IT activity, making their operations hard to detect without a close eye on specific behaviors and tool usage. Security teams should monitor for both technical artifacts and subtle behavioral anomalies across identity systems, endpoints, and networks.

Tools and Malware Signatures

Scattered Spider extensively relies on legitimate tools repurposed for malicious activities. This technique is known as "Living off the Land." According to CISA's advisory, the group commonly utilizes remote access tools like TeamViewer, ScreenConnect, Splashtop, and Pulseway.

They also deploy information-stealing malware, including AveMaria (also known as WarZone), Raccoon Stealer, and VIDAR Stealer, to harvest credentials and authentication data.

Network and Behavioral Indicators

Key network-based indicators of compromise include the use of Ngrok for tunneling, deployment of VPN services and proxies, connections to uncommon external domains, unusual authentication patterns, and abnormal lateral movement.
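The tool and tunnelling indicators above translate directly into endpoint detection logic. The following Python script is an added example (not code from the original post or from the CISA advisory it cites): it triages constructed process-creation events for the remote access tools and Ngrok named above, treating any RMM product outside the organization's sanctioned list, or a sanctioned one launched from a user-writable path, as reportable. The event schema, the binary-name markers, the allowlist and the sample events are all assumptions for the example.

```python
"""Triage process-creation telemetry for the remote access and tunnelling tools
the post associates with Scattered Spider. Added example, not code from the
original post or from CISA; event schema, name markers and allowlist are assumptions."""
import ntpath  # parse Windows-style paths identically on any host

# Substrings expected in the image name/path of each tool (assumption; tune to
# the binary names actually deployed in your estate).
RMM_MARKERS = {"teamviewer": "TeamViewer", "screenconnect": "ScreenConnect",
               "splashtop": "Splashtop", "pulseway": "Pulseway"}
TUNNEL_MARKERS = {"ngrok": "Ngrok"}
# Assumption: this organization sanctions exactly one RMM product.
APPROVED_RMM = {"Splashtop"}
# Path fragments that indicate an unmanaged, user-writable install location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SEVERITY_RANK = {"high": 0, "medium": 1}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\jsmith",
     "image": r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe",
     "cmdline": "SRServer.exe"},
    {"host": "WS-022", "user": "CORP\\mlee",
     "image": r"C:\Users\mlee\Downloads\TeamViewer_Setup.exe",
     "cmdline": "TeamViewer_Setup.exe /S"},
    {"host": "SRV-DB01", "user": "CORP\\svc-backup",
     "image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"host": "WS-031", "user": "CORP\\akhan",
     "image": r"C:\Users\akhan\AppData\Local\Temp\splashtop_streamer.exe",
     "cmdline": "splashtop_streamer.exe"},
    {"host": "WS-040", "user": "CORP\\bwong",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def classify(event):
    """Return a finding dict for a suspicious event, or None if nothing to report."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    tokens = event.get("cmdline", "").lower().split()
    for marker, product in TUNNEL_MARKERS.items():
        if marker in name:
            # Any tunnelling binary is reportable; an explicit forwarding mode is worse.
            forwarding = any(t in ("tcp", "http", "tls") for t in tokens[1:])
            return {"severity": "high", "product": product,
                    "reason": "tunnelling binary invoked in forwarding mode" if forwarding
                    else "tunnelling binary executed"}
    for marker, product in RMM_MARKERS.items():
        if marker in image:
            if product not in APPROVED_RMM:
                return {"severity": "high", "product": product,
                        "reason": "remote access tool not on the sanctioned list"}
            if any(seg in image for seg in USER_WRITABLE):
                return {"severity": "medium", "product": product,
                        "reason": "sanctioned tool launched from a user-writable path"}
            return None  # sanctioned product in its managed install location
    return None


def triage(events):
    """Classify every event and return findings, highest severity first."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"host": ev["host"], "user": ev["user"], **hit})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["severity"]:6} {f["host"]:9} {f["user"]:16} {f["product"]:12} {f["reason"]}')
```

The allowlist is the important design choice: because these are legitimate products, a simple "is TeamViewer running" rule produces noise wherever a tool is sanctioned, while "is a tool running that we never deployed, or from a location our software deployment never writes to" isolates the unmanaged installs that matter.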

Behavioral indicators include:

  • Multiple failed MFA attempts

  • Targeting of privileged access management systems

  • Social engineering activities directed at IT personnel

  • Unusual access to identity platforms

Further behavioral indicators are authentication from unexpected locations, sudden creation of administrative accounts, and data staging activity.

MITRE ATT&CK Mapping

Scattered Spider's tactics align with several MITRE ATT&CK framework categories, including the following:

  • Initial Access (social engineering, valid accounts)

  • Execution (command scripting)

  • Persistence (valid accounts, account creation)

  • Privilege Escalation

  • Defense Evasion (living off the land binaries)

  • Credential Access (MFA interception)

How to Defend Your Organization Against Scattered Spider Attacks

Defending against Scattered Spider requires a multi-layered approach focusing on their specific tactics across three critical areas: proactive security measures, detection capabilities, and incident response planning.

Strengthen Your Preventive Controls

Scattered Spider thrives on weak identity controls and human error. Locking down the basics—MFA, user training, and access governance—can dramatically reduce your exposure.

First, implement enhanced MFA tools. Here’s how:

  • Adopt Phishing-Resistant MFA: Use hardware security keys or biometric factors.

  • Eliminate SMS-Based MFA: Transition away from easily intercepted SMS codes.

  • Implement Adaptive Authentication: Use context-aware policies for authentication attempts.

Second, introduce your employees to social engineering defense training. Some ideas for doing so include:

  • Regular Employee Training: Educate staff on recognizing sophisticated social engineering attempts.

  • Simulated Phishing Exercises: Conduct regular drills to reinforce training.

  • Help Desk Protocols: Implement strict verification processes for password resets.

Lastly, implement zero trust architecture:

  • Limit Access Privileges: Apply the principle of least privilege across systems.

  • Continuous Verification: Require authentication and authorization before granting access.

  • Micro-Segmentation: Isolate critical systems to prevent lateral movement.
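The help desk protocol bullet above is where most of the incidents described in this post began, so it is worth expressing the verification rules as something the help desk tooling can enforce rather than as a document agents are expected to remember. The following Python module is an added example (not code from the original post): it encodes a reset-verification policy in which interceptable channels such as SMS codes and caller ID never count toward approval, and MFA re-enrollment or privileged accounts require more strong proofs plus out-of-band manager approval. The request fields, channel names and tier thresholds are assumptions for the example.

```python
"""Help-desk account-recovery verification policy as code. Added example, not
from the original post; request fields, channel names and tiers are assumptions."""
from dataclasses import dataclass, field

# Verification channels (names are assumptions for this example).
STRONG = {"callback_to_hr_number", "video_with_id", "in_person"}
# SIM-swappable, spoofable or researchable from public sources: never counted.
WEAK = {"sms_code", "email_code", "caller_id", "knowledge_questions"}


@dataclass
class ResetRequest:
    account: str
    action: str                       # "password_reset" or "mfa_reenroll"
    privileged: bool = False
    verifications: set = field(default_factory=set)
    manager_approved_oob: bool = False  # approval obtained on a separate, known channel


def evaluate(req):
    """Return {"allowed": bool, "blockers": [...], "notes": [...]} for a request.

    Tiers: standard password reset needs one strong proof; MFA re-enrollment or
    any privileged account needs two; privileged accounts also need manager
    approval, and privileged MFA re-enrollment needs a video or in-person check."""
    blockers, notes = [], []
    unknown = req.verifications - STRONG - WEAK
    if unknown:
        blockers.append("unrecognized verification channel(s): " + ", ".join(sorted(unknown)))
    weak_used = req.verifications & WEAK
    if weak_used:
        notes.append("ignored weak channel(s): " + ", ".join(sorted(weak_used)))
    strong = req.verifications & STRONG
    needed = 2 if (req.action == "mfa_reenroll" or req.privileged) else 1
    if len(strong) < needed:
        blockers.append(f"{len(strong)} strong proof(s) supplied, {needed} required")
    if req.privileged and not req.manager_approved_oob:
        blockers.append("privileged account: out-of-band manager approval missing")
    if req.privileged and req.action == "mfa_reenroll" and not (strong & {"video_with_id", "in_person"}):
        blockers.append("privileged MFA re-enrollment requires an identity check by video or in person")
    return {"allowed": not blockers, "blockers": blockers, "notes": notes}


# Constructed sample requests illustrating each tier.
SAMPLE_REQUESTS = {
    "standard_ok": ResetRequest("jsmith", "password_reset",
                                verifications={"callback_to_hr_number"}),
    "sim_swap_attempt": ResetRequest("jsmith", "password_reset",
                                     verifications={"sms_code", "caller_id"}),
    "mfa_one_proof": ResetRequest("mlee", "mfa_reenroll",
                                  verifications={"callback_to_hr_number"}),
    "admin_ok": ResetRequest("akhan-adm", "password_reset", privileged=True,
                             verifications={"callback_to_hr_number", "video_with_id"},
                             manager_approved_oob=True),
    "admin_mfa_no_manager": ResetRequest("akhan-adm", "mfa_reenroll", privileged=True,
                                         verifications={"callback_to_hr_number", "in_person"}),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        verdict = evaluate(req)
        print(f"{label:22} allowed={verdict['allowed']}  {verdict['blockers'] or verdict['notes']}")
```

The policy deliberately refuses to let a pile of weak proofs add up to a strong one: an attacker who has SIM-swapped a number or researched an employee on LinkedIn can satisfy several weak checks at once, which is exactly the scenario the vishing calls described earlier rely on.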

Detection Capabilities and Monitoring Strategies

Strong detection capabilities can mean the difference between catching Scattered Spider early and reacting too late.

Start by monitoring authentication logs for unusual patterns—like repeated MFA prompts or access attempts at odd hours. Privileged accounts should be closely watched for signs of misuse or escalation. Set up alerts for known indicators of compromise (IOCs), including tools and behaviors associated with the group’s tactics.

Automated threat hunting is essential for surfacing subtle signs of intrusion. Here are some ways to do it:

  • Leverage AI and machine learning to detect behavioral anomalies that may not trigger traditional alerts.

  • Integrate threat intelligence feeds to stay current on Scattered Spider’s evolving tactics, techniques, and procedures (TTPs).

  • Deploy endpoint detection and response (EDR) tools across the environment to provide real-time visibility and support rapid containment.

Behavioral analytics adds another critical layer. User behavior analytics (UBA) helps identify deviations from normal usage patterns, while network traffic analysis can uncover unexpected data flows or unusual connections between systems. Anomaly detection systems—especially those focused on identity platforms—can flag lateral movement and access abuse that traditional tools miss.
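The behavioral indicators listed earlier (repeated MFA attempts, unusual access to identity platforms, authentication from unexpected locations, sudden creation of administrative accounts) and the authentication-log monitoring described in this section can be turned into concrete rules. The following Python script is an added example (not code from the original post): it parses a constructed JSON-lines export of identity-provider events and applies three rules, an MFA-fatigue rule (an approved push preceded by several denied or timed-out pushes within a short window), a rapid country-change rule on successful logins, and an admin-role-grant rule whose severity rises when the grant follows an MFA-fatigue approval for the same user. The field names, event names, thresholds and sample lines are assumptions for the example, not any product's schema.

```python
"""Detect Scattered Spider-style identity abuse in authentication logs.
Added example, not from the original post; the JSON-lines schema, event names
and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC timestamps). Not real data.
SAMPLE_LOG = """
{"ts": "2025-04-10T09:00:00Z", "user": "alice", "event": "mfa.push", "result": "approved", "country": "US"}
{"ts": "2025-04-10T10:00:00Z", "user": "carol", "event": "login", "result": "success", "country": "US"}
{"ts": "2025-04-10T10:25:00Z", "user": "carol", "event": "login", "result": "success", "country": "BR"}
{"ts": "2025-04-10T22:10:00Z", "user": "bob", "event": "mfa.push", "result": "denied", "country": "US"}
{"ts": "2025-04-10T22:10:40Z", "user": "bob", "event": "mfa.push", "result": "timeout", "country": "US"}
{"ts": "2025-04-10T22:11:20Z", "user": "bob", "event": "mfa.push", "result": "denied", "country": "US"}
{"ts": "2025-04-10T22:12:00Z", "user": "bob", "event": "mfa.push", "result": "denied", "country": "US"}
{"ts": "2025-04-10T22:13:30Z", "user": "bob", "event": "mfa.push", "result": "approved", "country": "US"}
{"ts": "2025-04-10T22:20:00Z", "user": "bob", "event": "admin.role_assigned", "result": "success", "country": "US"}
"""


def parse_events(text):
    """Parse JSON-lines auth events into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a push approval preceded by >= threshold unapproved pushes within the window."""
    findings = []
    pushes = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa.push":
            pushes[ev["user"]].append(ev)
    for user, evs in pushes.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "approved":
                continue
            recent = [p for p in evs[:i]
                      if ev["ts"] - p["ts"] <= window and p["result"] != "approved"]
            if len(recent) >= threshold:
                findings.append({"rule": "mfa_fatigue", "user": user, "ts": ev["ts"],
                                 "severity": "high",
                                 "detail": f"{len(recent)} unapproved pushes before approval"})
    return findings


def detect_location_change(events, window=timedelta(hours=1)):
    """Flag successive successful logins from different countries inside the window."""
    findings = []
    last = {}
    for ev in events:
        if ev["event"] != "login" or ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev and prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= window:
            findings.append({"rule": "location_change", "user": ev["user"], "ts": ev["ts"],
                             "severity": "medium",
                             "detail": f'{prev["country"]} -> {ev["country"]} in {ev["ts"] - prev["ts"]}'})
        last[ev["user"]] = ev
    return findings


def detect_admin_grants(events, fatigue_findings, link_window=timedelta(hours=1)):
    """Flag admin role assignments; raise severity when one follows an MFA-fatigue approval."""
    findings = []
    fatigue_by_user = defaultdict(list)
    for f in fatigue_findings:
        fatigue_by_user[f["user"]].append(f["ts"])
    for ev in events:
        if ev["event"] != "admin.role_assigned":
            continue
        linked = any(timedelta(0) <= ev["ts"] - t <= link_window
                     for t in fatigue_by_user[ev["user"]])
        findings.append({"rule": "admin_grant", "user": ev["user"], "ts": ev["ts"],
                         "severity": "high" if linked else "medium",
                         "detail": "follows an MFA-fatigue approval" if linked
                         else "privilege grant, review against change records"})
    return findings


def run_detections(text):
    """Run all rules over a JSON-lines export and return the combined findings."""
    events = parse_events(text)
    fatigue = detect_mfa_fatigue(events)
    return fatigue + detect_location_change(events) + detect_admin_grants(events, fatigue)


if __name__ == "__main__":
    for f in run_detections(SAMPLE_LOG):
        print(f'{f["severity"]:6} {f["rule"]:16} {f["user"]:6} {f["ts"].isoformat()}  {f["detail"]}')
```

The correlation in the last rule is what makes the output actionable: an admin role grant on its own is routine, and a burst of push prompts on its own may be a confused user, but a grant minutes after a user finally approved the fourth prompt in ten minutes is the sequence this post describes and deserves an immediate session revocation and a call to the user on a known number.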

Incident Response Playbook

When facing a group as agile as Scattered Spider, every minute counts. If compromise is suspected, isolate infected systems immediately to contain the threat. Activate your incident response team and inform internal stakeholders without delay.

From a communications standpoint, prepare for regulatory reporting by confirming jurisdiction-specific breach notification requirements. Be transparent with customers if their data is affected, and coordinate closely with public relations and legal teams to manage external messaging.

Recovery should be handled with care. Restore systems from verified, clean backups only after confirming attacker access has been cut off. Conduct a full post-incident analysis to identify root causes and process failures. Most importantly, feed those insights back into your defenses—closing gaps and refining procedures to prepare for the next attack.

Anticipating and Preparing for Scattered Spider's Next Moves

Scattered Spider continues to evolve—refining its techniques, expanding its targets, and adapting to new technologies. Security teams need to stay one step ahead.

Tactical Evolution and Future Targets

Based on Scattered Spider's operational history, we can anticipate increased sophistication in bypassing multi-factor authentication, greater focus on exploiting trusted vendor relationships, enhanced evasion techniques, and expanded targeting across sectors.

The group may soon leverage emerging technologies like AI-generated content for more convincing social engineering or exploit vulnerabilities in rapidly adopted cloud services and IoT infrastructure.

Proactive Defense Strategies

Organizations should consider implementing advanced authentication frameworks beyond traditional MFA, enhanced security awareness training, threat-hunting protocols for Scattered Spider's TTPs, strict vendor access management, and tabletop exercises simulating their attack scenarios.

Implementing zero-trust architecture principles becomes increasingly important as the group has repeatedly demonstrated its ability to compromise legitimate credentials.

Regulatory and Compliance Considerations

Following a Scattered Spider breach, organizations face significant regulatory challenges that vary by jurisdiction. Key considerations include mandatory reporting timelines that differ across regions, potential legal liability for inadequate security measures, insurance coverage questions, and data sovereignty issues when compromised systems span multiple countries.

Organizations should develop breach response protocols that specifically account for Scattered Spider's tactics and include processes for meeting various regulatory obligations simultaneously.

Building Resilience Against Scattered Spider

Defending against sophisticated threat actors like Scattered Spider requires a multi-layered approach that evolves with their tactics.

Here are some ways you can start building your layers of security:

  1. Implement Phishing-Resistant MFA: Move beyond SMS-based MFA to hardware tokens or passkeys.

  2. Enhance Social Engineering Training: Regularly train employees to recognize sophisticated vishing techniques.

  3. Adopt Zero Trust Architecture: Limit access to critical systems based on strict verification.

  4. Secure Your Identity Infrastructure: Regularly audit and harden identity management systems.

  5. Establish Robust Incident Response Plans: Create detailed playbooks for identity-based attacks.

Tap into community intelligence—ISACs, peer orgs, and threat intel feeds—to stay ahead. And don’t just plan—test. Simulate real-world attacks to pressure-test your defenses.

Want to see how Abnormal helps you stay ahead of modern threat actors? Schedule a demo today!
