July 2025 - A Look at How Scattered Spider Operates
Scattered Spider, also tracked under aliases like UNC3944 and 0ktapus, is a highly active and adaptive cyber threat group known for sophisticated social engineering campaigns. Initially linked to attacks on telecommunications and technology firms, the group has expanded its focus to include insurance providers and other sectors with valuable customer data and critical infrastructure.
Their tactics are notable for leveraging call center impersonation, SIM swapping, and legitimate remote access tools to gain initial access, making them especially dangerous to organizations with large support operations and dispersed workforces.
Attack Techniques and Tactics:
Scattered Spider is known for employing a blend of technical intrusions and human-centric deception. Their attacks typically unfold in the following manner:
- Social Engineering via Call Centers: As reported by Google’s Mandiant threat intelligence team, Scattered Spider operators often impersonate employees and contact corporate IT help desks or third-party call centers. They use pretexting to convince support personnel to reset MFA credentials or provide access to internal tools.
- SIM Swapping and MFA Bypass: In some campaigns, attackers used stolen employee credentials along with SIM swapping (porting a victim’s phone number to an attacker-controlled device) to intercept one-time passcodes. This tactic allows them to bypass multi-factor authentication systems, especially SMS-based ones.
- Use of Legitimate Remote Access Tools: Scattered Spider frequently deploys commercially available remote desktop tools like AnyDesk and TeamViewer once they gain a foothold. These tools help maintain persistence and evade detection by blending in with routine IT activity.
- Data Theft and Extortion: Once inside, they move laterally across networks, exfiltrating data such as employee records, customer PII, or corporate intellectual property. In many cases, the group has collaborated with ransomware affiliates like ALPHV/BlackCat for double extortion, threatening to release stolen data unless a ransom is paid.
Scattered Spider represents a dangerous intersection of social engineering prowess and technical sophistication. Their ability to deceive frontline staff, exploit identity infrastructure, and operate under the guise of legitimate IT support makes them uniquely difficult to detect early. Companies must take proactive steps, including securing call center protocols, enforcing strict identity verification processes, and ensuring phishing-resistant MFA, to defend against this threat actor.
To mitigate these types of threats, BlackCloak recommends clients take immediate action to reduce personal exposure and harden their digital security posture.
- Close the social-engineering door at the help desk. Require on-camera or in-person ID checks (no public-data questions) before anyone can reset passwords or MFA, and disable self-service resets during high-alert periods. Train staff that UNC3944 routinely targets IT and admin personnel, not just end-users.
- Adopt phishing-resistant MFA end-to-end. Eliminate SMS, voice and email factors; move privileged users first to FIDO2 security keys or passwordless authenticators, and lock MFA registration/changes to trusted IPs with conditional-access policies.
- Verify device health before access is granted. Enforce posture checks (EDR installed, OS up-to-date, host certificates present), hunt for rogue VMs or bastion hosts, and block SMB/RDP/WinRM on endpoints to choke lateral movement.
- Shrink and segment the attack surface. Run external scans for exposed IPs/domains, fence off “trusted service infrastructure” (backup, PAM, virtualization, network gear) behind dedicated segments or PAWs, and block TOR/VPS egress to cripple C2 channels.
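The help-desk and MFA recommendations above can be expressed as a small conditional-access style policy. The following is an added example, not BlackCloak's code or any vendor's product: it evaluates constructed MFA events, rejecting SMS/voice/email factors outright, blocking self-service resets while a high-alert flag is set, and refusing MFA registration or changes from outside assumed trusted network ranges. The network ranges, factor names and event fields are assumptions for illustration.

```python
"""Policy check for MFA registration, change and reset events (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate egress ranges (constructed; documentation ranges, not real infrastructure).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
# Factors the recommendation says to eliminate, and the phishing-resistant ones to keep.
WEAK_FACTORS = {"sms", "voice", "email"}
STRONG_FACTORS = {"fido2", "passwordless"}
# Actions that must originate from a trusted location (enrolment and lifecycle changes).
LOCKED_ACTIONS = {"register", "change", "self_service_reset"}


@dataclass
class MfaEvent:
    user: str
    action: str      # "authenticate", "register", "change" or "self_service_reset"
    factor: str      # e.g. "fido2", "passwordless", "sms"
    source_ip: str


def evaluate(event: MfaEvent, high_alert: bool = False) -> tuple[str, str]:
    """Return (decision, reason) for one event; "deny" wins on the first failed rule."""
    if event.factor in WEAK_FACTORS:
        return "deny", f"{event.factor} is not phishing-resistant"
    if event.factor not in STRONG_FACTORS:
        return "deny", f"unknown factor {event.factor!r}"
    if event.action == "self_service_reset" and high_alert:
        return "deny", "self-service resets are disabled during high-alert periods"
    if event.action in LOCKED_ACTIONS:
        src = ip_address(event.source_ip)
        if not any(src in net for net in TRUSTED_NETWORKS):
            return "deny", f"MFA {event.action} from untrusted IP {src}"
    return "allow", "phishing-resistant factor from a permitted location"


def run(events: list[MfaEvent], high_alert: bool = False) -> list[tuple[str, str, str]]:
    """Evaluate a batch of events and return (user, decision, reason) per event."""
    return [(e.user, *evaluate(e, high_alert)) for e in events]


# Constructed sample events: ordinary sign-in, weak-factor enrolment, key change
# from outside the trusted ranges, a reset during a high-alert period, and a
# normal sign-in from a remote worker (authentication itself is not location-locked).
SAMPLE_EVENTS = [
    MfaEvent("alice", "authenticate", "fido2", "203.0.113.10"),
    MfaEvent("bob", "register", "sms", "203.0.113.20"),
    MfaEvent("carol", "change", "fido2", "192.0.2.77"),
    MfaEvent("dave", "self_service_reset", "fido2", "203.0.113.30"),
    MfaEvent("erin", "authenticate", "passwordless", "192.0.2.5"),
]

if __name__ == "__main__":
    for user, decision, reason in run(SAMPLE_EVENTS, high_alert=True):
        print(f"{user:6} {decision:5} {reason}")
```

Only registration and lifecycle changes are tied to trusted ranges; routine authentication with a phishing-resistant factor is allowed from anywhere, which matches the intent of locking MFA changes rather than ordinary sign-ins.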