What Is Scattered Spider? Inside the Rise of Identity-Based Attacks

Learn How Scattered Spider is Reshaping Modern Cyberattacks and How to Defend Against It

If you’ve been following major cybersecurity incidents over the past couple of years, chances are you’ve come across the name Scattered Spider. From massive casino breaches to healthcare system outages, this threat actor has become a name that CISOs don’t take lightly. But what is Scattered Spider, really? And why is this group of cybercriminals getting so much attention?

Scattered Spider is a financially motivated group that came into focus around 2022. What makes them unusual is their heavy reliance on social engineering. They don’t just phish; they impersonate employees, call IT help desks, and bypass MFA by exploiting human error. Their targets? Fortune 1000 companies, especially in industries like telecom, finance, and healthcare.

They’re also fast. Once inside a network, they move laterally with purpose, often deploying commercial remote access tools rather than custom malware, making detection harder. Some reports link them to aliases like UNC3944 or 0ktapus, suggesting a loosely affiliated, possibly English-speaking group that’s both persistent and opportunistic. Their ability to blend technical skill with psychological manipulation makes them especially dangerous to large enterprises.

Scattered Spider Attack Methods: How They Breach Enterprise Systems

When it comes to intrusion methods, Scattered Spider hackers operate differently from most financially motivated actors. Instead of relying on malware payloads or zero-day exploits, they combine deep social-engineering tactics with legitimate tools already present inside enterprise environments. According to CrowdStrike, which tracks them under the name UNC3944, their behavior often mirrors that of nation-state actors, despite being financially driven.

Here’s how they break in and stay in:

SIM Swapping and Social Engineering

Scattered Spider is particularly effective at SIM swapping, convincing telecom carriers to port a victim’s phone number to a SIM they control. This allows them to intercept one-time passwords, MFA prompts, and sensitive notifications. But the real strength lies in their social engineering.

They often impersonate internal IT support, sometimes using leaked employee data to sound credible. In known incidents, they’ve phoned help desk staff posing as locked-out employees, referencing ticketing systems and requesting MFA resets. Their impersonation techniques are not random – they study company lingo, reference real tools in use (like Okta or Slack), and mimic internal workflows with unsettling accuracy.

MFA Fatigue and Push Bombing

Another go-to tactic is MFA fatigue, also called push bombing. By repeatedly triggering Multi-Factor Authentication prompts on a user’s device, they create enough annoyance or confusion that the user eventually accepts. But this isn’t passive. Scattered Spider operators often call the user mid-attack, posing as IT and instructing them to approve the request “to resolve a login issue.”

It’s this layering of psychological pressure with technical persistence that makes the method effective, especially in fast-paced work environments where people prioritize convenience over caution.

Exploiting Okta, Azure AD, and RDP

Identity providers like Okta and Azure AD are prime targets. Once the group gains credentials, they exploit misconfigurations, bypass conditional access rules, or hijack legitimate sessions. These platforms are central to enterprise access, and once compromised, they give attackers control across cloud environments.

They also abuse Remote Desktop Protocol (RDP), often tunneling through VPNs or existing connections, allowing hands-on access to internal systems with minimal detection.

Living-off-the-Land (LotL) Tactics

Scattered Spider doesn’t bring noisy tools into the network. Instead, they rely on LotL techniques using tools like PowerShell, cmd, WMIC, and rundll32 that are native to the operating system. These are chained with scheduled tasks, remote scripting, or even built-in backup utilities to move laterally or persist quietly.

Because these tools are signed and trusted, they often bypass traditional antivirus or EDR unless finely tuned.
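The detection side of the LotL chains just described, as an added example that is not code from the article: a scoring pass over process-creation telemetry that stacks indicators (a native binary such as cmd, WMIC or rundll32 spawned by a remote-access tool, a scheduled task being created, WMIC process creation, rundll32 loading a DLL from outside System32). The event layout, the parent-process list, the weights and the sample events are assumptions constructed for illustration.

```python
"""Score process-creation events for the living-off-the-land chains the
article describes: native Windows binaries launched by a remote-access tool
and used for scheduled tasks, remote execution or odd DLL loads. Added
example, not from the article; event layout, parent list and weights are
assumptions, and the sample telemetry is constructed."""
LOLBINS = {"powershell.exe", "cmd.exe", "wmic.exe", "rundll32.exe", "schtasks.exe"}
# Remote-management tools the article names as the group's preferred access path.
REMOTE_TOOL_PARENTS = {"anydesk.exe", "screenconnect.clientservice.exe"}

# Constructed sample telemetry: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ("anydesk.exe", "cmd.exe",
     "cmd.exe /c schtasks /create /tn Updater /tr C:\\Users\\Public\\u.bat /sc onlogon"),
    ("screenconnect.clientservice.exe", "wmic.exe",
     "wmic /node:FS01 process call create \"cmd.exe /c whoami\""),
    ("svchost.exe", "rundll32.exe", "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ("anydesk.exe", "rundll32.exe", "rundll32.exe C:\\Users\\Public\\helper.dll,Start"),
]

def score_event(parent, image, cmdline):
    """Return (score, reasons); each stacked indicator adds to the score."""
    image_l, cmd_l, score, reasons = image.lower(), cmdline.lower(), 0, []
    if image_l not in LOLBINS:           # only native binaries are scored here
        return 0, reasons
    if parent.lower() in REMOTE_TOOL_PARENTS:
        score += 3
        reasons.append("native binary spawned by remote-access tool")
    if "schtasks" in cmd_l and "/create" in cmd_l:
        score += 2
        reasons.append("scheduled task created (persistence)")
    if image_l == "wmic.exe" and "process call create" in cmd_l:
        score += 3
        reasons.append("WMIC process creation (remote execution)")
    if image_l == "rundll32.exe" and "\\windows\\system32\\" not in cmd_l:
        score += 2
        reasons.append("rundll32 loading a DLL from outside System32")
    return score, reasons

def triage(events, threshold=3):
    """Return (score, reasons, cmdline) for events at or above threshold, highest first."""
    scored = [(*score_event(*e), e[2]) for e in events]
    hits = [s for s in scored if s[0] >= threshold]
    return sorted(hits, key=lambda s: -s[0])
```

The two benign rows (a scheduled inventory script and a stock rundll32 from System32) score zero, which is the point: a single native binary is noise, and only the stacked combination is worth an analyst's time.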

Timeline of Major Scattered Spider Cyberattacks

Scattered Spider has been linked to several high-profile cyberattacks across critical sectors, including hospitality, healthcare, and retail. Below is a timeline of confirmed and attributed attacks, including details on impact, methods, and response.

August 2023

Caesars Entertainment

In August 2023, Caesars Entertainment disclosed a security incident later attributed to Scattered Spider, allegedly involving social engineering of an IT support contractor to gain access to the company’s systems. The attackers exfiltrated sensitive data, including loyalty program details.

Caesars reportedly paid a ransom estimated at $15 million to prevent the data from being leaked. The attackers were believed to have targeted Okta authentication flows, a known vector in multiple Scattered Spider campaigns.

September 2023

MGM Resorts

Just days after the Caesars incident, MGM Resorts experienced a massive cyberattack that caused widespread outages across hotel check-ins, digital room keys, slot machines, and POS systems. CrowdStrike attributed the attack to Scattered Spider (UNC3944), who used vishing and help desk impersonation to compromise an Okta super administrator account.

This breach became a case study in identity-based lateral movement and operational disruption, reportedly costing MGM over $100 million in direct losses.

February 2024

Change Healthcare

In 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a major cyberattack that crippled U.S. healthcare payment systems for weeks. While the ALPHV/BlackCat ransomware gang took public credit, reports from Reuters and HealthITSecurity indicated that Scattered Spider was involved in the initial access stage, likely via social engineering and credential theft.

The incident affected millions of patients and providers, with long-term implications on medical claims and prescription processing nationwide.

May 2025

UK Retail Sector

In April and May 2025, a coordinated cyberattack campaign disrupted major UK retailers including M&S, Co-op, and Harrods. The attacks forced systems offline and disabled contactless payments and click-and-collect services, ultimately leading to a temporary suspension of online sales. While the DragonForce ransomware group later claimed responsibility for the M&S breach, early TTP analysis raised the possibility of Scattered Spider involvement, given the use of identity compromise and remote access tools.

The UK’s National Cyber Security Centre (NCSC) confirmed it was assisting affected retailers. With multiple targets hit in succession, the incident highlights a growing trend of region-wide, high-impact attacks on retail infrastructure.

[Sources: The Guardian, NCSC UK, TechCrunch]

Why Scattered Spider Is Difficult to Detect and Stop

Scattered Spider isn’t just another ransomware crew following a script. What sets them apart is their ability to move through systems like they belong there. They rely less on malware and more on stealth, trust abuse, and identity manipulation.

Rather than breaching firewalls or exploiting zero-days, they often enter through the front door using stolen credentials, SIM swapping, or help desk impersonation. Once inside, their behavior blends in with legitimate users: logging in through real VPNs, opening corporate apps, and avoiding anything noisy that might set off alarms. Their use of remote management tools like AnyDesk or ScreenConnect, combined with a deliberate avoidance of malware, lets them bypass EDR detection and maintain persistence while blending in.

What further complicates detection is their language fluency and cultural familiarity. Many members are fluent English speakers and understand Western enterprise IT structures well; some are believed to be based in the U.S. or U.K. This gives them a clear advantage in crafting convincing social engineering campaigns that mimic internal communication with alarming accuracy.

Their tactics also don’t fit the usual ransomware model. In some cases, there’s no encryption at all – just data theft, followed by private extortion threats. This tactic aligns more with data extortion groups than traditional ransomware operators. That unpredictability makes it harder for defenders to spot a pattern or know when data has actually been compromised.

Law enforcement has made some progress. A few arrests have been reported, and the FBI has said it’s working toward charges. But breaking up a loosely connected group like this, especially one spread across multiple countries, isn’t quick work. For now, Scattered Spider remains active, adaptable, and hard to pin down.

How to Protect Against Scattered Spider and Similar Threat Actors

As threat groups like Scattered Spider evolve, defenders need to step up from reactive security to proactive defense. Here’s how to start:

Top 6 Defensive Moves Against Scattered Spider

Use Strong MFA

Scattered Spider has repeatedly bypassed SMS-based MFA through SIM swapping attacks. To counter this, adopt more secure methods such as TOTP apps, hardware tokens (YubiKeys), or FIDO2/WebAuthn-based authentication. These mechanisms are resistant to interception and much harder to socially engineer.

Lock Down Identity Providers

Identity platforms are a favorite entry point. Audit overprivileged accounts, enforce conditional access policies, and disable unused integrations. Several Scattered Spider breaches exploited weak configurations in Okta or Azure Active Directory to move laterally once initial access was gained.

Monitor for Anomalous Login Behavior

Because this group often uses legitimate credentials, traditional alerting systems may not trigger. Implement User Behavior Analytics (UBA) to flag subtle anomalies like unusual login hours, impossible travel logins, or unexpected MFA resets. Even minor signals such as repeated push requests or a new MFA device enrollment should be investigated.
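The push-bombing pattern from the MFA fatigue section and the login signals listed here (repeated push requests, a new MFA device enrollment, off-hours logins, impossible travel), run over a constructed identity log as an added example that is not code from the article. The event layout, the thresholds and the sample data are assumptions, not any identity provider's schema.

```python
"""Flag identity signals the article lists: MFA push bombing, new MFA device
enrollment, off-hours logins and impossible travel. Added example, not from
the article; event layout, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
PUSH_THRESHOLD, PUSH_WINDOW_SEC = 4, 300   # N pushes in W seconds = bombing
MAX_SPEED_KMH, WORK_HOURS = 1000, range(6, 22)
def ev(ts, kind, lat, lon):          # one constructed event (ISO-8601 UTC)
    return {"ts": ts, "user": "jdoe", "type": kind, "lat": lat, "lon": lon}
# Constructed sample log: push burst, new device, London login, then a
# New York login 48 minutes later.
SAMPLE_EVENTS = [
    ev("2025-05-01T02:10:00", "mfa.push.sent", 51.5, -0.12),
    ev("2025-05-01T02:10:20", "mfa.push.sent", 51.5, -0.12),
    ev("2025-05-01T02:10:45", "mfa.push.sent", 51.5, -0.12),
    ev("2025-05-01T02:11:05", "mfa.push.sent", 51.5, -0.12),
    ev("2025-05-01T02:12:00", "mfa.device.enrolled", 51.5, -0.12),
    ev("2025-05-01T02:12:30", "login.success", 51.5, -0.12),
    ev("2025-05-01T03:00:00", "login.success", 40.7, -74.0),
]
def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def analyze(events):
    """Return (timestamp, user, finding) tuples in time order."""
    findings, pushes, last_login = [], defaultdict(list), {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, u, loc = datetime.fromisoformat(e["ts"]), e["user"], (e["lat"], e["lon"])
        if e["type"] == "mfa.push.sent":
            # sliding window of recent pushes; fire once when it fills
            pushes[u] = [t for t in pushes[u] if (ts - t).total_seconds() <= PUSH_WINDOW_SEC] + [ts]
            if len(pushes[u]) == PUSH_THRESHOLD:
                findings.append((e["ts"], u, "possible MFA push bombing"))
        elif e["type"] == "mfa.device.enrolled":
            findings.append((e["ts"], u, "new MFA device enrolled"))
        elif e["type"] == "login.success":
            if ts.hour not in WORK_HOURS:
                findings.append((e["ts"], u, "off-hours login"))
            if u in last_login:
                prev_ts, prev_loc = last_login[u]
                hours = (ts - prev_ts).total_seconds() / 3600
                if hours > 0 and haversine_km(prev_loc, loc) / hours > MAX_SPEED_KMH:
                    findings.append((e["ts"], u, "impossible travel"))
            last_login[u] = (ts, loc)
    return findings
```

On the sample log the sequence reads like the help-desk scenario above: a burst of pushes, a device enrolled minutes later, and a login that could not physically follow the previous one.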

Adopt a Zero Trust Security Model

Zero Trust isn’t optional anymore. Segment internal networks, enforce least privilege at every level, and validate user identity and device health continuously, not just at login. Scattered Spider’s lateral movement tactics thrive in flat network environments where implicit trust still exists.

Elevate Security Awareness Training

Social engineering remains central to Scattered Spider’s playbook. Go beyond one-size-fits-all training. Implement role-specific simulations, especially for IT help desk and administrative teams. Use real-world examples, such as the MGM breach, to teach staff how attackers operate and what red flags to report. Encourage a security-first culture where users feel confident flagging suspicious behavior early.

Leverage Threat Intelligence from CISA and CrowdStrike

Both CISA and CrowdStrike have published guidance on identifying and mitigating threats tied to Scattered Spider. Their advisories include known TTPs, IOCs, and hardening recommendations. Regularly consult these resources and update internal playbooks accordingly.

Final Thoughts

Scattered Spider has demonstrated that modern cyberattacks are no longer just about malware or brute-force exploits. They walk in using valid credentials, exploit trust, and move quietly through systems designed to let them in. The lesson is clear: securing infrastructure isn’t enough if identity remains exposed. As identity becomes the new perimeter, defending it requires the same level of rigor as any traditional network or endpoint.

Infrastructure can’t protect you if identity is compromised. Scattered Spider isn’t an anomaly, but the future of targeted cybercrime. And stopping it requires security teams to evolve faster than the attackers do.

Explore SSL2BUY’s Trust and Security Solutions to strengthen your digital identity and stay ahead of modern threats.

About the Author
Ann-Anica Christian

Ann-Anica Christian is a seasoned Content Creator with 7+ years of expertise in SaaS, Digital eCommerce, and Cybersecurity. With a Master's in Electronics Science, she has a knack for breaking down complex security concepts into clear, user-friendly insights. Her expertise spans website security, SSL/TLS, Encryption, and IT infrastructure. Her work, featured in SSL2Buy’s Wiki and Cybersecurity sections, helps readers navigate the ever-evolving world of online security.
