Dubbed disparate, furtive spiders by the FBI, the Scattered Spider threat group is testing cybersecurity vigilance to its limits
A notorious cybercriminal group, Scattered Spider (also tracked as SS, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest and UNC3944), has woven an intricate web to ensnare IT teams across the Asia Pacific region, infiltrating company networks and tools through unsuspecting victims.
Its damaging impact on major corporations, including prominent Las Vegas casinos, highlights the need to strengthen detection and preventive controls against identity-targeted attacks.
Known for its association with the BlackCat/ALPHV ransomware operation, SS develops playbooks for highly successful, reproducible attacks, typically using social engineering to take over identities. Many attackers use identity pathways, but SS is notoriously slick at bypassing multi-factor authentication (MFA) and infiltrating enterprises through cloud identities.
Attack pathways
A typical identity attack involves attackers posing as IT helpdesk staff to extract credentials from employees (or posing as employees to persuade the real helpdesk to reset passwords and MFA), or using SIM swapping and MFA fatigue (repeated push prompts) to defeat two-factor authentication.
Once inside, they "live off the land", abusing legitimate tools across the enterprise infrastructure, including cloud and network environments. SS operators infiltrate internal IT and collaboration channels, monitor incident responders, and probe systems before launching larger attacks.
The group follows a ransomware playbook, pairing denial of service through encryption with extortion over stolen data, and causes significant operational disruption until demands are met.
SS is also known for brazen tactics such as directly contacting targets, creating new employee accounts in backend systems, or compromising HR systems with little concern for being identified. The group is adept at using mobile devices for infiltration and is resilient, continuing its operations through an affiliation with RansomHub, a ransomware-as-a-service operator.
Prevention is the first step
Organizations tend to believe that by stacking enough safeguards, such as privileged access management, phishing-resistant MFA, micro-segmentation and zero trust principles, they can build an impenetrable barrier against cyber threats. However, this is only the preparation and prevention phase.
The reality is that adversaries such as SS wield sophisticated tooling and social engineering tactics to bypass these defenses. Once the initial layer is breached, the interior is exposed. Outer defenses are essential, but they are not infallible; the true challenge lies in what happens after the crust is cracked:
- Organizations must be prepared for the post-intrusion activities inside the network, where attackers can move freely if not properly detected and contained. Robust detection and response strategies are crucial to ensure that even if the crust is compromised, the core remains secure.
- Robust cybersecurity against SS can be summed up in three C's: coverage, clarity, and control.
✔ Coverage means visibility across the whole attack surface, from identities through cloud services to the network, so that no stage of the intrusion goes unobserved.
✔ Clarity requires clear observation of the network and infrastructure, using AI to deliver precise and rapid insights.
✔ Control is the ability to respond quickly enough to shut down an attack in progress.
- Given the diverse and bold nature of SS attacks, the detection and response phase must identify deviations in user behavior, pinpoint the threat actors' lateral movement, and provide visibility from the identity stage through to the cloud and network components. Security platforms that integrate disparate signals into a single, clear signal are key.
- User awareness training is also critical. Employees must stay vigilant and recognize suspicious activity, while cybersecurity teams must operate with heightened diligence. Incident response exercises should be part of crisis management 101, testing readiness for identity compromise specifically.
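As a concrete illustration of the behavioral detection called for above, here is a small added example (not code from the original article or from any vendor platform) that runs two identity-attack rules over constructed sign-in and MFA events: an MFA fatigue rule (several push denials shortly followed by an approval) and a helpdesk-reset rule (an MFA reset by the helpdesk followed, within an hour, by a new MFA device enrolled from an IP address the user has never used). The event names, field layout, sample records and thresholds are all assumptions chosen for the example.

```python
"""Added example: two identity-attack detections over constructed identity logs.

Event names ("mfa_push_sent", "helpdesk_mfa_reset", ...), thresholds and the
sample records below are assumptions for illustration, not a real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, event, source_ip).
# alice: push-bombed, denies three prompts, then approves the fourth.
# bob:   helpdesk resets MFA; minutes later a device is enrolled from a new IP.
# dave:  helpdesk resets MFA, but re-enrolment comes from his usual IP.
SAMPLE_EVENTS = [
    ("2024-04-30T08:00:00", "bob", "login_success", "10.0.0.6"),
    ("2024-04-30T08:05:00", "dave", "login_success", "10.0.0.12"),
    ("2024-05-01T09:00:05", "alice", "mfa_push_sent", "198.51.100.7"),
    ("2024-05-01T09:00:20", "alice", "mfa_push_denied", "198.51.100.7"),
    ("2024-05-01T09:00:45", "alice", "mfa_push_sent", "198.51.100.7"),
    ("2024-05-01T09:01:10", "alice", "mfa_push_denied", "198.51.100.7"),
    ("2024-05-01T09:01:30", "alice", "mfa_push_sent", "198.51.100.7"),
    ("2024-05-01T09:01:50", "alice", "mfa_push_denied", "198.51.100.7"),
    ("2024-05-01T09:02:15", "alice", "mfa_push_sent", "198.51.100.7"),
    ("2024-05-01T09:02:40", "alice", "mfa_push_approved", "198.51.100.7"),
    ("2024-05-01T10:15:00", "bob", "helpdesk_mfa_reset", "10.0.0.5"),
    ("2024-05-01T10:22:00", "bob", "mfa_device_enrolled", "203.0.113.9"),
    ("2024-05-01T10:23:00", "bob", "login_success", "203.0.113.9"),
    ("2024-05-01T11:00:00", "carol", "mfa_push_sent", "10.0.0.8"),
    ("2024-05-01T11:00:10", "carol", "mfa_push_approved", "10.0.0.8"),
    ("2024-05-01T12:00:00", "dave", "helpdesk_mfa_reset", "10.0.0.5"),
    ("2024-05-01T12:05:00", "dave", "mfa_device_enrolled", "10.0.0.12"),
]


def _events_by_user(events):
    """Parse timestamps and group events per user in chronological order."""
    parsed = sorted((datetime.fromisoformat(ts), u, kind, ip) for ts, u, kind, ip in events)
    by_user = defaultdict(list)
    for ev in parsed:
        by_user[ev[1]].append(ev)
    return by_user


def detect_mfa_fatigue(events, denial_threshold=3, window=timedelta(minutes=10)):
    """Alert when a user approves a push after >= denial_threshold denials inside `window`.

    A legitimate user rarely denies several prompts and then approves one; that
    sequence is the signature of push bombing wearing the victim down.
    """
    alerts = []
    for user, evs in _events_by_user(events).items():
        denials = []
        for ts, _, kind, _ip in evs:
            if kind == "mfa_push_denied":
                denials.append(ts)
            elif kind == "mfa_push_approved":
                recent = [d for d in denials if ts - d <= window]
                if len(recent) >= denial_threshold:
                    alerts.append({"rule": "mfa_fatigue", "user": user,
                                   "denials": len(recent), "approved_at": ts.isoformat()})
                denials = []  # an approval closes the current prompt sequence
    return alerts


def detect_helpdesk_reset_abuse(events, window=timedelta(hours=1)):
    """Alert when a helpdesk MFA reset is followed by device enrolment from an unseen IP.

    Known IPs are built only from the user's own activity; the helpdesk's
    address on the reset event is not counted as the user's.
    """
    alerts = []
    for user, evs in _events_by_user(events).items():
        known_ips = set()
        last_reset = None
        for ts, _, kind, ip in evs:
            if kind == "helpdesk_mfa_reset":
                last_reset = ts
                continue
            if (kind == "mfa_device_enrolled" and last_reset is not None
                    and ts - last_reset <= window and ip not in known_ips):
                alerts.append({"rule": "helpdesk_reset_new_device", "user": user,
                               "src_ip": ip, "enrolled_at": ts.isoformat()})
            known_ips.add(ip)
    return alerts


def run(events=SAMPLE_EVENTS):
    """Run both rules and return the combined alert list."""
    return detect_mfa_fatigue(events) + detect_helpdesk_reset_abuse(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Thresholds like three denials in ten minutes are a starting point to tune against a real tenant's baseline; the point of the example is that both rules key on a sequence of identity events rather than on any single failed login, which is what distinguishes an SS-style compromise from ordinary user error.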
Always be vigilant against identity attacks
In today's hybrid enterprise environment, cyberattacks have evolved in tandem to become hybrid themselves, with a significant focus on identity-based threats.
It is therefore essential to integrate signals across the entire attack surface and consolidate them into a single, prioritized observability regime. This approach enables defenders to swiftly investigate and respond, effectively mitigating these attacks before they reach a point of impact.