Skip to main content

Scattered Spider Unmasked: How an identity-focused APT is redefining cyber threats

Published Date
Author Andy Thompson

How an identity-focused APT is redefining cyberthreats

Scattered Spider has emerged as one of the most disruptive advanced persistent threats in recent years, breaching major organizations across telecom, gaming, transportation, and retail. In the last few months, the group has escalated its activity—targeting financial services and launching coordinated ransomware campaigns that have crippled operations and exposed sensitive data.

By exploiting identity systems and human workflows rather than software flaws, Scattered Spider is forcing security teams to rethink how they protect access and privilege. What follows is a breakdown of the group’s high-profile campaigns, evolving tactics, and the controls organizations can implement to help defend against identity-centric attacks.

Who (or what) is Scattered Spider?

Since at least mid-2022, Scattered Spider (also tracked as UNC3944, Storm-0875, Oktapus, among other aliases) has been a financially motivated advanced persistent threat (APT) that combines native-English social engineering with precise technical know-how. Its operators are predominantly young adults based in Western countries fluent in local dialects, enabling them to impersonate employees, support staff, and executives convincingly.

Their modus operandi revolves around targeting identity systems:

  1. Help desk exploitation: Convincing IT support to reset passwords or multi-factor authentication (MFA) settings through phone calls and other psychological manipulation techniques.
  2. SIM swapping and MFA fatigue: Hijacking SMS one-time passwords (OTPs) and pressuring users with push notifications until they give in and approve access.
  3. Phishing and credential harvesting: Registering victim-specific domains to capture live credentials or session cookies.
  4. Cloud identity abuse: Registering rogue devices or adding a malicious federated identity provider (IdP) to legitimate single sign-on (SSO) configurations.

Rather than exploiting software vulnerabilities directly, Scattered Spider excels at “hacking the person” and then “living off the land and cloud” by abusing built-in admin tools, SaaS services, and identity workflows.

Scattered spider excels

Recent high-impact campaigns

A global telecom company breach (late 2022)

In late 2022, Scattered Spider targeted a global telecom company, using phishing and SIM swap fraud to compromise help desk credentials. They intercepted customer support sessions, reset MFA, and exfiltrated subscriber data. This initial success demonstrated their ability to exploit telecom workflows and set the stage for later high-profile intrusions.

MGM Resorts and gaming sector attacks (mid-2023)

In late 2023, Scattered Spider targeted MGM Resorts and other global gaming operators by identifying high-privilege employees through open-source intelligence (OSINT), then launching social engineering attacks to dupe help desks into resetting the MFA of highly privileged IT users.

With valid credentials, the group exfiltrated terabytes of customer and employee data and used hypervisor-level ransomware to encrypt VMware ESXi hosts—crippling operations for days and costing them hundreds of millions of dollars.

A major UK transportation agency intrusion (Sept. 2024)

A major UK transportation agency confirmed a cyber incident in early September 2024. The attackers (later confirmed to be Scattered Spider) used help desk social engineering to bypass the MFA of highly privileged users again and then exfiltrated employee data, including financial records and other PII. As a precaution, the transportation agency disabled online account management portals and required tens of thousands of forced password resets, causing service and administrative disruptions for weeks.

UK retail ‘cyber hurricane’ (April 2025)

In April 2025, a coordinated campaign hit several UK retailers. After exfiltrating data via cloud storage services, the actors deployed a new ransomware strain weeks later.

Retailers reported millions in daily revenue losses, supply chain disruptions, and significant brand impact. National cybersecurity agencies warned that vertical-hopping APTs like Scattered Spider would continue targeting diverse sectors, which quickly proved to be accurate.

Financial services CFO account takeover (May 2025)

In May 2025, attackers compromised a CFO’s credentials via credential stuffing, then socially engineered IT support multiple times to change MFA devices—each rotation transferring privileged tokens to attacker-controlled endpoints.

Once inside, they intercepted session proxy communications and harvested vault credentials for persistent access and large-scale data exfiltration.

How Scattered Spider evolves: tactics, techniques, and procedures (TTPs)

Scattered Spider’s toolkit has matured significantly since their early days. Key TTPs include:

1. Help desk and IT support scams

  • Impersonation calls: Posing as employees or IT staff with plausible backstories to reset MFA or passwords.
  • Session proxy interception: Abusing session proxy services to capture temporary tokens during help desk resets and replaying them later for elevated access.

2. SIM swapping and MFA fatigue

  • SIM port-out fraud: Hijacking SMS-based OTPs via mobile carrier social engineering.
  • Push bombing: Flooding authenticator apps with push requests until a user inadvertently approves access.

3. Phishing and cookie theft

  • Victim-specific domains: Registering look-alike URLs (e.g., company-sso-example.com) to harvest credentials and session cookies.
  • Adversary-in-the-middle kits: Using phishing infrastructures to steal live tokens and bypass MFA protections.

4. Cloud identity and federation abuse

  • Rogue IdP insertion: Adding malicious SAML/OpenID Connect providers to corporate SSO, granting backdoor entry even after password resets.
  • Audit log tampering: Filtering or altering cloud audit logs (e.g., AWS CloudTrail) to erase evidence of unauthorized trust relationships.

5. Living off the land (and cloud)

  • Built-In tool abuse: Leveraging native administration utilities (PowerShell, Task Scheduler) to avoid introducing external binaries.
  • SaaS service leverage: Using legitimate cloud management consoles and SaaS services (e.g., cloud file storage, notebook platforms) for persistence and data exfiltration instead of deploying custom malware.
  • Vulnerable driver exploits: Loading signed but outdated drivers to disable security software.

6. Virtualization and ransomware deployment

  • Hypervisor encryption: Accessing virtualization admin interfaces to encrypt entire ESXi clusters simultaneously.
  • Double extortion: Exfiltrating sensitive data to cloud storage platforms before triggering ransomware for maximum leverage.

Vulnerabilities vs. abuse: Why it’s not a PAM software flaw

Despite abusing privileged access controls, to our knowledge, these breacheshave not  involved direct exploitation of vulnerabilities in privileged access management (PAM) software. Scattered Spider’s successes appear to stem fromhuman and process weaknesses—social engineering and improper identity workflows—rather than from software bugs in vaults or proxies. This suggests the solution lies inprocess hardening, not product patching.

Mitigation tactics mapped to TTPs

To defend against identity-centric APTs like Scattered Spider, organizations should implement these controls:

1. Endpoint hardening

  • Remove local admin rights: Enforce standard user privileges on endpoints; elevate only authorized processes.
  • Command elevation control: Use application allowlists and block unauthorized driver installations to prevent sideloaded exploits.

2. Browser isolation

  • Prevent cookie theft: Deploy an isolated browser environment for corporate web sessions that blocks malicious scripts from exfiltrating authentication cookies.

3. Credential tiering and segmentation

  • Tier 0, 1, 2 controls: Classify accounts by criticality—Tier 0 for identity and domain controllers, Tier 1 for servers, Tier 2 for workstations.
  • Zero standing privileges (ZSP) and just-in-time (JIT) access: Adopt a model where no user holds persistent high-level rights; instead, require on-demand elevation for specific tasks that automatically expire afterward. This decreases standing credentials and reduces the attack surface during dormant periods.

4. Session isolation

  • Stream privileged sessions: Proxy all administrative connections through a secure session broker that streams display only, preventing direct remote desktop access.
  • Monitor proxy abuse: Alert on session interceptions, unusual session recordings, or replay attempts.

5. Multi-factor and authentication assurance

  • Authentication assurance level 3 (AAL 3) refers to the highest standard of MFA, typically involving hardware security keys or cryptographic app-based authenticators with user verification (e.g., PIN or biometric). AAL 3 methods are resilient against SIM swapping, push bombing, and phishing. Require AAL 3 for all domain admins, identity administrators, and other highly privileged users.

6. Service account rotation

  • Automated rotation: Employ tools to regularly rotate service account credentials in Active Directory and cloud environments, invalidating stolen keys or passwords.

7. Directory mapping and access management

  • Dedicated admin accounts: Map identity and vault administration roles to individual user accounts—not groups—and ensure each has separate MFA enrollment at AAL 3.
  • Protect service accounts: Use automated rotation and strict monitoring to detect any unauthorized use.

8. Data exfiltration controls and network segmentation

  • Egress monitoring: Inspect outbound traffic for large data transfers to cloud storage or anonymizing services.
  • Micro-segmentation: Isolate identity systems, virtualization management, and backup networks into separate zones.

9. Secure remote access

  • Full-tunnel virtual private network (VPN) with device authentication: Require device certificates plus user MFA to access sensitive resources, ensuring that only compliant workstations can connect.

Identity is the new perimeter

Scattered Spider’s advanced social engineering, session proxy abuse, and cloud identity subversion again demonstrate that identity is the perimeter. Organizations must reinforce session isolationleast privilege credential tiering, and robust MFA at the highest levels of assurance.

By treating identity processes as critical infrastructure and hardening human workflows, security leaders can significantly reduce the risk posed by this sophisticated APT.

TL;DR: Assume breach. Verify identity.

Andy Thompson is a senior offensive research evangelist at CyberArk Labs.