Defending Against Scattered Spider: A Cyber Security Guide
CybaVerse are committed to equipping organisations with the knowledge and tools to combat sophisticated cyber threats. One such threat is Scattered Spider, a financially motivated hacking group known for its advanced social engineering tactics and ransomware attacks.
Drawing from the National Cyber Security Centre’s (NCSC) Threat Hunting Guide on Scattered Spider (Version 1.0, dated 03/05/2025), this blog post outlines the group’s tactics, techniques, and procedures (TTPs) and provides actionable strategies to detect and mitigate their activities.
This guide is adapted to help UK businesses, particularly in retail, finance, and telecom, stay resilient against this evolving threat.
Note: This post is based on the NCSC’s publicly available guidance, classified as TLP:GREEN, which permits sharing within the cyber security community for defensive purposes. For full details, refer to the original NCSC document and the TLP definitions here.
Who is Scattered Spider?
Scattered Spider, also known as UNC3944, Octo Tempest, or Muddled Libra, is a loosely affiliated group of hackers, primarily young native English speakers from the UK and US. Unlike traditional ransomware gangs, their fluency in English allows them to execute highly convincing social engineering attacks, often impersonating IT staff or employees to gain unauthorised access. According to the NCSC, Scattered Spider has been linked to over 100 attacks across sectors like retail, telecom, finance, and gaming, with recent open-source reports highlighting their targeting of major UK retailers.
The group specialises in credential theft, privilege escalation, and ransomware deployment, using tools like ALPHV/BlackCat, Ransom.Hub, Qilin/Agenda, and, as of early 2025, DragonForce ransomware-as-a-service (RaaS). Their ability to rapidly adapt tools and tactics makes them a persistent threat requiring proactive defence measures.
Scattered Spider’s Tactics, Techniques, and Procedures (TTPs)
The NCSC guide details how Scattered Spider operates across three key phases: initial access, privilege escalation, and lateral movement/ransomware deployment. Below is a summary of their TTPs:
1. Initial Access via Social Engineering
Scattered Spider excels at social engineering to breach systems:
- Phishing (SMS/Email): They deploy fake HR or IT messages, often using updated “Oktapus” phishing kits, to trick users into visiting credential-stealing sites.
- Vishing (Voice Phishing): Attackers impersonate IT staff or users, sometimes using AI-generated voices, to manipulate help desks into resetting credentials or bypassing multi-factor authentication (MFA).
- MFA Fatigue Attacks: Repeated MFA prompts overwhelm users, leading to accidental approval of unauthorised access.
- SIM Swapping: Attackers transfer victims’ phone numbers to intercept MFA codes.
Indicators to Watch:
- Lookalike domains (e.g., corp-asurion.com, klvl.it.com).
- Unsolicited calls or MFA prompts.
- Sudden account lockouts or unusual login patterns from unfamiliar geographies or devices.
2. Privilege Escalation & Credential Theft
Once inside, Scattered Spider escalates privileges to gain deeper access:
- Credential Dumping: Tools like Mimikatz, secretsdump, or ntdsutil are used to extract credentials and hash databases (e.g., NTDS.dit).
- Cloud Credential Theft: Tools such as Microburst and LaZagne target secrets in Azure or local storage.
- Reconnaissance: Attackers map sensitive systems like backup servers or point-of-sale infrastructure, often triggering audit log events for suspicious replication or directory access.
Indicators to Watch:
- Unusual process executions (e.g., lsass.exe dumps, mimikatz.exe).
- Audit log events showing suspicious directory access or replication.
- Multiple accounts accessed from a single system or widespread use of one account.
3. Lateral Movement & Ransomware Deployment
Scattered Spider blends into environments using legitimate tools and deploys ransomware:
- Living-off-the-Land Tools: They leverage remote management software (e.g., AnyDesk, TeamViewer), Windows utilities (PsExec, PowerShell), and VPNs to move laterally.
- Security Evasion (BYOVD): Malicious drivers (e.g., POORTRY via STONESTOP) disable antivirus and endpoint detection and response (EDR) systems.
- Data Exfiltration: Tools like Raccoon stealer, 7-Zip, and cloud drives facilitate data theft.
- Ransomware Deployment: Encryptors like DragonForce or ALPHV/BlackCat target virtualized infrastructure (e.g., ESXi, Hyper-V), often shutting down VMs before encryption.
Indicators to Watch:
- Unauthorised remote tool installations.
- Suspicious scheduled tasks or services.
- Large data transfers or compressed file creation (e.g., .7z/.zip files).
How to Hunt for Scattered Spider Activity
To detect Scattered Spider’s presence, security teams must proactively hunt for signs of compromise. Below are practical recommendations adapted from the NCSC guide:
- Monitor Identity & Authentication Logs
  - Query MFA Activity: Check identity provider logs (e.g., Azure AD, Okta) for repeated MFA push denials or resets, indicating MFA fatigue attacks.
  - Track Unusual Logins: Use SIEM tools to identify logins from unfamiliar geographies or devices, especially if followed by privileged actions.
  - Review Help Desk Tickets: Investigate password reset or account lockout requests, particularly those approved via phone, and cross-check for subsequent suspicious activity.
- Check Endpoints for Credential Theft
  - LSASS Access: Use EDR alerts or PowerShell scripts to detect processes accessing lsass.exe memory, a sign of tools like Mimikatz.
  - Registry and File System Artifacts: Search for vssadmin executions or NTDS.dit copies, which indicate attempts to steal Active Directory credentials.
  - Impacket Residue: Monitor SMB connections for DRSUAPI interface calls (e.g., DSGetNCChanges) or unusual admin$ share access.
- Hunt for Persistence Mechanisms
  - Unauthorised Remote Tools: Scan for tools like AnyDesk.exe or TeamViewer_Service.exe on servers and workstations using EDR or PowerShell’s Get-WmiObject.
  - Scheduled Tasks & Services: Check for suspicious tasks (e.g., “Updater” or “Monitor” with unusual EXE paths) using schtasks or EDR queries.
  - Cloud Persistence: Review Office 365/Azure for unrecognised OAuth consents, app registrations, or mailbox forwarding rules.
- Detect EDR/AV Tampering
  - Driver Installations: Query Windows Event ID 7045 for unusual driver or service installations, such as those exploiting vulnerable Intel drivers (e.g., iqvw64e).
  - AV Shutdowns: Check AV/EDR logs for unexpected agent shutoffs or telemetry gaps.
  - Group Policy Changes: Verify GPO settings for unauthorised changes to Windows Defender or firewall configurations.
- Monitor Network and Exfiltration
  - DNS and Proxy Logs: Filter for queries to suspicious domains (e.g., twitter-okta[.]com) or dynamic DNS providers like klvl.it.com.
  - Data Transfer Spikes: Use NetFlow or firewall logs to detect large egress traffic, especially after file compression activities.
  - Infrastructure IOCs: Block or alert on known Scattered Spider domains and IP ranges (e.g., Azure, Cloudflare, Akamai Linode ASNs), while avoiding false positives.
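The two identity checks above (repeated MFA push denials, and sign-ins from an unfamiliar location followed by a privileged action), together with the MFA fatigue indicator in section 1, can be expressed as a small hunt over exported sign-in events. The script below is an added example for this post, not code from the NCSC guide or from CybaVerse. Its events are constructed, and its comma-separated schema (timestamp, user, event, outcome, country) and event names such as mfa.push and role.assign.admin are a hypothetical simplification of what an Okta or Entra ID (Azure AD) export provides; map your own provider's fields onto it.

```python
"""Hunt identity-provider events for MFA fatigue and unfamiliar-location
sign-ins that are followed by a privileged action.

Added example for this post, not code from the NCSC guide or CybaVerse.
All events, user baselines and event names below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp,user,event,outcome,country.
SAMPLE_EVENTS = [
    "2025-05-03T08:00:01Z,alice,mfa.push,DENY,GB",
    "2025-05-03T08:00:40Z,alice,mfa.push,DENY,GB",
    "2025-05-03T08:01:15Z,alice,mfa.push,DENY,GB",
    "2025-05-03T08:01:50Z,alice,mfa.push,DENY,GB",
    "2025-05-03T08:02:30Z,alice,mfa.push,DENY,GB",
    "2025-05-03T08:03:05Z,alice,mfa.push,ALLOW,GB",   # worn down and approved
    "2025-05-03T09:10:00Z,bob,mfa.push,DENY,GB",      # a single denial is normal noise
    "2025-05-03T09:30:00Z,bob,login,SUCCESS,GB",
    "2025-05-03T11:00:00Z,carol,login,SUCCESS,NL",    # carol has never signed in from NL
    "2025-05-03T11:04:00Z,carol,role.assign.admin,SUCCESS,NL",
]

# Countries each user normally signs in from (constructed baseline; in practice
# derive it from several weeks of successful sign-ins).
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}

# Actions worth alerting on when they follow an unfamiliar sign-in (hypothetical names).
PRIVILEGED_EVENTS = {"role.assign.admin", "password.reset", "mfa.factor.reset"}


def parse(line):
    """Split one constructed CSV event into a dict with a real datetime."""
    ts, user, event, outcome, country = line.strip().split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "outcome": outcome, "country": country}


def _sorted_events(lines):
    return sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])


def find_mfa_fatigue(lines, min_denials=3, window=timedelta(minutes=10)):
    """Return {user: {"denials": n, "approved_after_burst": bool}} for users with
    at least `min_denials` push denials inside `window`; approved_after_burst is
    set if an ALLOW arrived while the burst was still inside the window."""
    findings = {}
    denials = defaultdict(deque)  # user -> timestamps of recent denials
    for ev in _sorted_events(lines):
        if ev["event"] != "mfa.push":
            continue
        q = denials[ev["user"]]
        while q and ev["ts"] - q[0] > window:   # drop denials older than the window
            q.popleft()
        if ev["outcome"] == "DENY":
            q.append(ev["ts"])
            if len(q) >= min_denials:
                f = findings.setdefault(ev["user"], {"denials": 0, "approved_after_burst": False})
                f["denials"] = max(f["denials"], len(q))
        elif ev["outcome"] == "ALLOW" and len(q) >= min_denials:
            f = findings.setdefault(ev["user"], {"denials": len(q), "approved_after_burst": False})
            f["approved_after_burst"] = True
    return findings


def find_unfamiliar_privileged(lines, known, window=timedelta(hours=1)):
    """Return (user, country, event) for privileged actions performed within
    `window` of a successful sign-in from a country outside the user's baseline."""
    findings = []
    recent = {}  # user -> (ts, country) of the latest unfamiliar sign-in
    for ev in _sorted_events(lines):
        u = ev["user"]
        if ev["event"] == "login" and ev["outcome"] == "SUCCESS" \
                and ev["country"] not in known.get(u, set()):
            recent[u] = (ev["ts"], ev["country"])
        elif ev["event"] in PRIVILEGED_EVENTS and u in recent:
            ts, country = recent[u]
            if ev["ts"] - ts <= window:
                findings.append((u, country, ev["event"]))
    return findings


if __name__ == "__main__":
    print("MFA fatigue:", find_mfa_fatigue(SAMPLE_EVENTS))
    print("Unfamiliar sign-in then privileged action:",
          find_unfamiliar_privileged(SAMPLE_EVENTS, KNOWN_COUNTRIES))
```

On the constructed data alice is flagged with five denials and an approval inside the burst, bob's single denial is ignored, and carol's admin role assignment four minutes after a first-ever sign-in from NL is reported. The thresholds (three denials in ten minutes, one hour between sign-in and privileged action) are starting points to tune against your own false-positive rate; a flagged approval after a burst is the case to treat as a probable compromise and hand to the eviction steps below.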
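The persistence and tampering checks above (unauthorised remote tools, generically named scheduled tasks with unusual EXE paths, and Event ID 7045 service or driver installations), which restate the section 3 indicators, reduce to a handful of rules over two record types. The triage below is an added example for this post, not code from the NCSC guide or CybaVerse. The service and task records are constructed tuples standing in for fields you would pull from the System event log (Event ID 7045: service name, image path, service type) and from schtasks; the parsing of those native formats is not shown. The trusted and user-writable directory lists and the tool names are assumptions chosen to match the tools the post names, and iqvw64e.sys is the page's Intel driver example given as a file name.

```python
"""Triage Windows service/driver installations (Event ID 7045) and scheduled
tasks for Scattered Spider-style persistence and EDR tampering.

Added example for this post, not code from the NCSC guide or CybaVerse.
All records below are constructed; the directory lists and tool names are
assumptions to be adjusted for your estate.
"""
import re

# Directories where legitimate services and drivers are expected to live (assumed).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Directories any user (or a phished user's session) can write to (assumed).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
# Remote-management binaries the post names; extend with whatever your estate does not sanction.
REMOTE_TOOL_NAMES = {"anydesk.exe", "teamviewer_service.exe", "teamviewer.exe"}
# Task names the guide cites as typical camouflage.
GENERIC_TASK_NAMES = {"updater", "monitor", "update", "sync"}
# Known-abused driver file names; the post names iqvw64e (Intel), given here as a file name.
KNOWN_VULN_DRIVERS = {"iqvw64e.sys"}

# Constructed Event ID 7045 records: (service name, image path, service type).
SAMPLE_7045 = [
    ("Windows Defender Advanced Threat Protection Service",
     "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe", "user mode service"),
    ("AnyDesk Service", "C:\\ProgramData\\AnyDesk\\AnyDesk.exe --service", "user mode service"),
    ("iqvw64e", "C:\\Users\\Public\\iqvw64e.sys", "kernel mode driver"),
    ("PSEXESVC", "C:\\Windows\\PSEXESVC.exe", "user mode service"),
]
# Constructed scheduled-task records: (task path, action).
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "C:\\Windows\\System32\\defrag.exe -c"),
    ("\\Updater", "C:\\Users\\Public\\svc\\update.exe"),
    ("\\Monitor", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"),
]


def exe_from_path(image_path):
    """Return the lower-cased executable path from an ImagePath/action string that
    may carry quotes or arguments (e.g. 'C:\\x\\a.exe --service' -> 'c:\\x\\a.exe')."""
    p = image_path.strip().strip('"')
    m = re.match(r"^(.*?\.(?:exe|sys|dll))", p, re.IGNORECASE)
    return (m.group(1) if m else p).lower()


def triage_service(name, image_path, service_type):
    """Return the list of reasons a 7045 record is suspicious (empty if none)."""
    exe = exe_from_path(image_path)
    base = exe.rsplit("\\", 1)[-1]
    reasons = []
    if base in REMOTE_TOOL_NAMES:
        reasons.append("remote-admin-tool")
    if base in KNOWN_VULN_DRIVERS:
        reasons.append("known-vulnerable-driver")
    if service_type == "kernel mode driver" and not exe.startswith(TRUSTED_DIRS):
        reasons.append("driver-outside-trusted-dir")   # BYOVD staging ground
    if exe.startswith(USER_WRITABLE):
        reasons.append("user-writable-path")
    if base == "psexesvc.exe":
        reasons.append("psexec-service")               # lateral movement via PsExec
    return reasons


def triage_task(task_path, action):
    """Return the list of reasons a scheduled task is suspicious (empty if none)."""
    exe = exe_from_path(action)
    leaf = task_path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if leaf in GENERIC_TASK_NAMES and not exe.startswith(TRUSTED_DIRS):
        reasons.append("generic-name-untrusted-path")
    if exe.startswith(USER_WRITABLE):
        reasons.append("user-writable-path")
    return reasons


def hunt(services=SAMPLE_7045, tasks=SAMPLE_TASKS):
    """Run both triages and return only the records that raised at least one reason."""
    findings = []
    for name, path, stype in services:
        if reasons := triage_service(name, path, stype):
            findings.append(("service", name, reasons))
    for tpath, action in tasks:
        if reasons := triage_task(tpath, action):
            findings.append(("task", tpath, reasons))
    return findings


if __name__ == "__main__":
    for kind, name, reasons in hunt():
        print(f"{kind:8} {name:55} {', '.join(reasons)}")
```

Note that the Monitor task is not flagged: its name is generic but it runs a binary from System32, which is the distinction the guide draws. A kernel-mode driver loading from a user-writable directory scores three reasons at once and is the record to correlate with the AV/EDR telemetry gaps listed under "Detect EDR/AV Tampering".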
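The DNS and proxy log check above, and the lookalike-domain indicator in section 1 (corp-asurion.com, klvl.it.com, twitter-okta[.]com), share one detection: decide whether a queried name is a brand lookalike, a typosquat of a domain you legitimately use, or a rented dynamic-DNS host. The classifier below is an added example for this post, not code from the NCSC guide or CybaVerse. The organisation name "examplecorp", its allowlist, the brand tokens, the log lines and the dynamic-DNS suffix list are constructed; the page's own example domains are reused as queries in the sample log.

```python
"""Classify DNS/proxy log queries as brand lookalikes, typosquats or dynamic-DNS hosts.

Added example for this post, not code from the NCSC guide or CybaVerse.
The allowlist, brand tokens, suffix list and log lines are constructed.
"""

# Registrable domains the organisation legitimately resolves (constructed allowlist).
ALLOWLIST = {"examplecorp.com", "okta.com", "microsoft.com"}
# Brand words whose presence in an unknown registrable domain is suspicious.
BRAND_TOKENS = {"examplecorp", "okta", "asurion"}
# Suffixes under which anyone can register a host; the post names klvl.it.com.
DYNAMIC_DNS_SUFFIXES = {"it.com", "duckdns.org", "ddns.net"}
# Public suffixes with two labels, so registrable_domain keeps three labels for them.
MULTI_PART_TLDS = {"co.uk", "org.uk", "ac.uk", "com.au"}

# Constructed log lines: timestamp, source IP, queried name.
SAMPLE_DNS_LOG = [
    "2025-05-03T10:00:00Z 10.0.0.5 examplecorp.okta.com",
    "2025-05-03T10:00:02Z 10.0.0.5 login.microsoft.com",
    "2025-05-03T10:01:10Z 10.0.0.7 twitter-okta.com",
    "2025-05-03T10:02:44Z 10.0.0.9 sso.examplec0rp.com",
    "2025-05-03T10:03:01Z 10.0.0.9 klvl.it.com",
    "2025-05-03T10:04:30Z 10.0.0.5 corp-asurion.com",
    "2025-05-03T10:05:00Z 10.0.0.11 news.bbc.co.uk",
]


def registrable_domain(fqdn):
    """Reduce a host name to its registrable part (last two labels, or three
    for multi-part public suffixes such as co.uk)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn, max_distance=2):
    """Return a reason string for a suspicious name, or None for an allowlisted
    or unremarkable one. Order: allowlist, dynamic DNS, brand token, typosquat."""
    reg = registrable_domain(fqdn)
    if reg in ALLOWLIST:
        return None
    if reg in DYNAMIC_DNS_SUFFIXES:
        return "dynamic-dns"
    for token in sorted(BRAND_TOKENS):
        if token in reg:
            return f"brand-in-domain:{token}"
    for legit in sorted(ALLOWLIST):
        label = legit.split(".")[0]
        # Short labels (okta) would match far too many names at distance 2,
        # so only longer legitimate names get the edit-distance check.
        if len(label) >= 6 and levenshtein(reg.split(".")[0], label) <= max_distance:
            return f"typosquat-of:{legit}"
    return None


def hunt(lines=SAMPLE_DNS_LOG):
    """Return (source IP, queried name, reason) for every suspicious query."""
    findings = []
    for line in lines:
        _ts, src, fqdn = line.split()
        reason = classify(fqdn)
        if reason:
            findings.append((src, fqdn, reason))
    return findings


if __name__ == "__main__":
    for src, fqdn, reason in hunt():
        print(f"{src:12} {fqdn:28} {reason}")
```

Feed it your resolver or proxy export one name per line and the allowlist of domains your tenant really uses; the brand-token rule catches the "<brand>-<word>.com" pattern the post cites, the edit-distance rule catches single-character swaps such as examplec0rp, and the suffix rule catches hosts under rented dynamic-DNS domains regardless of their label. Two hosts from 10.0.0.9 in a row (a typosquat, then a dynamic-DNS name) is the kind of sequence to pivot on in the identity logs for that user.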
Evicting Scattered Spider from Your Environment
If you detect Scattered Spider activity, immediate and thorough action is critical to evict the attackers and prevent re-entry. Here’s a condensed remediation plan based on NCSC’s recommendations:
- Contain and Isolate Affected Systems
  - Disconnect compromised machines from the network using network access controls.
  - Disable remote access to critical systems (e.g., ESXi hosts) showing signs of ransomware preparation.
- Secure Privileged Accounts
  - Reset passwords for all high-privilege accounts (e.g., domain admins, cloud global admins) and suspected compromised accounts.
  - Invalidate active sessions and tokens in Office 365/Azure AD, and re-establish MFA with new secrets.
- Eradicate Persistence Mechanisms
  - Uninstall unauthorised remote tools (e.g., AnyDesk, TeamViewer).
  - Remove malicious scheduled tasks, services, or startup entries.
  - Rebuild critical systems like domain controllers if deeply compromised, and verify cloud admin settings for rogue OAuth apps or device registrations.
- Remove Privilege Escalation Artifacts
  - Block vulnerable drivers using tools like Windows Defender Application Control.
  - Remove unauthorised admin accounts and restore disabled security tools.
  - Patch exploited vulnerabilities in domain controllers, VPNs, and hypervisors.
- Verify Cleanliness with a Second Threat Hunt
  - Run updated AV scans and IOC searches (e.g., Yara rules for Spectre RAT).
  - Monitor authentication logs for signs of re-entry, such as renewed MFA fatigue attacks.
  - Block known phishing domains and test for callbacks to malicious hosts.
- Restore Operations and Strengthen Defences
  - Restore systems from clean, verified backups.
  - Deploy EDR agents and enable robust logging (e.g., CISA’s Logging Made Easy).
  - Enforce least privilege, adopt phishing-resistant MFA (e.g., FIDO2 keys), and ensure offline backups are tested.
- Communicate and Collaborate
  - Report incidents to the NCSC via report.ncsc.gov.uk and coordinate with law enforcement (e.g., National Crime Agency).
  - Share IOCs with the NCSC’s Cyber Security Information Sharing Partnership (CISP).
  - Communicate transparently with staff and customers, following NCSC guidance.
Staying Ahead of Scattered Spider
Scattered Spider’s persistence and adaptability demand constant vigilance. Regularly update your threat intelligence feeds to track their evolving TTPs and maintain strong security hygiene. At CybaVerse, we recommend integrating advanced threat detection tools, employee training to counter social engineering, and robust backup strategies to mitigate ransomware risks.
For further details, consult the NCSC’s Scattered Spider Threat Hunting Guide (Version 1.0, 03/05/2025) and adhere to TLP:GREEN sharing restrictions. Contact the NCSC at ncscinfoleg@ncsc.gov.uk for FOIA queries or incident reporting.
By staying proactive and informed, UK organisations can defend against Scattered Spider and other sophisticated threats. Let’s secure the digital landscape together.
Disclaimer: This blog post is an adaptation of the NCSC’s guidance for educational and defensive purposes. The original document is exempt under the Freedom of Information Act 2000 (FOIA). CybaVerse accepts no liability for any errors or omissions in this adaptation, as per the NCSC’s disclaimer.