CISA warns Scattered Spider ransomware group is stepping up with more sophisticated attacks


The US cybersecurity watchdog on Tuesday released an updated advisory for the Scattered Spider ransomware group, detailing even more sophisticated social engineering techniques and new ransomware variants.


The latest advisory is in response to the gang’s most recent activity against critical infrastructure and the commercial facilities sectors and subsectors as of June 2025, the FBI said. It's now the third advisory on the gang since November 2023.


Scattered Spider – also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra – primarily targets large organizations with phishing-style social engineering attacks, preying on the victims' third-party information technology (IT) help desk vendors.

The US Cybersecurity and Infrastructure Security Agency (CISA), which prepared the updated advisory with the FBI and the national cyber authorities of the UK, Canada, and Australia, is warning of new tactics, techniques, and procedures (TTPs) being used by the cybercriminal group, such as push bombing and SIM swapping attacks.

According to outside sources, this further includes additional malware and ransomware variants – such as the deployment of DragonForce ransomware – to exfiltrate data and encrypt victim systems.

“While some TTPs remain consistent, Scattered Spider threat actors often change TTPs to remain undetected,” the advisory states.

Nick Tausek, Lead Security Automation Architect at Swimlane, said the advisory highlights two major things: first, Scattered Spider’s ability to exfiltrate large amounts of data, and second, the diligence the group exhibits in carrying out its attacks – both raising a lot of red flags.

Scattered Spider and evolving TTPs

According to FBI investigators, the group varies its use of social engineering techniques to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).


In push bombing or MFA fatigue attacks, the group bombards the user with verification requests until the user accepts the request. This allows the attackers to bypass multifactor authentication (MFA) and gain access to the system without alerting security teams.

By comparison, a subscriber identity module (SIM) swapping or hijacking attack tricks the user's cellular carrier into transferring the victim's phone number to a SIM card controlled by the attacker, allowing the bad actor to intercept any text message containing one-time passwords (OTPs) used for two-factor authentication.

The attacker can use the access to bypass MFA, reset passwords, take over other online accounts, and install remote access tools to infiltrate the network further.
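To make the push-bombing pattern concrete from the defender's side, here is an added example (not from the advisory or this article) that flags a user who receives a burst of MFA push prompts inside a short window and raises the severity when an approval follows the burst. The log line format, the thresholds, and the sample lines are assumptions constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): bob gets one normal prompt; alice is
# bombarded with six prompts in under three minutes and finally approves one.
SAMPLE_LOG = [
    "2025-06-10T08:00:00 user=bob event=mfa_push_sent",
    "2025-06-10T08:00:20 user=bob event=mfa_push_approved",
    "2025-06-10T08:10:00 user=alice event=mfa_push_sent",
    "2025-06-10T08:10:15 user=alice event=mfa_push_denied",
    "2025-06-10T08:10:30 user=alice event=mfa_push_sent",
    "2025-06-10T08:11:00 user=alice event=mfa_push_sent",
    "2025-06-10T08:11:30 user=alice event=mfa_push_sent",
    "2025-06-10T08:12:00 user=alice event=mfa_push_sent",
    "2025-06-10T08:12:30 user=alice event=mfa_push_sent",
    "2025-06-10T08:13:00 user=alice event=mfa_push_approved",
]

WINDOW = timedelta(minutes=10)  # sliding window per user (assumed tuning value)
THRESHOLD = 5                   # prompts inside the window that count as a burst

def parse_line(line):
    """Assumed format: '<ISO timestamp> user=<id> event=<name>'."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user.split("=", 1)[1], event.split("=", 1)[1]

def detect_push_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """One alert per user whose prompt count reaches the threshold inside the window.
    'approved' flips to True if that user later accepts a prompt: the fatigue worked."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    alerts = {}                  # user -> alert dict
    for line in sorted(lines):   # ISO timestamps sort lexically in time order
        ts, user, event = parse_line(line)
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "at": ts.isoformat(),
                                "pushes": len(q), "approved": False}
        elif event == "mfa_push_approved" and user in alerts:
            alerts[user]["approved"] = True  # highest severity: burst then acceptance
    return list(alerts.values())

def run_sample():
    return detect_push_bombing(SAMPLE_LOG)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A burst that ends in an approval is the case to treat as a probable account compromise rather than a nuisance, which is why the alert carries that flag separately.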

Scattered Spider attack lifecycle. Image by Google Mandiant.

Among the newest tactics, Scattered Spider was reported posing as a victim company’s employee and tricking IT and/or help desk staff “to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a device they control on separate devices.”

Previously known social engineering tactics used by Scattered Spider have focused on impersonating the IT help desk worker to trick unsuspecting company employees, including by:

  • Posing as company IT and/or help desk staff, using phone calls or SMS messages, to obtain credentials from employees and gain access to the network.
  • Posing as company IT and/or help desk staff to direct employees to run commercial remote access tools, enabling initial access.
  • Posing as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.

The threat actor often gains personal information on the targeted employees by scouring social media sites and the web for open-source information, searching business-to-business websites, or purchasing employee or contractor credentials on illicit marketplaces such as Russia Market, the FBI said.

This is in addition to the financial extortion the ransomware group carries out once it has exfiltrated or encrypted a victim’s sensitive data or blocked network access.

In the latest instances, Scattered Spider was able to gain access to the targeted organizations through their Snowflake Cloud accounts, exfiltrating large volumes of data in a short period of time, often running thousands of queries immediately, the advisory states.


Tausek said the access to an organization’s Snowflake “allows the group to run thousands of queries immediately and simultaneously, often deploying Dragonforce malware to encrypt target organizations’ servers.”

“The potential for vast amounts of stolen data explains why they’ve been successful across multiple industries, from insurance to transportation to retail,” Tausek said.

To help combat this threat, Snowflake announced in May that it would be blocking all single sign-on access for all customer accounts and, starting in August, enforcing the use of MFA for all password-enabled accounts.

Snowflake cloud platform. Image by T. Schneider | Shutterstock.

In the latest instances, Scattered Spider has additionally been observed searching a targeted organization’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails or conversations regarding the threat actors’ intrusion and any security response.

The group will set up fictitious identities, complete with fake yet convincing social media profiles, often using proxy networks and rotating machine names to evade detection.

At that point, using the fake profiles, the group will even take part in company teleconferences and remediation and response calls, “likely to identify how security teams are hunting them and proactively develop new avenues of intrusion,” the FBI said.

Tausek believes Scattered Spider’s ability to enter the incident remediation and response calls while remaining undetected and then adapting its tactics accordingly “is a clever strategy to remain ahead.”

“Listening in on these calls gives them access to information like how they’re being hunted, and what adjustments security teams will make to prevent future attacks,” Tausek explained.


Tausek said if ransomware does breach a company’s security defenses, “organizations should administer application controls that can prevent remote access authorization, such as virtual private networks or virtual desktop interfaces.”

To further beef up defenses, the advisory urges companies to maintain and regularly test offline data backups (stored separately from the source systems), enable and enforce phishing-resistant MFA, and implement application controls to manage and control software execution.

“Additionally, organizations should severely limit the use of Remote Desktop Protocol (RDP), and implement recovery plans,” Tausek said.

Scattered Spider cost victims hundreds of millions

First observed in May 2022, Scattered Spider targets a wide range of sectors with a notable focus on technology, telecommunications, financial services, business process outsourcing (BPO), gaming, hospitality, retail, and media & entertainment, according to a bulletin on the group published July 2nd by Google’s threat intel unit, Mandiant.

Several arrests have been made in connection with the Scattered Spider attacks over the past two months, with four suspected group members arrested in the UK on June 17th and another UK national arrested in Spain this month, all aged between 17 and 22.

Earlier this year, the Scattered Spider gang successfully set its sights on the UK retail sector with big-name victims including Marks & Spencer (M&S), Co-Op, and Harrods, in a coordinated effort with the DragonForce ransomware group.

The group is believed to have gained access to M&S systems by using the login credentials of two employees from its third-party IT vendor and business partner, Tata Consultancy Services (TCS), which also happens to be the contracted IT vendor for Co-op.

Marks & Spencer ransomware attack. Image by Cybernews.

Charles Carmakal, CTO at Mandiant Consulting - Google Cloud, told Cybernews, “Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the UK, Mandiant Consulting hasn't observed any new intrusions directly attributable to this specific threat actor.”


The CTO went on to say that even though there’s been a drop in Scattered Spider activity, it is still critical for organizations to adapt their defenses and policies against these types of attacks now.

“This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly,” Carmakal said.

Urging organizations to keep their guard up, Carmakal explained that Mandiant is still “actively seeing other threat actors, like UNC6040, successfully employing similar social engineering tactics” that mimic those used by Scattered Spider.

“While one group may be temporarily dormant, others won't relent,” Carmakal added.

Scattered Spider (UNC3944) global targeting map. Image by Google Mandiant.

Known for attacking large enterprise organizations in predominantly English-speaking nations primarily for higher impact and ransom demands, the group has recently expanded to target companies in Singapore and India, the research shows.

Mandiant warned only weeks ago that the English-speaking threat actor had recently switched gears and is now targeting North American airline carriers and the transportation industry as a whole, kicking off its campaign with a massive breach of Hawaiian Airlines in June.

And, earlier this month, American bleach maker Clorox filed a lawsuit against its tech vendor, Cognizant, for alleged security failures leading to a massive 2023 breach claimed by the ransomware group.

Both the M&S and Clorox attacks have reportedly cost the companies upwards of $400 million each in lost revenue and restoration efforts.

Scattered Spider is also known for working with the now-defunct ALPHV/BlackCat ransomware group to carry out the widely publicized attacks on MGM Resorts International and Caesars Palace in Las Vegas back in 2023.


You can read the fully updated CISA advisory here.