Scattered Spider
Actor Type | Criminal Group |
---|---|
Directly Linked Intrusion Sets | Muddled Libra |
Scattered Spider is a group of criminal actors that have been observed targeting large companies using social engineering techniques and extorting them with ransomware.
Social engineering techniques used by the group include posing as IT helpdesk staff, 'push bombing' and SIM swapping.
Scattered Spider Threat Reports
Report
Scattered Spider Advisory AA23-320A
This advisory from CISA outlines tactics, techniques and procedures used by the Scattered Spider threat actors, as observed by the FBI up until ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1486 | Data Encrypted for Impact | Impact |
T1219 | Remote Access Software | Command and Control |
T1530 | Data from Cloud Storage | Collection |
T1114 | Email Collection | Collection |
T1074 | Data Staged | Collection |
T1213.002 | Sharepoint | Collection |
T1213.003 | Code Repositories | Collection |
T1021.007 | Cloud Services | Lateral Movement |
T1539 | Steal Web Session Cookie | Credential Access |
T1018 | Remote System Discovery | Discovery |
T1083 | File and Directory Discovery | Discovery |
T1538 | Cloud Service Dashboard | Discovery |
T1217 | Browser Information Discovery | Discovery |
T1552.004 | Private Keys | Credential Access |
T1552.001 | Credentials In Files | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1606 | Forge Web Credentials | Credential Access |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1484.002 | Domain Trust Modification | Defense Evasion, Privilege Escalation |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1136 | Create Account | Persistence |
T1204 | User Execution | Execution |
T1648 | Serverless Execution | Execution |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1199 | Trusted Relationship | Initial Access |
T1566 | Phishing | Initial Access |
T1585.001 | Social Media Accounts | Resource Development |
T1583.001 | Domains | Resource Development |
T1598 | Phishing for Information | Reconnaissance |
T1589 | Gather Victim Identity Information | Reconnaissance |