First published: 30 Jul 2025
Last updated: 30 Jul 2025

Content written for

Large organisations & infrastructure
Government

Today we have released a joint advisory with the U.S. and international partners on the tactics, techniques and procedures (TTPs) recently used by Scattered Spider threat actors against the commercial facilities sector and subsectors.

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks, typically to engage in data theft for extortion.

Scattered Spider threat actors use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). They also use additional malware and ransomware variants to steal data and encrypt victims’ systems. While some TTPs remain consistent, Scattered Spider often change their TTPs to remain undetected.

Critical infrastructure organisations and commercial facilities should implement the recommended mitigations outlined in this advisory to reduce the likelihood and impact of a cyber attack by Scattered Spider. Organisations should also review the Scattered Spider indicators of compromise (IOCs) and TTPs to determine whether they have been compromised.

Read the full advisory
