Scattered Spider’s Relentless Campaign
July 15, 2025
The cybercrime group known as Scattered Spider (also tracked as UNC3944, Octo Tempest, Starfraud, and Muddled Libra) has maintained a rapid and aggressive operational tempo over the past 90 days.
The threat actor collective has continued to demonstrate a sophisticated blend of social engineering and technical prowess, pivoting between sectors and leaving a trail of compromised data and disrupted operations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, issued a joint Cybersecurity Advisory (AA23-320A) on November 16, 2023, detailing the tactics, techniques, and procedures (TTPs) of the Scattered Spider threat actors. This advisory, released nearly two years ago, provided an early warning to critical infrastructure sectors about the group's reliance on sophisticated social engineering, phishing, and SIM swap attacks to gain initial access and exfiltrate data.
Despite this proactive alert, Scattered Spider's momentum has only continued to accelerate, as evidenced by their recent high-profile campaigns against major retailers, insurance companies, and the aviation sector, demonstrating their persistent evolution and the ongoing challenge they pose to organizations worldwide.
What is Scattered Spider?
Scattered Spider is a financially motivated cybercriminal group that seemingly emerged in 2022, if not earlier.
Unlike many traditional ransomware groups, their primary strength lies in their exceptional social engineering skills. They are adept at manipulating individuals, often impersonating employees or contractors, to gain initial access to corporate networks.
Once inside, they move with remarkable speed, aiming for data exfiltration for extortion, and in many cases, deploying ransomware.
Targets and Tactics Over the Last 90 Days
Over the past three months, Scattered Spider has demonstrated a clear pattern of targeting and tactical evolution.
Retail (April-May 2025): The group initiated a significant wave of attacks against major UK retailers, including Marks & Spencer and Harrods, in late April 2025. These attacks often involved compromised IT-contractor accounts and social engineering tactics such as "vishing" (voice phishing) to manipulate call center employees or IT help desk staff into resetting passwords or bypassing multi-factor authentication (MFA). Similar breaches were reported in the U.S. retail sector in May.
Insurance (June 2025): Following their retail spree, Scattered Spider quickly pivoted to targeting the insurance sector. Multiple U.S.-based insurance companies, such as Aflac, Erie Insurance, and Philadelphia Insurance Companies, reported suspicious activity and outages in June, bearing the hallmarks of Scattered Spider's activity. These incidents often resulted in significant operational disruptions.
Aviation (Late June - July 2025): Most recently, the FBI issued a formal warning that Scattered Spider was expanding its focus to include the airline industry. This warning coincided with confirmed cyber incidents at Hawaiian Airlines, WestJet, and Qantas, all exhibiting similar social engineering tactics targeting third-party customer service platforms. While these attacks have not impacted flight operations, they have resulted in the compromise of millions of customer records.
The group's preferred initial access vectors continue to involve highly sophisticated social engineering, often combined with phishing campaigns that use typosquatted lookalike domains (e.g., sso-company[.]com standing in for a legitimate sso.company[.]com) and adversary-in-the-middle tools like Evilginx to intercept credentials and session cookies.
Scattered Spider is also known for MFA fatigue attacks, where repeated MFA requests are sent to overwhelm users into approving a login. Once access is gained, the threat actors prioritize data exfiltration for extortion, and have been observed leveraging tools like Veeam for covert data transfer, and deploying ransomware variants such as DragonForce.
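The MFA fatigue pattern described above leaves a distinctive trace in identity-provider logs: a burst of push challenges for one account, most of them denied or timed out, sometimes followed by an approval. The following detection is an added example written for this page, not code from the original post or from ExtraHop. The log format ("timestamp user result"), the result names (push_denied, push_timeout, push_approved), the sample lines and the threshold are all constructed assumptions; map them onto your own IdP's export.

```python
"""Flag MFA push bursts (MFA fatigue / push bombing) in identity-provider logs.

Added example, not from the original post. Log format, result names and
the sample lines below are constructed; adapt the parser to your IdP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                     # pushes within WINDOW that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed sample log: one push challenge per line, "timestamp user result".
# alice: six pushes in three minutes, denials then an approval (the worst case)
# bob:   two ordinary logins hours apart
# carol: five denials, but spread over three hours (no burst)
SAMPLE_LOG = """\
2025-06-10T02:14:03Z alice push_denied
2025-06-10T02:14:21Z alice push_timeout
2025-06-10T02:15:02Z alice push_denied
2025-06-10T02:15:40Z alice push_denied
2025-06-10T02:16:11Z alice push_timeout
2025-06-10T02:16:58Z alice push_approved
2025-06-10T09:01:10Z bob push_approved
2025-06-10T17:30:45Z bob push_approved
2025-06-10T10:00:00Z carol push_denied
2025-06-10T10:45:00Z carol push_denied
2025-06-10T11:30:00Z carol push_denied
2025-06-10T12:15:00Z carol push_denied
2025-06-10T13:00:00Z carol push_denied
"""


def parse(log_text):
    """Return a list of (timestamp, user, result) tuples from the sample format."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of push challenges per user.

    Returns {user: {"pushes": n, "approved_after_burst": bool}} for every
    user who received at least `threshold` pushes inside one `window`.
    approved_after_burst is True when an approval follows the burst, which
    is the signal that the user may have given in to the prompts.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    alerts = {}
    for user, pushes in by_user.items():
        start = 0
        for end, (ts, _) in enumerate(pushes):
            # Slide the window start forward until it spans at most `window`.
            while ts - pushes[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                info = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                info["pushes"] = max(info["pushes"], count)
                if any(r == "push_approved" for _, r in pushes[start:]):
                    info["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in find_bursts(parse(SAMPLE_LOG)).items():
        print(f"{user}: {info['pushes']} pushes in {WINDOW}, "
              f"approved after burst: {info['approved_after_burst']}")
```

An approval that follows a run of denials is the case to escalate first: it is the point at which the account is likely in the attacker's hands, so the session it produced should be reviewed and, if in doubt, revoked.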
Domains attributed as IOCs to Scattered Spider by multiple OSINT sources include, but are not limited to:
Scattered Spider Domain | Source of OSINT |
---|---|
charter-vpn[.]com | <https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf> |
chartervpn[.]com | <https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf> |
victimname-sso[.]com | Victim specific crafted domains - there are many variations of this not specifically identified in this list <https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf> |
victimname-servicedesk[.]com | Victim specific crafted domains - there are many variations of this not specifically identified in this list <https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf> |
victimname-okta[.]com | Victim specific crafted domains - there are many variations of this not specifically identified in this list <https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf> |
7-eleven-hr[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
bell-hr[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
cts-comcast[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
doordash-support[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
corp-azure[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
corporatetools-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
hr-myccmortgage[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
hr-synovus[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
onsolve-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
okta-onsolve[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
okta-ripple[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
dashboard-iterable[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
paxos-my-salesforce[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
activecampiagn[.]net | <https://www.silentpush.com/blog/scattered-spider-2025/> |
acwa-apple[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
birdsso[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
okta-ziffdavis[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
pfchangs-support[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
x-sso[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
freshworks-hr[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
klaviyo-hr[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
login.freshworks-hr[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
login.hr-intercom[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
sytemstern[.]net | <https://www.silentpush.com/blog/scattered-spider-2025/> |
xn--gryscale-ox0d[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
iyft[.]net | <https://www.silentpush.com/blog/scattered-spider-2025/> |
bbtplus[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
squarespacehr[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
mytsl[.]net | <https://www.silentpush.com/blog/scattered-spider-2025/> |
gemini-sso[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
prntsre[.]mnet | <https://www.silentpush.com/blog/scattered-spider-2025/> |
corp-hubspot[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
morningstar-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
pure-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
signin-nydig[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
sso-instacart[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
sts-vodafone[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
commonspiritcorp-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
citrix-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
consensys-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
twitter-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
itbit-okta[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
bestbuy-cdn[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
duelbits-cdn[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
gucci-cdn[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
simpletexting-cdn[.]com | <https://www.silentpush.com/blog/scattered-spider-2025/> |
chipotle-sso[.]com | <https://otx.alienvault.com/pulse/686ccfa9e477e3f405eb701e> |
And many others … | <https://otx.alienvault.com/pulse/68678d076be34e0dd9d9a6fd> |
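The table above shows two things a defender can act on: a fixed list of defanged indicators, and a naming pattern (victimname-sso, okta-victimname, victimname-hr, victimname-cdn, signin-victimname, and so on) that reappears with each new victim. The script below, an added example that is not code from the original post or from ExtraHop, refangs a subset of the table's IOCs and screens a DNS query log for both exact IOC matches and lookalikes built from an organization's own brand tokens. The log format, the client addresses, the brand token "acme" and its legitimate domain "acme.com" are constructed assumptions.

```python
"""Screen DNS query logs for Scattered Spider IOC domains and for the
victim-specific lookalike naming pattern shown in the IOC table.

Added example, not code from the original post or from ExtraHop.
IOC_DOMAINS is a subset of the defanged table entries; the log lines,
brand token and log format are constructed for this example.
"""

# Subset of the defanged IOC list from the table above.
IOC_DOMAINS = [
    "charter-vpn[.]com",
    "chipotle-sso[.]com",
    "sso-instacart[.]com",
    "okta-ripple[.]com",
    "login.freshworks-hr[.]com",
]

# Service words the table shows paired with a victim's name:
# victimname-sso, okta-victimname, victimname-cdn, signin-victimname, ...
LURE_KEYWORDS = {"sso", "okta", "servicedesk", "hr", "cdn", "support",
                 "vpn", "signin", "login", "sts"}


def refang(domain):
    """Turn a defanged indicator ('a[.]b') into a comparable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_SET = {refang(d) for d in IOC_DOMAINS}


def registered_label(hostname):
    """Label left of the public suffix: 'login.acme-sso.com' -> 'acme-sso'.

    Assumes a one-label suffix (.com, .net); production code should use
    the Public Suffix List to handle suffixes such as .co.uk.
    """
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(qname, ioc_set=IOC_SET, brand_tokens=frozenset(), own_domains=frozenset()):
    """Return 'ioc_match', 'benign', 'lookalike' or 'unknown' for one query name."""
    host = refang(qname)
    if host in ioc_set:
        return "ioc_match"
    if host in own_domains or any(host.endswith("." + own) for own in own_domains):
        return "benign"
    label = registered_label(host)
    for brand in brand_tokens:
        if brand in label:
            # What remains once the brand is removed:
            # 'acme-sso' -> 'sso', 'okta-acme' -> 'okta', 'acmesso' -> 'sso'.
            rest = label.replace(brand, "").strip("-")
            if rest in LURE_KEYWORDS or set(rest.split("-")) & LURE_KEYWORDS:
                return "lookalike"
    return "unknown"


# Constructed DNS query log: "timestamp client qname".
SAMPLE_DNS_LOG = """\
2025-06-12T08:01:02Z 10.1.4.22 acme.com
2025-06-12T08:01:05Z 10.1.4.22 sso.acme.com
2025-06-12T08:03:10Z 10.1.4.22 acme-sso.com
2025-06-12T08:03:11Z 10.1.4.22 login.acme-sso.com
2025-06-12T08:07:44Z 10.1.9.8 okta-acme.com
2025-06-12T08:09:00Z 10.1.9.8 chipotle-sso.com
2025-06-12T08:10:30Z 10.1.2.3 acmesso.com
2025-06-12T08:11:00Z 10.1.2.3 github.com
"""


def scan_dns_log(log_text, brand_tokens, own_domains, ioc_set=IOC_SET):
    """Return (client, qname, verdict) for every IOC or lookalike hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        verdict = classify(qname, ioc_set, brand_tokens, own_domains)
        if verdict in ("ioc_match", "lookalike"):
            hits.append((client, qname, verdict))
    return hits


if __name__ == "__main__":
    for client, qname, verdict in scan_dns_log(SAMPLE_DNS_LOG, {"acme"}, {"acme.com"}):
        print(f"{client} queried {qname}: {verdict}")
```

The lookalike check deliberately ignores the public suffix and looks only at the registrable label, because the table shows the same brand plus keyword shape across .com and .net; anything flagged as a lookalike still needs triage against domains the organization actually owns.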
Implications for Enterprises
Scattered Spider's rapid shifts in industry focus and the group's reliance on human manipulation pose a significant challenge for all organizations. However, several recurring themes stand out.
- Humans are the weakest link: Scattered Spider’s success underscores that even the most advanced technical defenses can be bypassed if employees are not adequately trained and vigilant against social engineering tactics.
- Third-party risk is paramount: The repeated targeting of IT vendors, managed service providers (MSPs), and call centers highlights the critical need for organizations to rigorously assess and continuously monitor the security posture of their entire supply chain.
- Speed equals success: Scattered Spider operates with extreme speed. Once initial access is gained, they can move laterally, escalate privileges, exfiltrate data, and deploy ransomware within hours, drastically reducing the window for detection and response.
Scattered Spider's playbook is a masterclass in exploiting trust and speed. They don't just breach; they infiltrate and accelerate.
Unmasking Scattered Spider with Network Insights
The relentless and adaptive nature of Scattered Spider's attacks, particularly their focus on social engineering and rapid lateral movement, demands a security solution that provides deep, real-time visibility across the entire network.
ExtraHop is uniquely positioned to detect the subtle indicators of compromise that often precede and accompany Scattered Spider's activities, even when they bypass traditional endpoint or network security controls.
ExtraHop provides:
- Comprehensive Network Visibility: ExtraHop delivers agentless visibility across hybrid and multi-cloud environments, including encrypted traffic, ensuring no blind spots for attackers exploiting vulnerabilities or using compromised credentials. This is vital for detecting multiple stages of attacks, including reconnaissance, lateral movement, and data exfiltration.
- Behavioral Anomaly Detection: ExtraHop uses advanced machine learning to detect anomalous behaviors on the network that indicate compromise, such as unusual access patterns to OT/ICS devices, unexpected remote access, or suspicious data transfers, even if the initial access method was a simple password brute-force.
- Real-time Threat Intelligence Integration: By correlating network activity with threat intelligence, ExtraHop can flag known TTPs and IOCs, providing immediate context for security teams.
- Real-time Identity Insights: ExtraHop helps connect user identities to their behaviors and activities across a multi-cloud or hybrid network, enabling operations teams to investigate specific users and associated devices engaged in anomalous or malicious activity, thus accelerating investigations.
- Accelerated Incident Response: High-fidelity alerts with rich network context enable security teams to quickly understand the scope of an intrusion, identify affected assets, and accelerate containment and remediation efforts, minimizing the attacker's dwell time.
Scattered Spider's recent activities serve as a potent reminder that cyber defense is a dynamic challenge. Their agility in shifting targets and their mastery of social engineering mean that organizations cannot afford to overlook any part of their security posture, especially the human element and third-party risk.
Investing in modern network detection and response (NDR) solutions is no longer just about preventing known threats; it's about gaining the adaptive visibility and intelligence needed to detect and respond to the unknown, ensuring resilience against even the most sophisticated and rapidly evolving adversaries.