MSPs & IT Vendors Targeted by Scattered Spider Threat Group

An analysis by the cybersecurity firm ReliaQuest has confirmed that the financially motivated threat group Scattered Spider (aka UNC3944, Octo Tempest, Starfraud, Muddled Libra) is targeting managed service providers (MSPs) and IT vendors. Scattered Spider is a native English-speaking threat group that has been active since at least 2022. Its members are believed to reside in the United States and the United Kingdom, and are thought to be aged between 19 and 22. Scattered Spider started out as a SIM swapping group targeting telecommunications-related organizations but has since evolved into a global threat engaging in other criminal activities, especially data extortion.

Scattered Spider actors are experts in social engineering and engage in phishing attacks, push bombing, and SIM swapping. Scattered Spider conducts ransomware attacks and is now an affiliate of the DragonForce cartel, and previously worked as an affiliate of the BlackCat/ALPHV and RansomHub groups. Last month, Scattered Spider conducted two DragonForce ransomware attacks on the UK retailers Marks & Spencer and Harrods.

While investigating the recent retail industry attacks, ReliaQuest identified some of the tactics used by Scattered Spider. Rather than attacking companies directly, the group relies on social engineering in attacks that exploit human trust, often conducting phishing campaigns using typosquatted domains that closely resemble the brands they impersonate. Scattered Spider actors are able to bypass multifactor authentication (MFA) using phishing tools such as Evilginx, a man-in-the-middle attack framework used for phishing login credentials and session cookies.

If phishing attacks are not successful, more personalized campaigns are conducted, harvesting information from platforms such as LinkedIn and ZoomInfo. The group has also been observed targeting helpdesk staff, impersonating high-level individuals such as the CFO, and requesting an urgent password reset or the registration of a new MFA device. ReliaQuest analyzed more than 600 domains associated with the group, 81% of which impersonated technology vendors such as virtual private network (VPN) providers, identity providers (IdP), and single sign-on (SSO) services, with the domains and subdomains often including keywords such as “okta,” “vpn,” “helpdesk,” and “sso.”
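The domain pattern described above lends itself to a simple watchlist check. The following is an added example (not code from ReliaQuest or The HIPAA Journal): it flags newly observed domains that combine the organization's own brand, or a one-character lookalike of it, with one of the reported keywords. The brand `examplecorp`, the allowlist, and the sample domains are constructed for illustration.

```python
import re

# Keywords ReliaQuest found in Scattered Spider lookalike domains.
IMPERSONATION_KEYWORDS = ("okta", "vpn", "helpdesk", "sso")
# Hypothetical brand to monitor and its legitimate domains (never flagged).
PROTECTED_BRANDS = ("examplecorp",)
ALLOWLIST = ("examplecorp.com",)

# Constructed sample of newly observed domains (not real indicators).
SAMPLE_DOMAINS = [
    "examplecorp-sso.com",
    "okta.examplecorp-helpdesk.net",
    "vpn-examplecorp.co",
    "examp1ecorp-okta.com",      # digit-for-letter lookalike of the brand
    "news.example-weather.org",  # shares a prefix with the brand but is unrelated
    "examplecorp.com",           # the real site
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes of a brand token."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def tokens(domain: str) -> list[str]:
    """Lowercase tokens split on dots, hyphens and underscores."""
    return [t for t in re.split(r"[.\-_]", domain.lower().rstrip(".")) if t]

def flag_impersonation_domains(domains, brands=PROTECTED_BRANDS, allowlist=ALLOWLIST):
    """Return {domain: {"brand": [...], "keywords": [...]}} for domains that pair a
    brand token (exact or within one edit) with an impersonation keyword. A brand
    token alone is not flagged: partners legitimately use it; the keyword is the lure."""
    flagged = {}
    for domain in domains:
        d = domain.lower().rstrip(".")
        if d in allowlist:
            continue
        toks = tokens(d)
        brand_hits = sorted({b for b in brands for t in toks if levenshtein(t, b) <= 1})
        kw_hits = [k for k in IMPERSONATION_KEYWORDS if k in toks]
        if brand_hits and kw_hits:
            flagged[d] = {"brand": brand_hits, "keywords": kw_hits}
    return flagged
```

The one-edit tolerance assumes brand names of several characters; for a very short brand, tighten the threshold to avoid flagging unrelated tokens. Feeding the function a daily certificate-transparency or new-registration export gives a cheap early warning that a lure domain is being staged.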


Scattered Spider has been targeting MSPs, IT vendors, and their IT support systems to obtain the high-value credentials of system administrators, CFOs, and CISOs. MSPs and IT vendors are attractive targets for threat actors, as a successful attack can provide access to the networks of many downstream clients, increasing the profitability of attacks with minimal effort. The attack on Marks & Spencer involved using compromised accounts from the IT contractor Tata Consultancy Services (TCS) to gain access to Marks & Spencer’s systems. Scattered Spider has also been observed targeting an MSP by exploiting SimpleHelp vulnerabilities, according to a report from Sophos last month. ReliaQuest expects the group to continue to evolve its tactics and embrace deepfake AI technology to improve the effectiveness of its social engineering campaigns.

While Scattered Spider has been attacking retailers recently, the group is considered to pose a threat to the healthcare sector, having conducted attacks on healthcare organizations in the past. The HHS Health Sector Cybersecurity Coordination Center (HC3) published a Scattered Spider threat profile in October 2024, warning the industry of the risk of Scattered Spider attacks and providing mitigation advice.

Since the group’s attacks are highly focused on social engineering, organizations should ensure they conduct regular security awareness training to improve awareness of social engineering and phishing, along with phishing simulations to test the effectiveness of that training. Phishing-resistant MFA should be implemented where possible, and ReliaQuest recommends requiring MSPs, contractors, and privileged users to access high-value systems through secured jumpboxes, with mandatory MFA for all RDP connections to and from the jumpbox. SharePoint permissions should also be restricted to limit access to sensitive files, with access limited to individuals who have a legitimate need to access those resources.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com