Full Report
Google’s Threat Intelligence Group (GTIG) has observed a decline in activity from UNC3944—also known as Scattered Spider—a financially... The post Mandiant links DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: UNC3944
## Attribution & Identity
**Threat Actor Name:** UNC3944
**Aliases:** Scattered Spider
**Known Associations:** Has been identified as a RansomHub affiliate in 2024, following the shutdown of ALPHV (Blackcat) RaaS. The group's connection to the DragonForce ransomware operators is suggested by recent activity, though not independently confirmed by GTIG.
## Activity Summary
UNC3944 is a financially motivated threat actor known for persistent social engineering. Activity has recently seen a decline following 2024 law enforcement actions. Historically, the group targeted telecommunications organizations for SIM swap operations. Since early 2023, they shifted focus to ransomware and data theft extortion, impacting a broader range of industries. They have conducted targeted waves against specific sectors, including financial services (late 2023) and food services (May 2024). Recent reports suggest tactics consistent with Scattered Spider were used to target a UK retail organization deploying DragonForce ransomware. The group is noted for targeting prominent brands, likely seeking prestige.
## Tactics, Techniques & Procedures
- Persistent use of social engineering, in particular impersonating users to exploit help desks into making account changes (password resets, MFA re-registration).
- Leveraging phishing messages, fake IT support calls, and impersonation via collaboration tools.
- Conducting MFA fatigue attacks.
- Employing data theft extortion and ransomware deployment (e.g., DragonForce deployment reported).
- Targeting specific sectors in waves (e.g., financial services, food services, retail).
- **Potential MITRE ATT&CK IDs:** Techniques revolve around social engineering and initial access, likely including techniques related to [T1566 Phishing] and adversary-in-the-middle/impersonation for help desk exploitation.
## Targeting
**Sectors:** Telecommunications (historically), Financial Services, Food Services, Retail (recent focus), Healthcare (implied by reference to external reporting on AI social engineering).
**Geography:** United Kingdom (recent retail attacks noted).
**Victims:** Prominent brands (for prestige), UK retail organizations (recent DragonForce deployment).
## Tools & Infrastructure
**Malware Families Used:** DragonForce ransomware (associated with recent activity).
**Infrastructure (C2, domains, IPs):** Not detailed in the source report beyond the mention of RansomHub (RaaS); no URLs or IP addresses were provided.
## Implications
UNC3944 is resilient, potentially capable of rapid recovery due to connections with a broader cybercriminal network. Their reliance on targeting high-profile brands and aggressive social engineering tactics poses a significant risk to organizations with large volumes of PII/financial data, like the retail sector. Their shift to RaaS affiliation (RansomHub) indicates flexibility in monetization strategies.
## Mitigations
- **Identity & Access:**
  - Implement strict segregation of identities and strengthen authentication requirements.
  - Enforce robust identity controls for password resets and MFA registration.
  - Disable or enhance self-service password resets during suspected compromises.
  - Require strong authentication before allowing changes to authentication methods (e.g., MFA registration).
  - Use trusted locations, out-of-band verification, and alerts for security changes; avoid using publicly available PII for verification.
- **Social Engineering Defense:**
  - Provide comprehensive employee training on recognizing social engineering tactics (phishing, fake IT support, MFA fatigue).
  - Train help desk staff extensively on identity verification (in-person/on-camera checks, ID verification, challenge-response questions) before granting account changes, especially for privileged accounts.
- **Authentication Security:**
  - Eliminate the use of SMS, phone calls, and email for authentication; implement phishing-resistant methods.
  - Monitor Microsoft Entra ID for changes to Trusted Named Locations/Conditional Access Policies, especially user/device exclusions.
  - Monitor for suspicious token usage and enforce mechanisms to prompt reauthentication upon unusual activity.
  - Secure admin accounts and regularly review domain federation settings.
- **Monitoring:**
  - Achieve complete visibility across infrastructure, identity systems, and critical management services.
  - Monitor for high-risk authentication behaviors (infrequent locations, proxy/VPN use, changes to authentication methods) indicating social engineering.
  - Monitor for impersonation attempts via platforms like Teams (e.g., external accounts using 'help' or 'support' in usernames).
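As an added example that is not part of the original report, the following Python sketch runs two of the monitoring checks above over constructed Entra-style sign-in and audit records (all field names, sample values and the `#EXT#` guest marker usage are assumptions): it flags authentication-method changes that closely follow a sign-in from a previously unseen country or through an anonymizing proxy/VPN, and lists external collaboration accounts whose names imitate IT support.

```python
import re
from collections import defaultdict

# Constructed sample events; the schema below is an assumption, not a real Entra export.
SIGNINS = [
    {"user": "alice", "ts": 100, "country": "GB", "proxy": False},
    {"user": "alice", "ts": 200, "country": "GB", "proxy": False},
    {"user": "alice", "ts": 300, "country": "RO", "proxy": True},  # new country via anonymizer
    {"user": "bob", "ts": 110, "country": "GB", "proxy": False},
]
AUDIT = [
    {"user": "alice", "ts": 310, "action": "MFA method registered"},
    {"user": "bob", "ts": 120, "action": "MFA method registered"},
]
EXTERNAL_ACCOUNTS = [
    {"upn": "it.helpdesk_outlook.com#EXT#@tenant", "display": "IT Help Desk"},
    {"upn": "vendor_partner.com#EXT#@tenant", "display": "Vendor Contact"},
]


def risky_method_changes(signins, audit, window=600):
    """Return auth-method changes that occur within `window` seconds after a
    sign-in from a country never seen before for that user, or via a proxy/VPN."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["ts"]):
        by_user[s["user"]].append(s)
    hits = []
    for a in audit:
        if "method" not in a["action"].lower():
            continue  # only authentication-method changes are of interest here
        prior = set()  # countries seen for this user before the current sign-in
        for s in by_user[a["user"]]:
            if s["ts"] > a["ts"]:
                break  # sign-ins after the change cannot have preceded it
            new_loc = bool(prior) and s["country"] not in prior
            prior.add(s["country"])
            if a["ts"] - s["ts"] <= window and (s["proxy"] or new_loc):
                hits.append((a["user"], a["action"], s["country"], s["proxy"]))
                break
    return hits


# Words an impostor would put in a display name or UPN to look like IT support.
IMPERSONATION = re.compile(r"\b(help|support|helpdesk|it\s*desk)\b", re.I)


def suspicious_external_accounts(accounts):
    """External (guest/federated) accounts whose names imitate internal IT support."""
    return [a["upn"] for a in accounts
            if "#EXT#" in a["upn"] and IMPERSONATION.search(a["display"] + " " + a["upn"])]
```

Both functions return the flagged records so they can feed an alerting pipeline; in a real deployment the sign-in baseline should cover a longer history than a single run, and the "new country" test should be combined with the trusted-location policy noted above.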