Full Report
Hackers associated with Scattered Spider tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors [...]
Analysis Summary
# Threat Actor: Scattered Spider (UNC3944/Muddled Libra/0ktapus/Starfraud/Scatter Swine/Octo Tempest)
## Attribution & Identity
* **Identification:** A classification of threat actors adept at social engineering, phishing, MFA bombing, and SIM swapping.
* **Known Aliases:** UNC3944, Muddled Libra, 0ktapus, Starfraud, Scatter Swine, Octo Tempest.
* **Associations:** A loose-knit community of English-speaking threat actors known as the "Com," frequently utilizing hacker forums, Telegram channels, and Discord servers. Also known to partner with Russian-speaking ransomware gangs (e.g., BlackCat).
## Activity Summary
Scattered Spider employs a sector-by-sector approach to its operations.
* **Previous Targets:** Targeted the retail sector (e.g., M&S, Co-op in the UK) and US retail chains, followed by the insurance sector (e.g., Aflac, Erie Insurance, Philadelphia Insurance Companies).
* **Recent Campaigns:** Recently shifted focus to the aviation and transportation industries.
  * Attributed to the cyberattack against Canadian airline **WestJet** (June 12), which disrupted internal services and mobile apps. Access was reportedly gained via a self-service password reset that allowed the attackers to register their own MFA.
  * Impacted **Hawaiian Airlines**, although attribution was not initially certain.
  * Mandiant is aware of multiple incidents in the airline and transportation sector resembling their operations.
## Tactics, Techniques & Procedures
* **Initial Access:** Highly adept at social engineering, phishing, multi-factor authentication (MFA) bombing (fatigue attacks), and SIM swapping.
* **Identity Attacks:** Regularly target help desks to execute self-service password resets, allowing them to register their own MFA and gain remote access (e.g., via Citrix). This tactic is a hallmark associated with the group.
* **TTPs Mentioned:**
  * Social engineering attacks (sophisticated and targeted).
  * Suspicious MFA reset requests.
  * Self-service password resets used to register new MFA.
  * Gaining remote network access.
  * (No specific MITRE ATT&CK IDs were provided in the text.)
## Targeting
* **Sectors:** Aviation, Transportation, Insurance, Retail.
* **Geography:** Mentioned activity in the United Kingdom, the United States, and Canada (WestJet).
* **Victims:** M&S, Co-op, Aflac, Erie Insurance, Philadelphia Insurance Companies, WestJet. (The article also lists past victims associated with the "0ktapus" branding, including Okta, Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit).
## Tools & Infrastructure
* **Malware Families Used:** Associated with ransomware gangs (partnering with groups such as BlackCat). The Co-op intrusion was linked to **DragonForce** ransomware claims.
* **Infrastructure (C2, domains, IPs):**
  * Compromised Microsoft Cloud environment (in the WestJet incident).
  * Phishing and MFA-attack infrastructure leveraging Okta infrastructure (historical context).
  * *No specific external IPs or C2 domains were provided in the source text.*
## Implications
Scattered Spider represents a continuous and evolving threat because it relies on human weaknesses (social engineering) rather than only technical exploits. Its shift in focus to critical infrastructure sectors such as aviation and transportation poses significant operational risks. Abusing weaknesses in identity workflows (help desks, self-service portals) gives the group highly effective, low-friction initial access, which often leads to subsequent disruptive attacks, potentially in cooperation with ransomware partners.
## Mitigations
* **Identity System Hardening:** Gain complete visibility across infrastructure, identity systems, and critical management services.
* **Help Desk Security:** Secure self-service password reset platforms and help desk operations.
* **Verification:** Tighten help desk identity verification processes before allowing changes such as adding new phone numbers to accounts, resetting passwords, adding MFA devices, or releasing employee information.
* **Awareness:** Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests. Follow hardening recommendations released by Google Threat Intelligence Group (GTIG) and Palo Alto Networks.
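The TTP chain described under "Identity Attacks" (password reset, new MFA enrolment, remote access) and the "suspicious MFA reset requests" the mitigations tell defenders to watch for can be turned into a simple correlation rule over identity-provider audit logs. The following is an added example written for this summary, not code from the source article, GTIG or Palo Alto Networks. The event schema, field names, sample events, IP baseline and the `correlate` function are all constructed for illustration; map them onto your own IdP's audit format.

```python
"""Correlate identity-provider audit events to flag the chain
password reset -> new MFA factor enrolled -> remote-access login.

Everything here (schema, sample events, baseline) is constructed for this
example and does not reflect any vendor's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (hypothetical field names).
SAMPLE_EVENTS = [
    # Benign: self-service reset, login from the user's usual IP, no new factor.
    {"ts": "2025-06-12T08:01:00+00:00", "user": "alice", "event": "password.reset",
     "actor": "self_service", "ip": "203.0.113.10"},
    {"ts": "2025-06-12T08:03:00+00:00", "user": "alice", "event": "app.login",
     "actor": "self", "ip": "203.0.113.10", "app": "email"},
    # Suspicious: help-desk reset, a factor enrolled six minutes later from an IP the
    # user has never used, then a remote-access (Citrix) login from that same IP.
    {"ts": "2025-06-12T09:00:00+00:00", "user": "bob", "event": "password.reset",
     "actor": "help_desk", "ip": "198.51.100.7"},
    {"ts": "2025-06-12T09:06:00+00:00", "user": "bob", "event": "mfa.factor_enrolled",
     "actor": "self", "ip": "198.51.100.7", "factor": "authenticator_app"},
    {"ts": "2025-06-12T09:15:00+00:00", "user": "bob", "event": "app.login",
     "actor": "self", "ip": "198.51.100.7", "app": "citrix"},
    # Benign: factor enrolled hours after a reset, outside the correlation window.
    {"ts": "2025-06-12T10:00:00+00:00", "user": "carol", "event": "password.reset",
     "actor": "self_service", "ip": "203.0.113.55"},
    {"ts": "2025-06-12T13:30:00+00:00", "user": "carol", "event": "mfa.factor_enrolled",
     "actor": "self", "ip": "203.0.113.55", "factor": "sms"},
]

# Constructed baseline: IPs each user was seen from before the monitored period.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}, "carol": {"203.0.113.55"}}

# Applications whose login means the account now has remote network access.
REMOTE_ACCESS_APPS = {"citrix", "vpn"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, known_ips, window=timedelta(minutes=60)):
    """Return one alert per (user, password reset) where a new MFA factor was
    enrolled within `window` of the reset. Each alert carries the reasons that
    raised it and a score (one point per reason) to help an analyst triage."""
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "password.reset":
                continue
            deadline = _ts(reset) + window
            later = [e for e in evs[i + 1:] if _ts(e) <= deadline]
            enrolls = [e for e in later if e["event"] == "mfa.factor_enrolled"]
            if not enrolls:
                continue  # a reset with no new factor is not the pattern we track

            minutes = int(window.total_seconds() // 60)
            reasons = ["mfa_enrolled_within_%d_min_of_reset" % minutes]
            if reset["actor"] == "help_desk":
                reasons.append("reset_initiated_by_help_desk")
            if {e["ip"] for e in enrolls} - known_ips.get(user, set()):
                reasons.append("enrolment_from_unseen_ip")
            first_enrol = _ts(enrolls[0])
            if any(e["event"] == "app.login" and e.get("app") in REMOTE_ACCESS_APPS
                   and _ts(e) >= first_enrol for e in later):
                reasons.append("remote_access_login_after_enrolment")

            alerts.append({"user": user, "reset_ts": reset["ts"],
                           "enroll_ts": enrolls[0]["ts"],
                           "reasons": reasons, "score": len(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed sample only `bob` is flagged, with all four reasons: his reset was help-desk initiated, a factor was enrolled minutes later from an IP outside his baseline, and a Citrix login followed from that IP. `alice` never enrols a factor and `carol` enrols one outside the window, so neither produces noise. The reasons are kept as a list rather than collapsed into a boolean so a help-desk-initiated reset followed by enrolment from an unseen IP can be routed to a higher-priority queue than a self-service reset alone.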