Full Report
Along with other telemetry, Windows GDID makes online activity more traceable
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
* **Actor Name:** Scattered Spider
* **Known Aliases:** UNC3944, Starfraud, Roasted 0ktapus, Oktapus.
* **Identified Individuals:** Peter Stokes (arrested and extradited from Finland).
* **Associated Groups:** Allied with the **ALPHV/BlackCat** ransomware operation (as an affiliate).
## Activity Summary
Scattered Spider is a prolific criminal cyber-hacking group that specializes in social engineering and sophisticated identity-based attacks. The group has compromised more than 100 corporate networks by targeting employee accounts. Their primary objective is the exfiltration of sensitive data and the deployment of ransomware to extort victims. They are credited with obtaining over $100 million in ransom payments. Recent legal filings highlight a focus on activities occurring between 2024 and 2025, leading to the identification of members through Windows Global Device Identifiers (GDID).
## Tactics, Techniques & Procedures
* **Social Engineering:** Compromising employee accounts to gain initial access to corporate environments.
* **Data Exfiltration & Extortion:** Stealing sensitive data and encrypting systems for ransom (Ransomware-as-a-Service model).
* **Web Tunneling:** Use of **ngrok** to bypass network barriers and maintain persistent access to compromised servers.
* **Anonymization:** Use of VPN services (specifically **Tzulo**) to mask real IP addresses.
* **Persistence:** Use of persistent device-level identifiers (telemetry) within Windows environments, which, while intended for OS management, were used by investigators to track actor activity.
**MITRE ATT&CK IDs (Inferred from text):**
* **T1566 (Phishing/Social Engineering):** Implied via "compromising employee accounts."
* **T1572 (Protocol Tunneling):** Use of ngrok.
* **T1090 (Proxy):** Use of VPNs (Tzulo).
* **T1486 (Data Encrypted for Impact):** Ransomware activities.
## Targeting
* **Sectors:** Broad corporate targets, including hospitality and technology (implied by historical context of 100+ networks).
* **Geography:** Primarily entities in the **United States**. Actor-side geography includes **Estonia** (residence of Stokes) and **Finland** (location of arrest).
* **Victims:** Numerous large-scale US companies (specific names not detailed in this article, but historically include MGM Resorts and Caesars Entertainment).
## Tools & Infrastructure
* **Malware:** Ransomware (associated with BlackCat/ALPHV).
* **Utilities:** ngrok (tunneling), wlidsvc (Microsoft Account service), CDPSvc (Connected Devices Platform).
* **Infrastructure:**
* Tzulo (VPN Provider)
* ngrok\[.\]com
* dashboard\[.\]ngrok\[.\]com/signup
* login\[.\]live\[.\]com (Microsoft Authentication)
## Implications
The arrest of Stokes demonstrates a significant shift in the ability of law enforcement to bypass traditional anonymization tools (VPNs/Tunnels). By correlating service-level telemetry (GDIDs) with third-party application logs (ngrok/VPN timestamps), investigators can deanonymize actors even when they use virtual machines or tunneling services. This highlights that Windows telemetry (GDID) is a powerful forensic artifact for attribution in state-sponsored or high-end criminal investigations.
## Mitigations
* **Identity Security:** Implement strict Multi-Factor Authentication (MFA), specifically resistant to "MFA fatigue" or social engineering (e.g., FIDO2/Hardware keys).
* **Application Control:** Block or strictly monitor the use of web tunneling tools like **ngrok** and unauthorized VPNs within the corporate environment.
* **Endpoint Monitoring:** Monitor for suspicious registry modifications related to `UCDOStatus.GlobalDeviceId` or Windows persistent identifiers used by unrecognized accounts.
* **Telemetry Analysis:** Use EDR/XDR solutions to correlate login events with known malicious IP ranges associated with low-tier VPN providers like Tzulo.