Scattered Spider: Kroll Discusses Cybercrime Group's Tactics and Targeting of Insurance Companies

Understanding Scattered Spider

• 🎯 Scattered Spider, also tracked as KTA243, is a group of cyber actors known for their use of social engineering tactics.
• 🌐 The group is loosely affiliated with an online community called 'the comm', and many members are recruited from gaming platforms like Roblox and Minecraft.
• 💰 Their primary motivation is financial gain, though they also seek kudos within their community for successful attacks.
• 📈 The group has evolved, now readily employing ransomware and demonstrating increased effectiveness in social engineering, particularly targeting call centers for password resets.

Industry-Targeted Approach

• 🏭 Scattered Spider often targets one industry at a time, a strategy possibly driven by shared operational similarities, third-party suppliers, and affiliations within those sectors.
• 📰 This focused approach may also be influenced by current events, quarterly reporting cycles, and the availability of purchased or provisioned access.
• ✈️ While recently focusing on the insurance industry, the group has also made significant impacts on UK retail and the aviation sector.

Modus Operandi: Social Engineering and Access

• 📞 The group's modus operandi often involves socially engineering help desk staff to reset passwords or change Multi-Factor Authentication (MFA) methods, typically requiring multiple calls.
• 🔑 Once initial access is gained through a compromised user account, they quickly search for information on VPNs and remote login protocols to further their attack.
• 💻 They frequently use Remote Monitoring and Management (RMM) tools like AnyDesk and ConnectWise to blend in with normal network activity and evade detection.

Data Exfiltration and Ransomware Deployment

• 📤 A primary goal is to exfiltrate as much data as possible, including information from SharePoint, S3 buckets, and cloud environments.
• 🔒 After data exfiltration, they may deploy ransomware, often as a final step before encryption.
• ⚡ Their attacks are identity-based, allowing them to move quickly and pivot within an environment, leveraging existing access rather than immediately deploying malware.

Recommendations for Defense

• 🛠️ Organizations should focus on hardening their environments, starting with training help desk staff on policies and monitoring adherence to prevent initial access.
• ⚠️ General users also require training to recognize signs of social engineering, phishing attempts, and credential harvesting.
• 🔍 Detecting activity such as token theft and successful phishing attempts is crucial for proactive defense.

Group Structure and Evolution

• 🤝 Scattered Spider operates with a diffuse structure, often referred to as a cartel, with loose affiliations and a broad collection of individuals, potentially hundreds, learning and adapting over time.
• 🌍 The group is widespread, with members identified as British, US, and Canadian nationals, and they are known for being English-speaking.
• 🔍 While law enforcement actions are welcome, the group's decentralized nature and ability to evolve make them a persistent threat, often identified by their observed Tactics, Techniques, and Procedures (TTPs) rather than specific individuals.