Scattered Spider: Kroll's Research on Cybercrime Cartel Tactics

Understanding Scattered Spider

• 🕷️ Scattered Spider, also internally tracked as KTA 243, is a group of cybercriminals known for their extensive use of social engineering tactics.
• 🌐 The group is loosely affiliated with an online community called "the comm," with many members recruited from platforms like Roblox and Minecraft.
• 💰 Their primary motivation is financial gain, though they also seek kudos within their community for successful attacks.

Evolving Tactics and Industry Targeting

• 🎯 Scattered Spider has demonstrated a trend of targeting one industry at a time, potentially due to shared third-party suppliers and interconnectedness within sectors.
• 📞 Their modus operandi often involves socially engineering help desk staff over multiple calls to reset passwords or change MFA methods, typically taking three to five calls.
• 💻 Once access is gained, they quickly exfiltrate data from cloud environments like SharePoint and S3 buckets before potentially deploying ransomware.
• 🛠️ They frequently leverage Remote Monitoring and Management (RMM) tools such as Anyesk and ConnectWise to blend in with existing environments and evade detection.

Group Structure and Capabilities

• 🤝 The group operates with a cartel-like model, described as a "group of groups" that share tactics, techniques, and procedures (TTPs) and malware.
• 🌍 Scattered Spider is known to be English-speaking, with members identified as British, US, and Canadian nationals, indicating a widespread, diffuse network.
• 📈 While not typically developing their own malware, they exhibit significant proficiency in targeting SaaS and cloud environments, moving rapidly to achieve their objectives.

Recommendations for Defense

• 🗣️ Train help desk staff to strictly adhere to established policies for password resets and MFA changes, as this is a common initial access vector.
• 📧 Educate general users on recognizing signs of phishing attempts and social engineering tactics to prevent credential compromise.
• 🔍 Implement robust detection capabilities for activities like token theft and instances where users may have submitted credentials after clicking malicious links.