Scattered Spider, also known as Muddled Libra, Octo Tempest, Scatter Swine and UNC3944, is a group of cybercriminals who specialize in using social-engineering tactics to trick companies into handing over user credentials and bypassing multifactor authentication, opening the door for the group to establish persistence, steal company data and demand ransom payments.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned that Scattered Spider is deploying new techniques to launch attacks against multiple industries.
The group historically has focused on the hospitality, telecommunications and retail sectors, targeting multiple organizations within each sector before moving on to the next one.
Scattered Spider “represents a serious and ongoing threat to U.S. organizations, using sophisticated social engineering and intrusion tactics to disrupt operations and extort victims,” Chris Butera, acting executive assistant director for cybersecurity at CISA, said in a statement related to the advisory. “Their activities have impacted multiple sectors and underscore the continued risk ransomware poses to national security and economic stability.”
Researchers consider Scattered Spider unique within the cybercrime underground. The group consists largely of English-speaking young men, including many teenagers, from the U.S. and the U.K. Authorities estimate that it may have as many as 1,000 members.
The group is affiliated with an underground collective known as The Com, which experts have linked to a variety of crimes ranging from extortion and money laundering to predatory behavior involving minors, cryptocurrency theft and SIM swapping.
Scattered Spider does not operate as a consolidated, centralized unit, according to Palo Alto Networks, but rather in multiple subsets, each of which may have its own set of targets and collection of preferred techniques.
The hacker gang debuted on the scene in September 2023 with a headline-grabbing ransomware attack against hotel and casino giant MGM Resorts. The hackers disrupted operations at the property for several days, locking guests out of their rooms, shutting down elevators and disabling slot machines and ATMs. The attack cost the company more than $100 million.
Researchers also linked Scattered Spider to the 2023 hack of household-products giant Clorox, which forced the company to shut down many of its systems and led to months of product shortages. In a $380 million lawsuit filed earlier this month, Clorox alleged that its IT vendor, Cognizant, failed to uphold its duties by handing over credentials to the hackers without authenticating them.
Always on the run
In November 2024, the U.S. Department of Justice charged five people with stealing millions of dollars by harvesting employee credentials through phishing texts. Security researchers have described that activity, which involved hacks of 45 companies from September 2021 through April 2023, as Scattered Spider’s initial crime spree.
Spanish authorities arrested one of the defendants, a 23-year-old British man named Tyler Buchanan, and extradited him to the U.S. in April. The indictment and extradition led some security experts to believe the authorities had successfully neutralized Scattered Spider.
But in April, the group launched a series of social-engineering attacks against three major British retail companies: Marks & Spencer, Harrods and Co-op. Two other major British companies may also have been hacked but have yet to admit it, Marks & Spencer’s chairman told British lawmakers earlier this month.
Scattered Spider’s latest attack spree, which began in April, cost an estimated 440 million British pounds, according to the U.K.-based Cyber Monitoring Centre.
Earlier this month, British authorities arrested four people in connection with Scattered Spider’s attacks. Police also seized a large trove of computer equipment and are analyzing it for evidence that could lead to additional arrests.
Meanwhile, in May, Scattered Spider turned its attention to the U.S., launching a round of attacks against major retailers and their vendors, including Victoria’s Secret, North Carolina-based Belk and Whole Foods distributor United Natural Foods.
United Natural Foods (UNFI) warned earlier this month that its breach could cost it up to $400 million in lost sales.
Since June, Scattered Spider has shifted to new industries, targeting major insurance companies, airlines and other transportation companies. Recent victims have included Aflac, Allianz Life and Philadelphia Indemnity Insurance. Scattered Spider may also have been behind recent hacks of Hawaiian Airlines and Qantas.