Scattered Spider: where every click is one step closer to chaos

Vectra AI

By Chris Fisher*
Friday, 20 September, 2024


Scattered Spider (SS), a notorious cybercriminal group, continues to weave its intricate web to ensnare IT teams across Australia and New Zealand as it infiltrates company networks and tools through unsuspecting victims. Its damaging impact on major corporations such as Microsoft, Nvidia, Electronic Arts and prominent Las Vegas casinos highlights the need to strengthen detection and preventative controls against identity-targeted attacks.

The Office of the Australian Information Commissioner (OAIC) reported 527 data breaches between January and June 2024, marking a 9% increase from the second half of 2023. A substantial portion of these breaches involved identity-based attacks. The OAIC also noted that 67% of data breaches were due to malicious or criminal attacks, with many targeting identity information. Meanwhile, the Australian Cyber Security Centre (ACSC) noted a 13% increase in cybercrime reports, with identity theft being a significant contributor. These statistics raise the question of how to move beyond inadequate security tools and compliance-driven activities to enhance preventative measures against sophisticated threats like SS.

Understanding Scattered Spider’s tactics with compromised identities

Known for its association with BlackCat/ALPHV, SS develops playbooks for highly successful, reproducible attacks, often using social engineering to gain access to identities. While a lot of attackers use identity, SS is notoriously slick at bypassing multifactor authentication (MFA) and infiltrating enterprises through cloud identities.

A typical identity attack involves hackers posing as IT helpdesk staff to obtain credentials or using SIM swap and MFA fatigue attacks to bypass two-factor authentication. Once inside, they conduct ‘living off the land’ attacks across the enterprise infrastructure, including the cloud and networks. SS hackers can infiltrate IT channels, monitor incident responders and test systems before launching bigger attacks.

From an identity attack to millions in ransomware and extortion

SS’s endgame isn’t pretty — the group operates on a ransomware strategy, focusing on denial of service and extortion for stolen data, causing significant operational disruptions until demands are met. For instance, in May 2022 a European government was reportedly held for a $5 million ransom to decrypt its locked systems.

SS is also known for its brazen tactics, such as directly contacting targets, setting up new employees in backend systems, or compromising HR systems without concern for being identified. The group is adept at using mobile devices for infiltration and is resilient, continuing its operations through affiliations with RansomHub, a ransomware-as-a-service operator.

Prevention is the first step, but do you know what to do next?

Organisations tend to believe that by stacking enough safeguards — like implementing privilege controls and MFA, micro-segmentation, and zero trust principles — they can create an impenetrable barrier against cyber threats. This is merely the preparation and prevention phase, similar to crafting the perfect crème brûlée.

However, the reality is far more complex. Cyber adversaries, such as SS, are like master chefs with a penchant for cracking the code. They wield sophisticated tools and social engineering tactics to bypass these defences, much like breaking through the hard caramelised crust of a crème brûlée. Once that initial layer is breached, the interior is exposed — soft, vulnerable and unprotected.

This analogy underscores a critical point: while the outer defences are essential, they are not infallible. The true challenge lies in what happens after the crust is cracked. Organisations must be prepared for the gooey inside, where attackers can move freely if not properly detected and contained. Robust detection and response strategies are crucial to ensure that even if the crust is compromised, the core remains secure.

Detection and response is crucial in mitigating SS attacks

Robust cybersecurity can be categorised into three Cs: coverage, clarity and control.

Coverage involves protecting all potential threat channels, including identities. Clarity requires clear observation of the network and infrastructure, utilising AI for precise and rapid insights. Control refers to the ability to respond quickly to shut down attacks.

Given the diverse and bold nature of SS attacks, it is essential to have a detection and response phase that identifies deviations in user behaviour, pinpoints threat actors’ lateral movements, and provides visibility from the identity stage to the cloud and network components. Security platforms that integrate disparate signals into a clear, unified signal are key.
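The identity-attack pattern described earlier (MFA fatigue followed by an approval, then a foothold on the identity) and the detection requirement stated here can be made concrete with a small worked example. The following is an added illustration, not code from the article or from Vectra AI: it runs two behavioural rules over a constructed sign-in log (the pipe-delimited format, the event names and the user and IP values are all invented for the example), flags the deviations, and collapses the findings into one prioritised per-identity view. Thresholds such as three denied pushes in ten minutes are assumptions to tune, not published detection logic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in telemetry for this example: not a real log format or real data.
# Fields: timestamp | user | event | source IP (documentation-range addresses only)
SAMPLE_LOG = """\
2024-09-10T08:01:00|alice|signin_success|203.0.113.10
2024-09-10T08:02:00|alice|mfa_push_approved|203.0.113.10
2024-09-12T09:00:00|bob|mfa_push_denied|203.0.113.22
2024-09-12T09:00:40|bob|mfa_push_approved|203.0.113.22
2024-09-12T22:14:05|alice|mfa_push_sent|198.51.100.7
2024-09-12T22:14:05|alice|mfa_push_denied|198.51.100.7
2024-09-12T22:15:10|alice|mfa_push_denied|198.51.100.7
2024-09-12T22:16:02|alice|mfa_push_denied|198.51.100.7
2024-09-12T22:17:40|alice|mfa_push_approved|198.51.100.7
2024-09-12T22:18:30|alice|mfa_method_added|198.51.100.7
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str
    src_ip: str


def parse_log(text):
    """Parse the constructed log into events, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, ip = line.split("|")
        events.append(AuthEvent(datetime.fromisoformat(ts), user, event, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events, min_denied=3, window=timedelta(minutes=10)):
    """Flag an approval that follows a burst of denied pushes for the same user.

    A user who rejects several prompts and then approves one is the classic
    MFA-fatigue signature; a single denied-then-approved pair is normal noise.
    """
    findings = []
    denied = defaultdict(list)  # user -> timestamps of recently denied pushes
    for e in events:
        if e.event == "mfa_push_denied":
            denied[e.user].append(e.ts)
        elif e.event == "mfa_push_approved":
            recent = [t for t in denied[e.user] if e.ts - t <= window]
            if len(recent) >= min_denied:
                findings.append({"user": e.user, "rule": "mfa_fatigue", "ts": e.ts,
                                 "src_ip": e.src_ip, "denied_count": len(recent)})
            denied[e.user].clear()  # the approval closes the burst either way
    return findings


def detect_new_method_from_unseen_ip(events):
    """Flag MFA method enrolment from an IP the user has never signed in from.

    Registering a new authenticator is how a stolen credential is turned into a
    durable foothold, so doing it from an unfamiliar source is worth a look.
    """
    findings = []
    known_ips = defaultdict(set)  # user -> IPs seen on earlier successful sign-ins
    for e in events:
        if e.event == "signin_success":
            known_ips[e.user].add(e.src_ip)
        elif e.event == "mfa_method_added" and e.src_ip not in known_ips[e.user]:
            findings.append({"user": e.user, "rule": "new_mfa_method_from_unseen_ip",
                             "ts": e.ts, "src_ip": e.src_ip})
    return findings


def analyse(text):
    """Run every rule over one log and return the combined findings."""
    events = parse_log(text)
    return detect_mfa_fatigue(events) + detect_new_method_from_unseen_ip(events)


def prioritise(findings):
    """Collapse findings into one ordered view: identities with the most rule hits first."""
    per_user = defaultdict(list)
    for f in findings:
        per_user[f["user"]].append(f["rule"])
    return sorted(per_user.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for user, rules in prioritise(hits):
        print(f"{user}: {len(rules)} finding(s) -> {', '.join(rules)}")
```

Run stand-alone, the script reports only `alice`, whose denied-then-approved burst and new authenticator from an unfamiliar address both fire, while `bob`'s single rejected prompt stays below the threshold. The value of the second function is in the correlation: neither an approved push nor a new MFA method is suspicious on its own, which is why consolidating identity signals into one view matters.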

Additionally, user awareness training is critical. Employees must be vigilant and recognise suspicious activities, while cybersecurity teams must operate with heightened diligence. I strongly encourage organisations to practise incident response as part of their crisis management exercises.

Detect identity attacks anywhere in your network

In today’s hybrid enterprise environment, the nature of cyber attacks has also evolved to become hybrid, with a significant focus on identity-based threats. It is essential to integrate signals across the entire attack surface and consolidate them into a single, prioritised view. This approach enables defenders to swiftly investigate and respond, effectively mitigating these attacks before they reach a point of impact.

*Chris Fisher is Regional Director, Australia & New Zealand for Vectra AI. Chris is focused on ensuring Vectra’s customers have the security foundation required to embrace new technology and lines of business, allowing them to digitally transform while reducing business risk and improving their security posture. Chris has more than 20 years of cybersecurity experience, from practitioner through to strategic advisor for large organisations.

Top image credit: iStock.com/atakan
