On July 29, 2025, the Cybersecurity & Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation, Canadian Centre for Cyber Security, Royal Canadian Mounted Police, the Australian Cyber Security Centre’s Australian Signals Directorate, and the Australian Federal Police and National Cyber Security Centre, issued an updated advisory on threat actor Scattered Spider, which is presently “targeting commercial facilities sectors and subsectors.”
The advisory includes actions “to take today” to mitigate an attack from threat actors:
1. Maintain offline backups of data that are stored separately from the source systems and tested regularly.
2. Enable and enforce phishing-resistant multifactor authentication (MFA).
3. Implement application controls to manage and control software execution.
According to the advisory, Scattered Spider is engaged in data theft for extortion and uses various ransomware variants, including DragonForce. Scattered Spider threat actors have continuously changed their tactics, techniques, and procedures (TTPs) “to remain undetected.”
The threat actors associated with Scattered Spider have targeted “large companies and their contracted information technology (IT) help desks.” The methods used include:
- Posing as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network.
- Posing as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access.
- Posing as IT staff to convince employees to share their one-time password (OTP), an MFA code.
- Posing as employees to convince IT and/or helpdesk staff to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a separate device the threat actors control.
- Sending repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue).
- Convincing cellular carriers to transfer control of a targeted user’s phone number to a SIM card in their possession, gaining control over the phone and access to MFA prompts.
- Monetizing access to targeted organizations’ networks in numerous ways, including extortion enabled by ransomware and data theft.
The impersonation of company employees or IT professionals continues to be a successful way for threat actors, including Scattered Spider, to attack. It is important that employees be wary of requests from IT staff and highly suspicious of any request for credentials. It is critical that help desk staff, and the subcontractors who staff the help desk after hours, are aware of the methods threat actors are using against them.
CISA and its partners provided the most recent TTPs of Scattered Spider, including that it is targeting the “organization’s Snowflake access to exfiltrate large volumes of data in a short time, often running thousands of queries immediately.” In addition, they create “new identities in the environment … often upheld with fake social media profiles to backstop newly created identities. Scattered Spider threat actors consistently use proxy networks and rotate machine names to further hamper detection and response.” Scary stuff.
A recent mitigation includes, “Look for ‘risky logins’ within environments where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behavior.”
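As an added illustration (not part of the advisory or of this post), the detection sketch below turns three of the behaviours described above into checks that run over a log: repeated MFA push prompts to one user (MFA fatigue), a burst of thousands of Snowflake queries from one identity, and one user signing in under a series of different machine names. The events, the event field layout, the user names and the thresholds are all constructed for the example and are not any vendor’s schema or any recommended tuning.

```python
"""Added example: sliding-window detections for MFA fatigue, bulk Snowflake
querying and machine-name rotation, run over constructed audit events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed event layout (not a real product schema):
#   (ISO-8601 timestamp, user, kind, detail)
#   kind "mfa_push"        detail = prompt outcome ("approved"/"denied")
#   kind "signin"          detail = machine name presented at sign-in
#   kind "snowflake_query" detail = query text (only the count matters)
BASE = datetime(2025, 7, 29, 9, 0, 0)


def _ts(milliseconds):
    """Timestamp string `milliseconds` after BASE (helper for sample data)."""
    return (BASE + timedelta(milliseconds=milliseconds)).isoformat()


# Constructed sample events: one normal user per pattern, one suspicious user.
SAMPLE_EVENTS = (
    [(_ts(0), "bob", "mfa_push", "approved")]                      # single prompt
    + [(_ts(10_000 * i), "alice", "mfa_push", "denied") for i in range(7)]  # 7 prompts/min
    + [(_ts(300_000 + 400_000 * i), "dave", "signin", "LAPTOP-DAVE") for i in range(4)]
    + [(_ts(300_000 + 400_000 * i), "carol", "signin", f"WS-{i:03d}") for i in range(4)]
    + [(_ts(600_000 + 200 * i), "svc_bi", "snowflake_query", f"SELECT * FROM t{i}")
       for i in range(1200)]                                        # 1,200 queries in 4 min
)


def _parse(events):
    """Parse timestamps and return events in time order."""
    return sorted(((datetime.fromisoformat(t), u, k, d) for t, u, k, d in events),
                  key=lambda e: e[0])


def find_bursts(events, kind, threshold, window_seconds):
    """Per-user sliding window over events of `kind`; report the first moment a
    user accumulates `threshold` such events inside `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    hits = {}
    for ts, user, ev_kind, _detail in _parse(events):
        if ev_kind != kind:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in hits:
            hits[user] = {"count": len(q), "start": q[0].isoformat(), "end": ts.isoformat()}
    return hits


def find_device_churn(events, threshold, window_seconds):
    """Flag users that present `threshold` or more distinct machine names at
    sign-in within `window_seconds` (the 'rotate machine names' behaviour)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> (timestamp, machine name) in window
    hits = {}
    for ts, user, ev_kind, device in _parse(events):
        if ev_kind != "signin":
            continue
        q = recent[user]
        q.append((ts, device))
        while ts - q[0][0] > window:
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold and user not in hits:
            hits[user] = sorted(devices)
    return hits


def mfa_fatigue_alerts(events, prompts=5, window_seconds=300):
    """MFA fatigue: `prompts` or more push prompts to one user in the window."""
    return find_bursts(events, "mfa_push", prompts, window_seconds)


def snowflake_bulk_query_alerts(events, queries=1000, window_seconds=600):
    """Bulk exfiltration pattern: `queries` or more Snowflake queries by one identity."""
    return find_bursts(events, "snowflake_query", queries, window_seconds)


def machine_name_rotation_alerts(events, devices=3, window_seconds=3600):
    """One user, several machine names within the window."""
    return find_device_churn(events, devices, window_seconds)


if __name__ == "__main__":
    for name, fn in [("mfa_fatigue", mfa_fatigue_alerts),
                     ("snowflake_bulk", snowflake_bulk_query_alerts),
                     ("machine_rotation", machine_name_rotation_alerts)]:
        print(f"{name}: {fn(SAMPLE_EVENTS)}")
```

Each detector reports the first moment a threshold is crossed, so a noisy account produces one alert rather than one per event; the threshold and window are parameters because the right values depend on how a given organization’s users, help desk and Snowflake workloads normally behave.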
The advisory is full of useful information and mitigations that are worthy of urgent consideration.