When cybercrime makes headlines, the conversation usually turns to ransomware payloads, zero-days, or patching lapses. But in the case of Scattered Spider, the threat isn’t just technological; it’s psychological.
This group has elevated social engineering to a fine art, targeting the most vulnerable point in many entities: people.
Since 2022, Scattered Spider (also tracked as UNC3944, 0ktapus, Muddled Libra, Scatter Swine, Octo Tempest, and Storm-0875) has launched targeted, high-impact campaigns that have cost companies like Qantas, Harrods, MGM, and Marks & Spencer hundreds of millions in damages.
Their tactics rely less on technical exploits and more on strategic deception, identity abuse, and a deep understanding of operational cracks.
We asked a panel of experts to weigh in on what leaders can learn (and how they can respond).
A Financially Motivated Scourge
Ross Moore, an Information Security Researcher, opens: “Scattered Spider is primarily financially motivated, so it makes sense that their targets are large organizations. Some of its large targets have been Marks & Spencer (M&S), Clorox, and MGM.”
Moore runs the numbers:
- Clorox lost about $49 million after a late 2023 breach.
- MGM suffered at least $110 million in damage when attackers used BlackCat ransomware to encrypt over 100 hypervisors.
- M&S experienced daily losses in the millions, with total damages reaching £300 million.
“These numbers aren’t isolated,” Moore explains. “That’s a lot of damage from just a few of the many attacks SS has made since they showed up on the scene in 2022. It’s worth paying attention to their tactics.”
Foundational Mitigations
And those tactics are telling. “Scattered Spider is known for its Initial Access techniques of phishing and impersonation. Looking at the MITRE ATT&CK Navigator, under Initial Access (Phishing and Trusted Relationships) we see several mitigations, most of which are foundational.”
Moore is blunt: these defenses aren’t groundbreaking, they’re basic. “MFA, account management, antimalware, configuration audits, and user training. Some of the more complex mitigations, like segmentation, are not out of reach for technical teams and are well worth implementing.”
But scale is a problem. “When a company has maybe up to 100 people, it’s easier to know coworkers by voice, maybe even have most of them in the office. But when orgs like Clorox employ around 8,000, Qantas has about 29,000, and Marks & Spencer over 66,000, it’s impossible to keep up with who’s who.”
That’s where Scattered Spider thrives. Moore emphasizes that employee empowerment is key. “Employees need to have a clear directive, backed by their managers, that they have the freedom to delay and report suspicious activity, and a quick and easy method to do so.”
He pushes for secure, documented procedures for high-risk actions like password resets. “It may seem that a few minutes of waiting or hassle is bad for business,” he says.
“But consider the alternative. If employees have an insecure and hassle-free experience for four years, and in year five that experience ends up costing $100 million, those previous four years mean nothing.” Ross Moore, Information Security Researcher
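Moore’s documented procedure for high-risk actions, and Thornton-Trump’s later point about help desk identity verification, can be written down as a policy check that an agent cannot skip. This is an added example, not code from the article or any of the panelists; the field names, the 30-minute hold period and the decision rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not from the article: a help-desk reset procedure as code.
# Field names and the 30-minute hold are assumptions for illustration.
HOLD_PERIOD = timedelta(minutes=30)  # the deliberate "hesitation" built into the process


@dataclass
class ResetRequest:
    account: str
    privileged: bool           # admin, finance or IT role with elevated access
    changes_mfa_device: bool   # re-enrolling an authenticator, not only a password
    callback_verified: bool    # agent called the number on file, not one the caller gave
    manager_approved: bool     # a second person approved the ticket
    submitted_at: datetime
    now: datetime


def decide(req: ResetRequest) -> str:
    """Return 'approve', 'hold' or 'escalate' for one reset request."""
    # Identity is confirmed only over a channel the caller does not control.
    if not req.callback_verified:
        return "escalate"
    # High-risk actions need a second person, whoever is asking.
    if (req.privileged or req.changes_mfa_device) and not req.manager_approved:
        return "escalate"
    # Privileged resets complete only after the hold period, giving the real
    # account owner time to notice a reset notification they did not trigger.
    if req.privileged and req.now - req.submitted_at < HOLD_PERIOD:
        return "hold"
    return "approve"


def triage(requests: list[ResetRequest]) -> dict[str, str]:
    """Map each account to its decision, as a shift supervisor's queue view."""
    return {r.account: decide(r) for r in requests}


# Constructed sample tickets, not real data.
T0 = datetime(2025, 1, 6, 9, 0)
SAMPLE_REQUESTS = [
    ResetRequest("j.doe", False, False, True, False, T0, T0 + timedelta(minutes=2)),
    ResetRequest("cto", True, True, False, True, T0, T0 + timedelta(hours=1)),
    ResetRequest("dba-admin", True, False, True, True, T0, T0 + timedelta(minutes=10)),
    ResetRequest("svc-owner", True, False, True, True, T0, T0 + timedelta(minutes=45)),
]

if __name__ == "__main__":
    for account, outcome in triage(SAMPLE_REQUESTS).items():
        print(f"{account}: {outcome}")
```

An “escalate” outcome is the point at which the agent is expected to say “let me check” and hand the ticket to security review rather than complete it.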
Keep it Simple
And for smaller organizations? Keep it simple. “Perhaps the two activities that would present the greatest leverage for defense for SMBs are MFA and education. Not just ‘beware criminals’, but what to look for in various forms of social engineering.”
Moore zeroes in on the front lines: “Customer and technical support staff are often the hardest hit. They’re put on the spot to provide the best customer experience. That makes them soft targets.” His question to leaders: “Are your employees prepared for those interactions?”
Breaching Trust
Chloé Messdaghi, Founder & Principal Advisor at Thornbridge Advisory, adds: “Scattered Spider attacks remind us that the weakest point in any security program is often the human element.”
“These adversaries aren’t just breaching networks, they’re breaching trust.” Chloé Messdaghi, Founder & Principal Advisor at Thornbridge Advisory
Where Moore focuses on scale and systems, Messdaghi zooms in on what she calls “the human layer of defense.”
“They exploit help desks, impersonate internal staff, and abuse access controls by leveraging public information, social engineering, and gaps in identity verification,” she explains. “Their tactics are patient, highly targeted, and disturbingly effective.”
She challenges the traditional security perimeter concept: “It’s no longer just your firewalls, endpoints, or threat detection tools. It’s your people, your internal workflows, and the ways in which trust and access are granted, often too easily.”
Messdaghi calls for tighter identity and access governance, strong MFA, and robust verification protocols, particularly for privileged users and support teams. But she’s quick to note: tools alone aren’t enough.
“Scenario-based, role-specific awareness training needs to move beyond check-the-box compliance,” she says. “Employees should be prepared to recognize and respond to real-world social engineering tactics — not just generic phishing emails.”
She points to recurring blind spots that Scattered Spider exploits again and again:
- Over-permissioned accounts
- Inconsistent offboarding
- Unmanaged third-party access
And she names the industries most exposed: telecom, gaming, healthcare, and financial services, sectors where trust is built into the service model and where downtime is costly.
“The lesson is clear,” she warns. “We can’t afford to treat people, identity, and operational workflows as peripheral to cybersecurity. They are now central to both risk and resilience.”
An Interesting Challenge
Ian Thornton-Trump, CISO at Inversion 6, offers a wider-angle view, one that connects the threat to a larger social trend.
“Scattered Spider presents a really interesting challenge in a lot of different ways,” he says. “One of the first is the estimated raw number of operatives and the sudden realization that we actually have a youth cybercrime problem.”
He traces many members back to an underground group known as The Community, or “The Com.” He compares them to Anonymous in its early days: decentralized, motivated, skilled. “But where we are right now is different,” he says. “The good news? Lots of Scattered Spider members are getting arrested. The bad news? There’s no end in sight.”
Why? Because this is fast money. “Senior members of the organization are aggressively grooming juniors. And many of these recruits come from areas deprived in terms of opportunity. Police are struggling with that uncomfortable reality.”
“This is a Supply Chain”
He emphasizes that this is a supply chain, and breaking one link won’t stop the others. “Even though we can celebrate the victory of the four arrests in relation to Scattered Spider, it’s a reminder that for each one arrested, many others are ready to take their place.”
Back on the corporate side, he identifies a recurring theme: weak help desk verification. “We’re seeing real difficulties in outsourcing help desk procedures or even having internal ones that are light on verification of identity. That’s a problem.”
But it’s not all bad news. “Some companies succeeded. Harrods announced they successfully identified and fought off the attack. Co-op didn’t fare as well, but certainly wasn’t impacted to the extent Marks & Spencer was. There is hope.”
Technically, Thornton-Trump notes a shift in focus. “They’re not spending much time living off the land on endpoints. They’re moving quickly into cloud-based environments, especially the ESXi hosting layer. That’s where the crown jewels are.”
He explains the broader playbook: “Where Scattered Spider stops, ransomware-as-a-service like DragonForce comes into play. The access specialists pass the baton to those who do the encryption and destruction. It’s a collaboration.”
“We’re maybe at the walk stage when it comes to endpoint protection, but browser security, cloud segmentation, identity hygiene, those are still lagging. And that’s exactly where attackers are going.” Ian Thornton-Trump, CISO at Inversion 6
Make Hesitation Part of the Process
Scattered Spider is a threat group, sure, but it’s also a case study in how gaps in culture, communication, and trust can be weaponized. These attackers don’t need to hack your systems, they just need to manipulate your people.
The real lesson here? If you want to reduce risk, look inward. Train your teams. Tighten your workflows. Make hesitation part of the process, not a career risk.
Because in a world where attackers call the help desk pretending to be your CTO, your best defense might just be someone who knows it’s okay to say, “I’m not sure, let me check.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.