Cyber Security News

SCATTERED SPIDER Hackers Attack IT Support Teams and Bypass Multi-Factor Authentication

A sophisticated cybercriminal group known as SCATTERED SPIDER has emerged as one of the most dangerous threats facing organizations today, demonstrating an alarming ability to bypass multi-factor authentication through cunning social engineering tactics targeting IT support teams.

This threat actor, active since at least 2022, represents a significant evolution in ransomware operations by combining technical expertise with psychological manipulation to devastating effect.

Unlike traditional ransomware groups that rely heavily on automated exploits or mass phishing campaigns, SCATTERED SPIDER distinguishes itself through its use of native English speakers who possess deep cultural familiarity with Western corporate environments.

This linguistic and cultural fluency enables the group to execute highly convincing impersonation attacks against help desk personnel and IT support staff, often resulting in successful credential theft and system compromise within hours of initial contact.

SOSIntelligence analysts have identified SCATTERED SPIDER as operating primarily as an Initial Access Broker (IAB) and affiliate actor, working in partnership with the DragonForce ransomware-as-a-service operation.

The group’s financial motivation drives their aggressive tactics, which include threats to publicly leak sensitive data through dark web portals if ransom demands are not met.

Recent high-profile incidents attributed to the group include the 2023 MGM Resorts attack, which caused widespread IT disruption across casinos and hotels through a simple phone-based social engineering operation.

The group’s impact extends far beyond individual organizations, affecting critical sectors including hospitality, telecommunications, finance, and retail across both the United Kingdom and United States.

Their attacks have demonstrated the vulnerability of even well-defended organizations to human-centric intrusion strategies, challenging traditional cybersecurity frameworks that focus primarily on technical controls rather than human factors.

SCATTERED SPIDER’s operations represent a troubling shift toward professionalized cybercrime, where specialization and scalability have become the dominant operational models.

DragonForce (Source – SOSIntelligence)

The group’s partnership with DragonForce RaaS allows them to focus on their core competency of gaining initial access while outsourcing encryption and extortion capabilities to dedicated ransomware developers.

Social Engineering and MFA Bypass Tactics

The most concerning aspect of SCATTERED SPIDER’s methodology lies in their sophisticated approach to circumventing multi-factor authentication systems through targeted social engineering.

The group employs a multi-stage process that begins with extensive reconnaissance using open-source intelligence (OSINT) to gather detailed information about target organizations and their personnel.

During the initial access phase, attackers frequently employ vishing (voice phishing) techniques, calling IT support teams while impersonating legitimate employees who claim to be locked out of their accounts.

These calls are carefully crafted to create urgency and pressure, with attackers requesting MFA resets or password changes while providing convincing personal details gathered during reconnaissance.

The group’s native English fluency and understanding of Western corporate culture make these impersonation attempts particularly effective.

Technical analysis reveals that SCATTERED SPIDER combines these social engineering tactics with SIM-swapping operations and MFA fatigue attacks to intercept or bypass two-factor authentication mechanisms.

Once initial access is achieved, the group rapidly deploys legitimate administrative tools such as PowerShell and PsExec for lateral movement, often using Living off the Land techniques that avoid traditional security detection methods.

The group’s targeting of identity infrastructure represents perhaps their most dangerous capability.

By focusing on systems like Okta, Active Directory, and Azure AD, SCATTERED SPIDER can gain control over the fundamental trust fabric of an organization, enabling widespread access and persistence that traditional endpoint security measures struggle to detect and contain.
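As an added defensive example (not from the article or SOSIntelligence), the two patterns described above, a help-desk MFA reset followed by a sign-in from an address new to that user, and push-notification fatigue ending in an approval, expressed as correlation rules over a constructed identity-provider audit log; the event names and field layout are assumptions for illustration, not Okta's or any other vendor's schema.

```python
"""Added example, not from the article: correlate identity-provider audit events for
the two MFA bypass patterns above. Event layout/names are a constructed stand-in."""
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=2)       # factor reset -> login from unseen IP
FATIGUE_WINDOW = timedelta(minutes=10)  # push denials preceding a success
FATIGUE_DENIALS = 2
# Constructed sample log: (timestamp, event, actor, target_user, source_ip)
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "login.success",    "alice",     "alice", "203.0.113.10"),
    ("2025-01-10T09:30:00", "login.success",    "carol",     "carol", "203.0.113.44"),
    ("2025-01-10T09:40:00", "mfa.factor.reset", "helpdesk1", "alice", "10.0.0.5"),
    ("2025-01-10T09:53:00", "login.success",    "alice",     "alice", "198.51.100.7"),
    ("2025-01-10T13:00:00", "mfa.push.deny",    "bob",       "bob",   "198.51.100.9"),
    ("2025-01-10T13:03:00", "mfa.push.deny",    "bob",       "bob",   "198.51.100.9"),
    ("2025-01-10T13:06:00", "login.success",    "bob",       "bob",   "198.51.100.9"),
    ("2025-01-10T14:00:00", "mfa.factor.reset", "helpdesk1", "carol", "10.0.0.5"),
    ("2025-01-10T14:10:00", "login.success",    "carol",     "carol", "203.0.113.44"),
]

def reset_then_unseen_ip(events):
    """Help-desk factor reset, then a login within RESET_WINDOW from an IP new to that user."""
    alerts = []
    for r in events:  # actor != user excludes self-service resets from this rule
        if r["event"] == "mfa.factor.reset" and r["actor"] != r["user"]:
            seen = {e["ip"] for e in events if e["event"] == "login.success"
                    and e["user"] == r["user"] and e["ts"] < r["ts"]}
            for e in events:
                if (e["event"] == "login.success" and e["user"] == r["user"] and
                        r["ts"] < e["ts"] <= r["ts"] + RESET_WINDOW and e["ip"] not in seen):
                    alerts.append(("reset_then_unseen_ip", r["user"], r["actor"], e["ip"]))
    return alerts

def push_fatigue(events):
    """FATIGUE_DENIALS+ push denials in FATIGUE_WINDOW, then a success: the user gave in."""
    alerts = []
    for e in events:
        if e["event"] == "login.success":
            denials = sum(1 for d in events if d["event"] == "mfa.push.deny"
                          and d["user"] == e["user"]
                          and e["ts"] - FATIGUE_WINDOW <= d["ts"] < e["ts"])
            if denials >= FATIGUE_DENIALS:
                alerts.append(("push_fatigue_then_success", e["user"], denials, e["ip"]))
    return alerts

def run(rows=SAMPLE_EVENTS):
    events = [dict(ts=datetime.fromisoformat(t), event=e, actor=a, user=u, ip=ip)
              for t, e, a, u, ip in rows]
    return reset_then_unseen_ip(events) + push_fatigue(events)
```

On the constructed sample, alice (reset, then a sign-in from an unseen address) and bob (two denied pushes, then a success) are flagged, while carol's reset followed by a sign-in from her usual address is not.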


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
