Description
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)
Techniques Used (TTPs)
- T1598 — Phishing for Information (reconnaissance)
- T1553.002 — Code Signing (defense-evasion)
- T1556.009 — Conditional Access Policies (credential-access, defense-evasion, persistence)
- T1580 — Cloud Infrastructure Discovery (discovery)
- T1003.003 — NTDS (credential-access)
- T1087.002 — Domain Account (discovery)
- T1484.002 — Trust Modification (defense-evasion, privilege-escalation)
- T1564.008 — Email Hiding Rules (defense-evasion)
- T1539 — Steal Web Session Cookie (credential-access)
- T1552.004 — Private Keys (credential-access)
- T1538 — Cloud Service Dashboard (discovery)
- T1486 — Data Encrypted for Impact (impact)
- T1133 — External Remote Services (persistence, initial-access)
- T1204 — User Execution (execution)
- T1556.006 — Multi-Factor Authentication (credential-access, defense-evasion, persistence)
- T1083 — File and Directory Discovery (discovery)
- T1219 — Remote Access Tools (command-and-control)
- T1657 — Financial Theft (impact)
- T1213.003 — Code Repositories (collection)
- T1098.003 — Additional Cloud Roles (persistence, privilege-escalation)
- T1621 — Multi-Factor Authentication Request Generation (credential-access)
- T1213.005 — Messaging Applications (collection)
- T1068 — Exploitation for Privilege Escalation (privilege-escalation)
- T1530 — Data from Cloud Storage (collection)
- T1217 — Browser Information Discovery (discovery)
- T1006 — Direct Volume Access (defense-evasion)
- T1136 — Create Account (persistence)
- T1018 — Remote System Discovery (discovery)
- T1567.002 — Exfiltration to Cloud Storage (exfiltration)
- T1598.004 — Spearphishing Voice (reconnaissance)
- T1074 — Data Staged (collection)
- T1021.007 — Cloud Services (lateral-movement)
- T1578.002 — Create Cloud Instance (defense-evasion)
- T1552.001 — Credentials In Files (credential-access)
- T1114 — Email Collection (collection)
- T1656 — Impersonation (defense-evasion)
Total TTPs: 36
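The list above is the page's raw TTP inventory in the form "- Txxxx — Name (tactic, tactic)". What a defender usually does next is turn such a list into an ATT&CK Navigator layer so the group's techniques can be overlaid on detection coverage. The following is an added example, not code from the ATT&CK page or from MITRE: it parses lines in the page's own list format (a few lines from the list above are embedded as constructed sample input), counts techniques per tactic, and emits a Navigator layer with one entry per technique/tactic pair. The layer field names and the version strings ("attack": "14", "navigator": "4.9.1", "layer": "4.5") are assumptions based on the Navigator layer format and should be adjusted to the Navigator build you load it into.

```python
import json
import re
from collections import Counter

# Constructed sample input: four lines copied in the page's own list format.
SAMPLE_TTP_LINES = """\
- T1598 — Phishing for Information (reconnaissance)
- T1556.009 — Conditional Access Policies (credential-access, defense-evasion, persistence)
- T1621 — Multi-Factor Authentication Request Generation (credential-access)
- T1486 — Data Encrypted for Impact (impact)
"""

# Accepts an em dash, en dash or hyphen between the ID and the name, and a
# parenthesised comma-separated tactic list at the end of the line.
LINE_RE = re.compile(
    r"^-\s*(T\d{4}(?:\.\d{3})?)\s*[—–-]\s*(.+?)\s*\(([^)]*)\)\s*$"
)


def parse_ttp_lines(text):
    """Parse '- Txxxx — Name (tactic, tactic)' lines into dicts.

    Raises ValueError on a line that does not match, so a malformed or
    truncated export is noticed instead of silently dropped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised TTP line: {line!r}")
        tid, name, tactics = m.groups()
        entries.append({
            "id": tid,
            "name": name,
            "tactics": [t.strip() for t in tactics.split(",") if t.strip()],
        })
    return entries


def tactic_counts(entries):
    """Number of techniques attributed to each tactic (a technique with
    three tactics counts once under each)."""
    counts = Counter()
    for e in entries:
        counts.update(e["tactics"])
    return dict(counts)


def to_navigator_layer(entries, layer_name="Scattered Spider (G1015)"):
    """Build an ATT&CK Navigator layer dict.

    Navigator keys one cell per (technique, tactic), so a technique listed
    under several tactics gets one entry per tactic. Version strings are
    assumptions (see lead-in); change them to match your Navigator build.
    """
    techniques = []
    for e in entries:
        for tactic in e["tactics"]:
            techniques.append({
                "techniqueID": e["id"],
                "tactic": tactic,
                "score": 1,
                "color": "#ff6666",
                "comment": e["name"],
                "enabled": True,
                "showSubtechniques": True,
            })
    return {
        "name": layer_name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques attributed to the group, one entry per technique/tactic pair.",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": "Used by group", "color": "#ff6666"}],
    }


if __name__ == "__main__":
    parsed = parse_ttp_lines(SAMPLE_TTP_LINES)
    print(tactic_counts(parsed))
    print(json.dumps(to_navigator_layer(parsed), indent=2))
```

To use it on the full page, paste all 36 list lines into `SAMPLE_TTP_LINES` (or read them from a file) and load the printed JSON into Navigator via "Open Existing Layer"; scoring each entry 1 lets you later add a second layer with your detection coverage and use Navigator's layer arithmetic to highlight attributed techniques you do not detect.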
Malware & Tools
Malware: BlackCat, WarzoneRAT