BusinessCybersecurityNewswireTechnology

Scattered Spider Operates as a Cybercrime Collective

▼ Summary

– Scattered Spider is now classified as a decentralized cybercrime collective of independent clusters, not a single organized group.
– Group-IB’s analysis challenges the view of coordinated operations, noting multiple actors share tactics and tools but act separately.
– The decentralized structure explains why Scattered Spider activity persists despite arrests and disruption efforts targeting members.
– Social engineering, such as impersonating IT or HR teams to steal credentials, remains a common tactic across all clusters.
– Group-IB recommends organizations defend against shared tactics like identity-based attacks, as individual arrests won’t eliminate the broader threat.

Security researchers have redefined Scattered Spider as a decentralized cybercrime collective made up of independent clusters, rather than a single, unified threat group.

A detailed analysis from Group-IB, released on June 7, pushes back on the conventional understanding that this activity is one coordinated campaign. Instead, the firm argues that multiple actors share similar tactics, tools, and communities but operate separately. This structure helps clarify why Scattered Spider related activity has persisted even after arrests and disruption efforts targeted specific alleged members.

The group, known by various names across the security industry including 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, has been tied to a string of high-profile breaches since 2022.

A Collective Defined by Tactics, Not Hierarchy

Group-IB’s research concludes that Scattered Spider lacks a central hierarchy or shared leadership. Instead, it functions as a collection of smaller clusters linked by common techniques, tools, and online forums. The report compares this structure to the Anonymous hacktivist collective, where separate groups act under a shared identity without direct coordination.

Importantly, the analysis suggests that some incidents previously blamed on Scattered Spider may have been the work of unrelated actors. Group-IB specifically separates its 0ktapus tracking from the cluster responsible for attacks on Marks & Spencer and Co-op, stating there is no evidence the same individuals were involved.

Across the observed clusters, Group-IB identified recurring targeting patterns:

  • Employees at technology and communications firms used as initial access points
  • Mobile carrier staff targeted for SIM swapping
  • Cryptocurrency users hit by fraud campaigns
  • Enterprises compromised for extortion and ransomware

Social Engineering Remains the Core Tactic

Despite the decentralized nature of the clusters, social engineering remains a universal thread. Attackers routinely impersonate IT, security, or HR teams to trick employees into handing over credentials or access. The research notes that phishing pages often mimic identity providers like Okta, Microsoft, Citrix, and Google.

Group-IB also observed some clusters blending enterprise compromises with cryptocurrency theft. Attackers used stolen credentials, SIM swaps, and phishing to target crypto users while simultaneously compromising organizations to gather intelligence on potential victims. Some clusters have also deployed commercial remote access tools such as AnyDesk and recruited insiders at telecom companies to facilitate unauthorized access.

Group-IB concludes that Scattered Spider’s decentralized model means arrests of individual members are unlikely to dismantle the broader threat. The real defense, the firm argues, lies in organizations protecting against the shared tactics used across all clusters, especially identity-based attacks and social engineering campaigns.

(Source: Infosecurity Magazine)

Topics

decentralized cybercrime 95% group-ib analysis 92% threat group structure 90% shared tactics and tools 88% social engineering attacks 87% phishing campaigns 85% targeting patterns 83% sim swapping operations 80% cryptocurrency theft 79% extortion and ransomware 78%