Bolster Defenses Against Scattered Spider Attacks, Experts Warn

Summary
– Experts at the Gartner Summit 2025 urged organizations to urgently update defenses against the Scattered Spider hacking group’s novel and effective techniques.
– The group successfully targeted retail, insurance, and transportation sectors in 2025 using a consistent playbook involving data access, ransomware, and threats of physical violence.
– A key attack method involves social engineering, such as vishing IT helpdesks for password resets and using “push notification fatigue” to bypass MFA.
– To protect against these attacks, organizations must focus on mature identity protection, update processes to counter social engineering, and enhance third-party risk management.
– The group’s activity declined due to law enforcement arrests and internal disputes, but similar tactics are being adopted by other threat actors like ShinyHunters.
Businesses face an urgent need to strengthen their cybersecurity posture against the sophisticated methods of the Scattered Spider hacking collective, as highlighted by experts at the recent Gartner Security & Risk Management Summit. This group has demonstrated a remarkable ability to breach major organizations, making a proactive defense strategy essential. The primary areas requiring immediate attention are identity management tools, security processes designed to counter social engineering, and robust third-party risk management frameworks.
From April to July 2025, this criminal group, which has ties to The Com network, successfully targeted a series of high-profile companies. Their campaign began with attacks on prominent retailers before shifting to the insurance and transportation sectors. Their consistent playbook involved gaining access to sensitive data and deploying ransomware. Alarmingly, the group has also been known to use threats of physical violence against executives as part of their extortion strategy. While law enforcement actions and internal disputes have reportedly reduced their activity recently, the tactics they pioneered remain a severe threat, especially as other groups like ShinyHunters adopt similar approaches. Evidence suggests possible collaboration between these entities, as seen in an attack on Jaguar Land Rover claimed by a group calling itself “Scattered Lapsus$ Hunters.”
A detailed case study presented by George Glass of Kroll illustrates how Scattered Spider operates. The attack began with a simple vishing call to an IT helpdesk, where the attacker impersonated a locked-out employee. After a password reset, they employed “push notification fatigue” to bypass multi-factor authentication, bombarding the user with approval requests until one was accidentally accepted. Once inside, the attacker swiftly changed MFA settings and used social engineering within platforms like Slack to move laterally. They deployed remote access tools and the AveMaria trojan to steal credentials, including a LastPass token that compromised eight secret keys. Kroll’s intervention stopped the attack just before the actors could access the victim’s AWS environment to exfiltrate data and deploy ransomware.
To defend against these methods, experts recommend a three-pronged approach. First, identity-based protection is critical. Since Scattered Spider’s entry point is often compromised credentials, moving beyond basic username and password authentication is vital. Organizations should connect all SaaS applications to a single sign-on (SSO) system and implement number matching MFA, which is more resistant to interception. Security teams must also monitor for unusual token usage to enable rapid detection and response.
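The push-fatigue sequence in Kroll's case study (a helpdesk password reset, a burst of push prompts until one is approved, then a change to the victim's MFA settings) lends itself to a concrete detection rule of the kind the "monitor for unusual token usage" advice calls for. The following is an added example, not code from the article, Kroll or Gartner; the event schema, field names and thresholds are assumptions that would be mapped onto a real identity provider's exported sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP events (the schema is an assumption): a helpdesk
# reset for "alice", six denied pushes, one approval, then an MFA change.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-06-03T09:55:00", "event": "password_reset", "result": "helpdesk"},
] + [
    {"user": "alice", "ts": f"2025-06-03T10:0{i}:00", "event": "mfa_push", "result": "denied"}
    for i in range(6)
] + [
    {"user": "alice", "ts": "2025-06-03T10:06:30", "event": "mfa_push", "result": "approved"},
    {"user": "alice", "ts": "2025-06-03T10:12:00", "event": "mfa_factor_change", "result": "ok"},
    {"user": "bob", "ts": "2025-06-03T10:00:00", "event": "mfa_push", "result": "approved"},
]

PUSH_WINDOW = timedelta(minutes=10)       # burst of prompts before an approval
RESET_LOOKBACK = timedelta(hours=1)       # helpdesk reset shortly before it
CHANGE_LOOKAHEAD = timedelta(minutes=30)  # MFA settings changed shortly after

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def detect_push_fatigue(events, threshold=5, window=PUSH_WINDOW):
    """Return one alert per user whose push approval followed at least
    `threshold` unapproved pushes inside `window`, plus two context flags:
    a password reset shortly before and an MFA factor change shortly after."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        pending = []  # timestamps of unapproved pushes since the last approval
        for e in (x for x in evs if x["event"] == "mfa_push"):
            t = _ts(e)
            if e["result"] != "approved":
                pending.append(t)
                continue
            burst = [p for p in pending if t - p <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user, "approved_at": e["ts"],
                    "pushes_before_approval": len(burst),
                    "helpdesk_reset_before": any(x["event"] == "password_reset"
                        and timedelta(0) <= t - _ts(x) <= RESET_LOOKBACK for x in evs),
                    "mfa_change_after": any(x["event"] == "mfa_factor_change"
                        and timedelta(0) <= _ts(x) - t <= CHANGE_LOOKAHEAD for x in evs),
                })
            pending = []  # an approval closes the current prompt sequence
    return alerts
```

An alert with both context flags set is the full chain from the case study and deserves immediate session revocation and a callback to the user through a known-good channel; a burst without the flags still merits review.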
Second, companies must update their internal processes to counter social engineering. This involves introducing deliberate friction into high-risk procedures. For example, requiring employees to verify their identity via a video call or in-person visit to the IT helpdesk for a password reset can effectively thwart impersonation attempts.
Finally, managing third-party risk is non-negotiable. Attackers frequently target technology vendors, such as identity providers, to gain a foothold. Building strong partnerships with vendors is essential, ensuring they will provide immediate alerts about potential breaches. As Debbie Janeczek of ING noted, having a vendor who will text about a breach is invaluable. Furthermore, organizations should continuously monitor disclosed incidents to understand emerging tactics and adapt their defenses accordingly, keeping a close watch on the evolving TTPs used by threat actors.
(Source: Info Security)