Scattered Spider Threat Actor Profile

Scattered Spider (also known as UNC3944 and Roasted 0ktapus) is a relatively new, financially motivated threat group that has been active since at least May 2022. The group is yet to receive a Microsoft designation but will fall into the Tempest (financially motivated) category once registered. The group commonly gains initial network access via stolen credentials obtained from SMS phishing operations and have been detected utilising Azure Serial Console to attain administrative console access to virtual machines (VMs) whilst executing a command prompt over the serial port.

Scattered Spider are reported to use a loader named ‘STONESTOP’ to install a malicious signed driver dubbed ‘POORTRY’, which is designed to terminate processes associated with security software and to delete files as part of a Bring Your Own Vulnerable Driver (BYOVD) attack. The group has been attributed to creating the STONESTOP and POORTRY toolkit to terminate security software.

Historically, Scattered Spider has mainly gained initial access to the victim environment via theft of administrative credentials by email and SMS phishing attacks or the use of stealware. Once credentials have been obtained, Scattered Spider use these to impersonate the admin and use sensitive data to gain access to the environment. Furthermore, they have also been observed continuing phishing attacks against other users, by leveraging the employee database. This is likely to maintain persistence and provides them with lateral movement within the network.

Targeted Sectors

Scattered Spider have targeted many sectors during their time in operation, including telecommunication, Business Process Outsourcing (BPO), Managed Security Service Provider (MSSP), financial services, cryptocurrency, entertainment, and transportation sectors.

Threat Actor Motivations

The motives of Scattered Spider can be evaluated by observing the strategies they apply within the context of their campaigns. Due to their target set, as well as the list of intrusion methods attributed to the group, it is highly likely Scattered Spider operations are motivated on the basis of financial gain.