BLOG
May 1, 2025
Decentralised and Dangerous: How Scattered Spider are causing chaos with UK Retailers
Scattered Spider, the threat actor believed to be behind the recent Marks and Spencer attack, is a decentralised cybercriminal collective that has gained notoriety for targeting major enterprises across industries, including hospitality, telecoms, and critical infrastructure. Also tracked as UNC3944, Muddled Libra, Starfraud, Scatter Swine, and Octo Tempest, the group operates more as a loose coalition of skilled individuals than a formal organisation. Many members are young, English-speaking, and coordinate via online platforms such as Telegram and Discord. This loose-knit structure can make profiling the tactics and techniques used by Scattered Spider challenging. In contrast, Russian ransomware groups have, in the past, produced entire standardised training manuals for their members.
While law enforcement has made several arrests linked to suspected members of Scattered Spider, the group’s decentralised structure and fluid affiliations have made broader disruption efforts difficult. Arrests have not significantly reduced the collective’s operational tempo, highlighting the resilience of its networked model and the financial incentives driving members to commit crimes.
The Evolution of Scattered Spider
Initially focused on credential theft and fraud involving telecom companies, Scattered Spider has rapidly grown into a highly disruptive and capable threat group. Over time, their operations have escalated from basic phishing tactics to more advanced campaigns involving data exfiltration, ransomware deployment, and even coercion through threats of physical harm.
Their progression includes a shift toward working with Ransomware-as-a-Service (RaaS) operations. Intelligence from CISA indicates that the group has frequently carried out data extortion and, in some cases, deployed BlackCat/ALPHV or Qilin ransomware alongside its usual toolset. This strategic pivot has broadened both the scale and impact of their operations, enabling lucrative double extortion attacks across a wider range of industries and geographies.
Since 2023, Scattered Spider has acted as an affiliate for groups including RansomHub, Qilin, and most recently, DragonForce (a ransomware operation launched in late 2023 that is expanding its offerings and reach within the cybercriminal underground).
Scattered Spider’s Key Tactics, Techniques and Procedures (TTPs)
Scattered Spider is recognised for its highly aggressive, adaptable and innovative approach to initial access, leveraging a blend of technical proficiency and psychological manipulation.
Through the sophisticated and strategic use of social engineering, the group employs a diverse range of methods to penetrate targeted environments, often with remarkable precision and reach. Their tactics include:
- Phishing and Smishing: Targeted credential theft via email, SMS, and fake websites
- Helpdesk Impersonation: Convincing IT staff to reset passwords or provide Multi-Factor Authentication (MFA) codes
- SIM Swapping: Hijacking mobile numbers to intercept authentication tokens
- MFA Fatigue: Bombarding users with MFA push prompts until one is approved, whether out of frustration or by mistake
- Fake domains and social media profiles to support impersonation and targeted phishing
Once initial access is gained, they:
- Deploy commercial remote access, administration or tunnelling tools (e.g., TeamViewer, ScreenConnect, Ngrok)
- Escalate privileges with stolen credentials, harvesting them from memory with tools like Mimikatz
- Establish persistence by creating new user accounts and enrolling attacker-controlled devices in MFA systems
- Exploit cloud infrastructure and enumerate assets across Active Directory
- Use off-the-shelf malware such as Raccoon Stealer, VIDAR, and BlackCat ransomware
- Exfiltrate sensitive data, targeting email accounts, SharePoint, and file servers
- Monitor employee communication platforms such as Teams in compromised organisations and even join calls and chats relating to incident response
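Two of the post-access behaviours above leave a clear trace in identity-provider audit logs: a burst of MFA push challenges to one user (MFA fatigue), and a new MFA device registered shortly after a password reset that the user did not perform themselves (the usual follow-up to a successful helpdesk impersonation). The following is an added example, not code from the original post or from Adarma, showing both detections run over a handful of constructed sample events. The event schema, field names, thresholds and windows are assumptions chosen for illustration, not any vendor's log format.

```python
"""Two detections for Scattered Spider-style MFA abuse, run over constructed sample events.

Rule 1: MFA fatigue - many push challenges to one user in a short window, optionally
        followed by an approval (meaning the attacker won).
Rule 2: MFA device registered shortly after a password reset that the user did not
        perform themselves (helpdesk, admin, or an attacker who talked their way into one).
Event schema, field names, thresholds and windows are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample audit events (not real logs). "actor" is who performed the action.
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T08:00:00Z", "user": "alice", "event": "mfa_push_sent", "actor": "idp"},
    {"ts": "2025-04-20T08:00:30Z", "user": "alice", "event": "mfa_push_sent", "actor": "idp"},
    {"ts": "2025-04-20T08:01:00Z", "user": "alice", "event": "mfa_push_sent", "actor": "idp"},
    {"ts": "2025-04-20T08:01:30Z", "user": "alice", "event": "mfa_push_sent", "actor": "idp"},
    {"ts": "2025-04-20T08:02:00Z", "user": "alice", "event": "mfa_push_sent", "actor": "idp"},
    {"ts": "2025-04-20T08:02:30Z", "user": "alice", "event": "mfa_push_sent", "actor": "idp"},
    {"ts": "2025-04-20T08:03:00Z", "user": "alice", "event": "mfa_push_approved", "actor": "alice"},
    {"ts": "2025-04-20T09:00:00Z", "user": "bob", "event": "mfa_push_sent", "actor": "idp"},
    {"ts": "2025-04-20T09:05:00Z", "user": "bob", "event": "mfa_push_approved", "actor": "bob"},
    {"ts": "2025-04-20T10:00:00Z", "user": "carol", "event": "password_reset", "actor": "helpdesk-jsmith"},
    {"ts": "2025-04-20T10:20:00Z", "user": "carol", "event": "mfa_device_registered", "actor": "carol"},
    {"ts": "2025-04-20T11:00:00Z", "user": "dave", "event": "password_reset", "actor": "dave"},
    {"ts": "2025-04-20T11:30:00Z", "user": "dave", "event": "mfa_device_registered", "actor": "dave"},
    {"ts": "2025-04-20T12:00:00Z", "user": "erin", "event": "mfa_device_registered", "actor": "erin"},
]


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received >= threshold push challenges inside `window`.

    Returns one finding per user: {"user", "pushes", "approved"}; `approved` is True
    when an approval followed the burst within `window` of its last push.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] in ("mfa_push_sent", "mfa_push_approved"):
            by_user[e["user"]].append((parse_ts(e["ts"]), e["event"]))

    findings = []
    for user, evs in by_user.items():
        pushes = [ts for ts, kind in evs if kind == "mfa_push_sent"]
        for i, start in enumerate(pushes):
            burst = [ts for ts in pushes[i:] if ts - start <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]
            approved = any(kind == "mfa_push_approved" and start <= ts <= last + window
                           for ts, kind in evs)
            findings.append({"user": user, "pushes": len(burst), "approved": approved})
            break  # one finding per user is enough to raise an alert
    return findings


def detect_post_reset_enrollment(events, window=timedelta(minutes=60)):
    """Flag an MFA device registered within `window` of a password reset performed
    by someone other than the user themselves."""
    resets = defaultdict(list)
    for e in events:
        if e["event"] == "password_reset" and e["actor"] != e["user"]:
            resets[e["user"]].append((parse_ts(e["ts"]), e["actor"]))

    findings = []
    for e in events:
        if e["event"] != "mfa_device_registered":
            continue
        t = parse_ts(e["ts"])
        for reset_ts, actor in resets.get(e["user"], []):
            if timedelta(0) <= t - reset_ts <= window:
                findings.append({"user": e["user"], "reset_by": actor,
                                 "minutes_after_reset": int((t - reset_ts).total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_EVENTS) + detect_post_reset_enrollment(SAMPLE_EVENTS):
        print(f)
```

Run against the sample, only alice (six pushes, then an approval) and carol (device enrolled 20 minutes after a helpdesk reset) are flagged; dave's self-service reset is deliberately not, since the rule is aimed at the helpdesk pathway. In a real deployment the second rule should also fire on self-service resets from unfamiliar IPs or devices, and both should feed a case that pairs the identity events with the helpdesk ticket so an analyst can call the user back on a known number.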
Notable Attacks
Since emerging in 2022, Scattered Spider has been linked to a series of high-profile cyber-attacks across multiple sectors. In 2022 and early 2023, the group orchestrated phishing and credential theft campaigns against companies including Mailchimp, Twilio, and DoorDash. This was followed by a wave of increasingly disruptive activity targeting the hospitality sector.
In September 2023, Scattered Spider members were behind the breach of MGM Resorts, where threat actors impersonated an employee in a phone call to the IT helpdesk, enabling them to deploy BlackCat ransomware and encrypt over 100 VMware ESXi servers. Around the same time, Caesars Entertainment confirmed a breach involving the exfiltration of sensitive customer data, reportedly impacting more than 65 million loyalty programme members.
Scattered Spider also compromised Riot Games, stealing source code for League of Legends and Teamfight Tactics and issuing a $10 million extortion demand.
Beyond these high-profile cases, the group has maintained persistent access within several telecom and BPO environments, even reversing security mitigations to regain entry. Most recently, Scattered Spider has been linked to a cyber-attack on Marks & Spencer, indicating the group’s continued focus on large, well-established organisations across diverse industries.
How to Mitigate Your Organisation’s Risk
Based on the reported TTPs associated with Scattered Spider, Adarma recommends you take the following actions to mitigate your risk:
- Train IT helpdesk and support staff to recognise social engineering attempts and enforce strict procedures for verifying the identity of anyone requesting support.
- Enforce MFA wherever possible.
- Implement layered, defence-in-depth preventative controls backed by monitoring, detection and response. Examples include endpoint detection and response paired with SIEM monitoring and network segmentation.
- Implement a least privilege policy for Active Directory. All users should log on with a user account that has the minimum permissions necessary to complete their current task.
- Detect or block unauthorised remote access tools like TeamViewer or AnyDesk at the network level.
- Regularly audit networks for unmonitored or unauthorised Remote Desktop Protocol usage, and apply strict account lockout policies after a small number of failed login attempts.
- Maintain and regularly test offline backups of critical data.
- Apply patches promptly and ensure operating systems, firmware, and especially internet-facing devices and services are up to date.
- Prioritise ESXi server security by ensuring they are running the latest version of VMware ESXi software, and classify them as critical assets for access control, patching, and vulnerability management.
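The recommendation to detect or block unauthorised remote access tools is most useful when it is an allowlist rather than a blocklist: the organisation names the one or two remote support tools it sanctions, and anything else from the RMM or tunnelling family is an alert regardless of who ran it. The following is an added example, not code from the original post or from Adarma, that applies that logic to constructed process-creation and DNS events. The indicator table is an illustrative subset of the real tools named in this post, the approved-tool set and the event schema are assumptions for the example, and none of the hostnames or users are real.

```python
"""Allowlist-based detection of remote access and tunnelling tools over constructed
endpoint telemetry (process-creation and DNS events).

RMM_INDICATORS is an illustrative subset, APPROVED_TOOLS is an assumed organisational
policy, and SAMPLE_EVENTS are constructed for the example; none of this is a vendor format.
"""

# Executable names and domains per tool (illustrative; extend from your own telemetry).
RMM_INDICATORS = {
    "teamviewer":    {"exe": {"teamviewer.exe", "tv_w32.exe"},
                      "domains": {"teamviewer.com"}},
    "anydesk":       {"exe": {"anydesk.exe"},
                      "domains": {"anydesk.com"}},
    "screenconnect": {"exe": {"screenconnect.clientservice.exe",
                              "screenconnect.windowsclient.exe"},
                      "domains": {"screenconnect.com"}},
    "ngrok":         {"exe": {"ngrok.exe"},
                      "domains": {"ngrok.com", "ngrok.io", "ngrok-free.app"}},
}

# Assumption: ScreenConnect is the only remote support tool this organisation sanctions.
APPROVED_TOOLS = {"screenconnect"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-017", "user": "alice",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"type": "process", "host": "ws-017", "user": "alice",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "dns", "host": "ws-017", "user": "alice", "query": "boot.net.anydesk.com"},
    {"type": "process", "host": "srv-db-02", "user": "svc_backup",
     "image": r"C:\Temp\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"type": "dns", "host": "srv-db-02", "user": "svc_backup", "query": "tunnel.us.ngrok.com"},
    {"type": "process", "host": "ws-042", "user": "helpdesk-jsmith",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"type": "dns", "host": "ws-042", "user": "helpdesk-jsmith", "query": "relay.screenconnect.com"},
]


def match_tool(event):
    """Return the tool name an event points at, or None if it matches nothing."""
    if event["type"] == "process":
        # Compare only the file name, case-insensitively, whatever the install path.
        name = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        for tool, ind in RMM_INDICATORS.items():
            if name in ind["exe"]:
                return tool
    elif event["type"] == "dns":
        q = event["query"].lower().rstrip(".")
        for tool, ind in RMM_INDICATORS.items():
            # Suffix match so subdomains (boot.net.anydesk.com) hit the registered domain.
            if any(q == d or q.endswith("." + d) for d in ind["domains"]):
                return tool
    return None


def find_unauthorised_tools(events, approved=APPROVED_TOOLS):
    """Group evidence per (host, tool) for every tool not on the approved list."""
    findings = {}
    for e in events:
        tool = match_tool(e)
        if tool is None or tool in approved:
            continue
        key = (e["host"], tool)
        f = findings.setdefault(key, {"host": e["host"], "tool": tool,
                                      "users": set(), "evidence": []})
        f["users"].add(e["user"])
        f["evidence"].append(e.get("image") or e.get("query"))
    return sorted(findings.values(), key=lambda f: (f["host"], f["tool"]))


if __name__ == "__main__":
    for f in find_unauthorised_tools(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['tool']} by {sorted(f['users'])} -> {f['evidence']}")
```

On the sample, the sanctioned ScreenConnect session from the helpdesk workstation is ignored, while AnyDesk downloaded by a user and ngrok run by a service account on a database server (with a command line exposing RDP) both surface with the process path and the DNS lookup as evidence. The DNS side matters because attackers routinely rename binaries; the domain the tool phones home to is much harder to change. Pair this with egress filtering for the same domains so that detection and blocking share one indicator list.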
If you would like to learn more about Scattered Spider you can listen to our Cyber Insiders episode, The Helpdesk Hustle: How Scattered Spider Cons Its Way Inside, featuring Cian Heasley, Threat Lead at Adarma.