Suspected Scattered Spider Leader Snagged in Law Enforcement's Web

What could taking a Scattered Spider leader out of the game mean for the future of the group?

Carrie Pallardy, Contributing Reporter

June 20, 2024


Scattered Spider has made a name for itself in the ransomware space with high-profile attacks on companies including MGM Resorts, Caesars Entertainment, Twilio, LastPass, DoorDash, and Mailchimp. In June, Spanish police arrested a 22-year-old man suspected of being a leader of the group, Murcia Today reports.  

This arrest is one of many law enforcement actions taken against hacking and ransomware groups in recent months. What could this latest action mean for the future of Scattered Spider?

Scattered Spider Activity 

Scattered Spider, like many other threat actors, is a group known by many names: 0ktapus, UNC3944, Scatter Swine, and Muddled Libra among them. Scattered Spider was also affiliated with the BlackCat/ALPHV ransomware group, which left the scene in a suspected exit scam following its attack on Change Healthcare.  

Since then, some Scattered Spider activity has been linked with ransomware-as-a-service group RansomHub. “We saw actors that ... were using Scattered Spider tactics, using Scattered Spider tools, and that had previously attacked Scattered Spider victims, but now they were using RansomHub,” Jason Baker, senior threat intelligence consultant at GuidePoint Security, a cybersecurity consulting services company, tells InformationWeek. “We have at least one affiliate that … belonged to or at the bare minimum [had] been heavily inspired by Scattered Spider’s tactics that was now actively affiliated with the RansomHub group.”  


Scattered Spider uses multiple tactics to target its victims. The group initially garnered attention for its focus on identity and access management (IAM) systems, according to Baker. In addition to navigating and exploiting IAM systems, the group has successfully leveraged social engineering tactics. It has executed SIM swapping attacks and impersonated IT help desk staff to get access to credentials, according to the Cybersecurity and Infrastructure Security Agency (CISA).   

The group is associated with English-speaking threat actors. The individual recently arrested is from Scotland, according to Krebs on Security. “Because you’ve got actors with good English skills and American or Western accents, social engineering can be a lot more effective,” Baker points out.  

In addition to targeting help desk employees, Scattered Spider is looking outside of the corporate sphere. “What we’ve seen is Scattered Spider actually [taking] the attacks to the executives and to their families,” says Chris Pierson, PhD, founder and CEO of cybersecurity company BlackCloak. “[It] isn't just the adult, spouse, husband, wife, significant other. It's also the kids.”


The group has also skirted corporate controls, approaching its targets via their personal devices, email accounts, and phone numbers, according to Pierson.  

The Arrest 

The arrest of the suspected Scattered Spider leader was coordinated by Spanish police and the FBI, according to the Murcia Today report. The individual was attempting to board a flight to Italy when apprehended by law enforcement. 

“Across the globe, we are seeing better communication, better information sharing, and more coordination amongst law enforcement partners. And I think that's a result of cybercrime hitting everyone much harder,” says Pierson. 

This is not the first time that law enforcement has snagged a person associated with Scattered Spider. In January, a 19-year-old man was arrested in Florida for wire fraud and aggravated identity theft. He was a member of Scattered Spider, according to Krebs on Security.   

The Future of Scattered Spider 

Threat actor arrests have been made before, but the larger group often lives on to hack and extort another day. What kind of fallout could we expect for Scattered Spider? 

“We’re likely to see that Scattered Spider is a multi-headed hydra … chopping off one head will not stop it,” says Pierson.  


It is possible that the group will enter a quiet period following the arrest as members assess their own level of risk and exposure. “What is their exposure if the individual cooperates? What is their exposure if the individual has data that might uncover them or if there's been already equipment, data, computers, communications that may have been uncovered?” says Pierson.  

Scattered Spider may dismantle its infrastructure for a period, take time to regroup, and emerge under new branding. Or the individuals involved could disperse and affiliate with other groups.  

“In the cases we've seen with prolific and advanced and capable actors, downfall does not happen all at once,” says Baker. “What we instead see is a gradual erosion of capability followed by movement of internal actors and affiliates either out of the game … or to other organizations.” 

While arrests do not necessarily foreshadow the downfall of an entire group, they could tarnish the appeal of cybercrime. Ransomware and other types of cybercrime are attractive because of the significant financial incentives and the perception of no consequences.  

“When you have arrests like this, especially against Western targets that are … in areas that you can be indicted and extradited from, it decreases the psychological safety that affiliates may have,” says Baker.  

Arrests may give pause to some active affiliates or would-be threat actors, but the cybercriminal ecosystem, with or without Scattered Spider, is still thriving. Enterprise leaders need to consider how to move forward in this reality.  

“Every single CISO has a duty and obligation right now to say, ‘What can I learn from these events, from these hacks?’,” says Pierson.  

Considering Scattered Spider’s past successes, other groups are likely to leverage those same tactics. That could mean enterprise security leaders carefully consider how to educate and protect help desk employees, executives, and their family members from exploitation.  

Additionally, enterprise leaders can consider their possible role as law enforcement continues to combat cybercrime groups.  

“Private sector partners, defenders, and leadership in the security realm are excellent sources of information of point-in-time details of threat actors that can be used to enhance law enforcement operations,” says Baker.  

About the Author(s)

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
