COMMENTARY: Scattered Spider has certainly lived up to its name. Taking a “one sector at a time” approach while leveraging tools from Ransomware-as-a-Service (RaaS) provider DragonForce, the group targeted top brands in the telecom, finance, gaming, hospitality and retail industries before most recently creeping onto insurance companies and transportation industries. As a result, a long list of victims have found themselves caught in the cybercriminal group’s web:[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]The retail industry ranks in the Top 10 of verticals for breaches, and 85% of insurance companies have experienced a cyberattack within the past year. Adversaries find these and the other targeted sectors appealing because of their reliance on customer data, interconnected systems, and third-party partners-suppliers. Regardless of their respective industries, the corporate victims have faced potential fallout in the form of business/technology disruptions, sales losses, reputational damage and data compromises.So what can companies do to protect themselves and their customers? We recommend the following multi-layered plan for chief information security officers (CISOs) and their cyber threat intelligence (CTI) teams:-- Asset management: tags, classifies and prioritizes the assets within the organization that bring the most risks, while identifying who owns – and is accountable – for what.-- Exposure management: teams develop profiles of the estate/assets to distinguish the ones that are the most threat-relevant and exploitable.-- Defense management: aligns security controls and tools with the exposure profile to achieve ideal managed detection and response (MDR) and endpoint detection and response (EDR). As with the other two components, teams should ensure that continuous, automated processes support all required steps.It’s unclear where Scattered Spider will go next. And no sector should fool itself into thinking it’s immune. That’s why it’s essential to start with a comprehensive, threat-led strategy while staying on top of the most recent activity/patterns and practicing strong cyber hygiene. In doing so, Scattered Spider will find no opportunities to spin its web, and look elsewhere for new victims.Yuval Wollman, president, CyberProofSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- After initially focusing on telecommunications firms in 2022, Scattered Spider – also known as UNC3994 – went after two of the biggest names in the gaming sector: In September 2023, MGM Resorts International shut down several systems after a Scattered Spider hack. At about the same time, Caesars Entertainment was linked to an attack by the ransomware group. Ceasars reportedly paid off a $15 million ransom, while MGM opted to collaborate with law enforcement.
- During a wave of cyber attacks on UK retailers in the spring this year, fashion, beauty and home products company Marks & Spencer encountered disruptions in contactless payments and “click and collect” services, which let customers purchase items online for in-store pickups. After discovering that hackers compromised customer data – including contact details, dates of birth and online order histories – the company suspended all online orders as of April 25. Additional large-scale retailers such as Co-op and Harrods experienced cyber threats during this time period. Co-op took down parts of its IT systems in response, while Harrods restricted internet access throughout its stores. The National Crime Agency has indicated that Scattered Spider remains a key focus of investigations into the retail incidents.
- In June, the Google Threat Intelligence Group (GTIG) reported that “multiple” intrusions of insurers appear to be linked to the Scattered Spider operation. The disclosure followed attacks on Erie Insurance and, shortly after, Aflac announced it had contained an attack in which claims information, customer health histories, Social Security numbers and other data could have been exposed. This past Friday, GTIG said it was now aware of multiple incidents in the airline and transportation sector which resemble the operation of UNC3944, advising the that the industry take steps to immediately harden systems.
- Implement a threat-led strategy: A threat-led strategy should serve as the foundation for any monitoring/tracking and response plan; it includes these components:
- Gather trusted research and intelligence: Teams should monitor adversarial activity via readily available open source intelligence (OSINT) and the dark web, to track cyber criminals’ chatter in forums and review research about the latest indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs). Sharing threat intelligence within the greater industry community remains critical for advancing collective defense capabilities while staying ahead of evolving attacks.
- Practice time-proven cyber hygiene: This would include multi-factor authentication (MFA), routine audits of inventory/logs, network segmentation, scheduled backups/recovery processes, regular patch management, EDR updates, and the disabling of unused ports to limit potential exposures.
