
Scattered Spider: Hacker Collective Ensnaring Industry-Specific Targets

Tiago Henriques, June 17, 2025

A sophisticated threat actor group is systematically crawling from one industry to the next, wreaking havoc along the way.

Scattered Spider, a hacker collective named for its multifaceted and highly coordinated attack tactics, made headlines earlier this year with major attacks on retailers, including Marks & Spencer and Co-op supermarkets. Now the group has pivoted its attention toward the insurance industry.

On June 16, Google Threat Intelligence Group confirmed “multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.” These attacks are likely linked to disruptions at Philadelphia Insurance Companies (PHLY) and Erie Insurance.

Scattered Spider is known to target large organizations and their IT help desks, employing a variety of tactics including social engineering, credential theft, double extortion, and supply chain extortion. Regardless of industry, businesses that rely on help desks, third-party vendors, or remote access systems are warned to be on high alert, as they may face many of the same vulnerabilities that Scattered Spider exploits.

Threat actor playbook: How Scattered Spider breaches businesses

Scattered Spider's sophisticated approach combines advanced social engineering with ransomware-as-a-service tools. Their success against well-resourced companies reinforces the fact that no business is too big or too small to fall victim.

Social engineering

Social engineering is at the heart of Scattered Spider’s operation. The group manipulates a business’s employees into granting access, rather than forcing their way in through technical exploits alone.

They often impersonate IT support staff over phone calls, emails, or text messages, sometimes even spoofing legitimate internal numbers and domains. Their goal is to convince employees to:

  • Divulge passwords or account details

  • Reset multi-factor authentication (MFA) protections

  • Approve fraudulent MFA prompts through “push bombing,” a tactic in which attackers flood a user’s device with access requests, hoping they’ll approve one out of frustration or confusion

This human-first approach gives Scattered Spider a foothold in even the most security-conscious organizations.


Credential theft & network infiltration

Once they’ve gained initial access, Scattered Spider prioritizes stealing credentials from privileged accounts, especially targeting IT administrators, vendor support teams, and accounts with remote access capabilities. With legitimate credentials in hand, they:

  • Move laterally through the network, blending in as a trusted user

  • Escalate privileges by identifying and compromising higher-level accounts

  • Disable security tools and audit logs to cover their tracks

This insider-like behavior makes detection difficult and allows them to position themselves for maximum disruption and data theft.

Double extortion

Scattered Spider isn’t content with encrypting systems alone. They employ a double extortion strategy:

  • Deploying ransomware (typically observed using Dragonforce ransomware) to encrypt key systems and bring business operations to a standstill

  • Exfiltrating sensitive data (customer information, financial records, or proprietary files, including calls they make to victims) and threatening to leak it publicly or sell it on underground forums if the ransom isn’t paid

This dual threat increases the pressure on businesses to pay quickly, as the damage extends beyond downtime to reputational and regulatory consequences.

Supply chain exploitation

Another signature tactic in Scattered Spider’s playbook is targeting third-party vendors, service providers, and shared IT platforms. By breaching a contractor or software supplier, they can gain indirect access to multiple organizations at once.

This tactic proved devastating during the Marks & Spencer breach, where attackers compromised a third-party contractor. The resulting fallout disrupted online ordering and exposed customer data, underscoring the widespread risks posed by interconnected business ecosystems.


What actions can businesses take right now?

Without knowing which industry Scattered Spider will target next, Coalition strongly urges all businesses to remain vigilant in their preparedness and deploy the following cybersecurity best practices:

1. Strengthen MFA protections

Scattered Spider heavily relies on stealing or bypassing MFA through social engineering and push fatigue attacks. What to do:

  • Replace basic push notifications with number-matching MFA or physical security keys that require the user to physically confirm the request

  • Disable legacy authentication protocols that don’t support modern MFA

  • Educate employees and contractors to never approve unexpected MFA prompts and to immediately report them to IT

  • Set up real-time alerts for repeated MFA request denials or approvals from new locations, devices, or IP addresses
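The alerting described in the last bullet, as an added example that is not part of the original post: a sliding-window check over constructed MFA push events that flags a push-bombing burst of denials, an approval from an IP the user has never logged in from, and the highest-signal case of an approval that directly follows such a burst. The event format, the per-user known-IP baseline and the threshold are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real telemetry):
# (user, ISO timestamp, push result, source IP of the login attempt)
SAMPLE_EVENTS = [
    ("alice", "2025-06-16T02:10:00", "denied",   "203.0.113.7"),
    ("alice", "2025-06-16T02:10:20", "denied",   "203.0.113.7"),
    ("alice", "2025-06-16T02:10:45", "denied",   "203.0.113.7"),
    ("alice", "2025-06-16T02:11:30", "approved", "203.0.113.7"),
    ("bob",   "2025-06-16T09:00:00", "approved", "198.51.100.5"),
]

# Constructed baseline: IPs seen on each user's prior successful logins
KNOWN_IPS = {"alice": {"198.51.100.20"}, "bob": {"198.51.100.5"}}

DENIAL_THRESHOLD = 3          # assumed tuning value
WINDOW = timedelta(minutes=5)  # assumed sliding window

def detect_mfa_abuse(events, known_ips, threshold=DENIAL_THRESHOLD, window=WINDOW):
    """Return (user, rule, timestamp) alerts for three patterns:
    'push_fatigue'          - `threshold` denials within `window` (push bombing)
    'new_source_ok'         - an approval from an IP absent from the user's baseline
    'approval_after_fatigue'- an approval while a denial burst is still in the window
    """
    recent_denials = defaultdict(deque)
    alerts = []
    # Process in time order regardless of how the events were collected
    for user, ts, result, ip in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        dq = recent_denials[user]
        # Evict denials that have fallen outside the sliding window
        while dq and t - dq[0] > window:
            dq.popleft()
        if result == "denied":
            dq.append(t)
            if len(dq) == threshold:  # fire once when the burst crosses the threshold
                alerts.append((user, "push_fatigue", ts))
        elif result == "approved":
            if ip not in known_ips.get(user, set()):
                alerts.append((user, "new_source_ok", ts))
            if len(dq) >= threshold:
                alerts.append((user, "approval_after_fatigue", ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_abuse(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

In a real deployment the approval-after-fatigue alert is the one to route for immediate containment, since it is the outcome push bombing is designed to produce.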

2. Secure help desks and call centers

Help desks are a prime target for impersonation attacks, where fraudsters pose as staff to request password resets or system access. What to do:

  • Implement multi-step identity verification for any account changes or access requests

  • Require callers to confirm details like employee ID numbers, recent activity, or security questions before taking action

  • Create strict protocols for handling requests involving privileged accounts or remote access tools

  • Limit the number of staff authorized to reset passwords or disable MFA

3. Review and monitor third-party access

Many breaches, including Scattered Spider’s past attacks, originate from weakly secured third-party partners. What to do:

  • Conduct a full audit of third-party accounts and permissions

  • Remove unnecessary access and enforce least-privilege access principles

  • Mandate MFA and secure credential management for all vendor accounts with access to your network

  • Require all vendors to provide documentation of their incident response, access controls, and patch management processes as part of your contract or onboarding

  • Implement continuous monitoring of third-party access logs for unusual or after-hours activity

4. Invest in 24/7 threat detection and incident response

Nights, weekends, and holidays are prime time for cyber attackers (and not just Scattered Spider), offering the quiet hours they need to sneak in, explore, and disrupt before anyone detects them. What to do:

  • Deploy a managed detection and response (MDR) service capable of monitoring for credential misuse, lateral movement, and privilege escalation attempts in real time

  • Ensure the MDR team has authority to contain threats immediately, including disabling compromised accounts or isolating affected systems

  • Run quarterly tabletop exercises and technical tests of your incident response plan, including scenarios involving double extortion, third-party breaches, and social engineering attacks

For additional guidance on authentication controls, MFA registration and modification, and access controls, please see security recommendations from Mandiant Incident Response.

Be prepared and stay proactive

Scattered Spider is an active and dangerous threat, already causing major disruptions globally. The group’s playbook is replicable, and other threat actor groups are undoubtedly paying close attention.

Large retailers and insurance firms may have been the first targets, but Coalition has reason to believe the tactics Scattered Spider uses will resurface in future campaigns. Even if your business operates in an industry that hasn’t yet been impacted, now is the time to strengthen your defenses, test your incident response capabilities, and educate your teams about this threat.

For more information on employee education and security awareness training, third-party risk monitoring, MDR services, and more, log in to Coalition Control®.
