Scattered Spider: Hacker Collective Ensnaring Industry-Specific Targets

A sophisticated threat actor group is systematically crawling from one industry to the next, wreaking havoc along the way.
Scattered Spider, a hacker collective named for its multifaceted and highly coordinated attack tactics, made headlines earlier this year with major attacks on retailers, including Marks & Spencer and Co-op supermarkets. Now, the group has pivoted its attention toward the insurance industry.
On June 16, Google Threat Intelligence Group confirmed “multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.” These attacks are likely linked to disruptions at Philadelphia Insurance Companies (PHLY) and Erie Insurance.
Scattered Spider is known to target large organizations and their IT help desks, employing a variety of tactics including social engineering, credential theft, double extortion, and supply chain extortion. Regardless of industry, businesses that rely on help desks, third-party vendors, or remote access systems are warned to be on high alert, as they may face many of the same vulnerabilities that Scattered Spider exploits.
Threat actor playbook: How Scattered Spider breaches businesses
Scattered Spider's sophisticated approach combines advanced social engineering with ransomware-as-a-service tools. Their success against well-resourced companies reinforces the fact that no business is too big, nor too small, to fall victim.
Social engineering
Social engineering is at the heart of Scattered Spider’s operation. The group manipulates businesses’ employees into granting access, rather than forcing its way in through technical exploits alone.
They often impersonate IT support staff over phone calls, emails, or text messages, sometimes even spoofing legitimate internal numbers and domains. Their goal is to convince employees to:
Divulge passwords or account details
Reset multi-factor authentication (MFA) protections
Approve fraudulent MFA prompts through “push bombing,” a tactic in which attackers flood a user’s device with access requests, hoping they’ll approve one out of frustration or confusion
This human-first approach gives Scattered Spider a foothold in even the most security-conscious organizations.
Credential theft & network infiltration
Once they’ve gained initial access, Scattered Spider prioritizes stealing credentials from privileged accounts, especially targeting IT administrators, vendor support teams, and accounts with remote access capabilities. With legitimate credentials in hand, they:
Move laterally through the network, blending in as a trusted user
Escalate privileges by identifying and compromising higher-level accounts
Disable security tools and audit logs to cover their tracks
This insider-like behavior makes detection difficult and allows them to position themselves for maximum disruption and data theft.
Double extortion
Scattered Spider isn’t content with encrypting systems alone. They employ a double extortion strategy:
Deploying ransomware (typically observed using Dragonforce ransomware) to encrypt key systems and bring business operations to a standstill
Exfiltrating sensitive data (customer information, financial records, or proprietary files, including calls they make to victims) and threatening to leak it publicly or sell it on underground forums if the ransom isn’t paid
This dual threat increases the pressure on businesses to pay quickly, as the damage extends beyond downtime to reputational and regulatory consequences.
Supply chain exploitation
Another signature tactic in Scattered Spider’s playbook is targeting third-party vendors, service providers, and shared IT platforms. By breaching a contractor or software supplier, they can gain indirect access to multiple organizations at once.
This tactic proved devastating during the Marks & Spencer breach, where attackers compromised a third-party contractor. The resulting fallout disrupted online ordering and exposed customer data, underscoring the widespread risks posed by interconnected business ecosystems.
What actions can businesses take right now?
Without knowing which industry Scattered Spider will target next, Coalition strongly urges all businesses to remain vigilant in their preparedness and deploy the following cybersecurity best practices:
1. Strengthen MFA protections
Scattered Spider heavily relies on stealing or bypassing MFA through social engineering and push fatigue attacks. What to do:
Replace basic push notifications with number-matching MFA or physical security keys that require the user to physically confirm the request
Disable legacy authentication protocols that don’t support modern MFA
Educate employees and contractors to never approve unexpected MFA prompts and to immediately report them to IT
Set up real-time alerts for repeated MFA request denials or approvals from new locations, devices, or IP addresses
2. Secure help desks and call centers
Help desks are a prime target for impersonation attacks, where fraudsters pose as staff to request password resets or system access. What to do:
Implement multi-step identity verification for any account changes or access requests
Require callers to confirm details like employee ID numbers, recent activity, or security questions before taking action
Create strict protocols for handling requests involving privileged accounts or remote access tools
Limit the number of staff authorized to reset passwords or disable MFA
3. Review and monitor third-party access
Many breaches, including Scattered Spider’s past attacks, originate from weakly secured third-party partners. What to do:
Conduct a full audit of third-party accounts and permissions
Remove unnecessary access and enforce least-privilege access principles
Mandate MFA and secure credential management for all vendor accounts with access to your network
Require all vendors to provide documentation of their incident response, access controls, and patch management processes as part of your contract or onboarding
Implement continuous monitoring of third-party access logs for unusual or after-hours activity
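As an added example (not Coalition's code or any vendor product), the alerting called for in step 1 (repeated MFA denials, approvals from new devices or IP addresses) and in step 3 (after-hours third-party activity) can be prototyped as detection rules over authentication logs. The event layout, the three-prompts-in-ten-minutes threshold, the 08:00 to 18:00 vendor window and the account names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): timestamp, account, event, result, source IP, device
EVENTS = [
    ("2025-06-16T08:55:02", "jdoe", "mfa_push", "approved", "198.51.100.7", "laptop-jdoe"),
    ("2025-06-16T21:14:05", "jdoe", "mfa_push", "denied", "203.0.113.40", "unknown"),
    ("2025-06-16T21:14:40", "jdoe", "mfa_push", "denied", "203.0.113.40", "unknown"),
    ("2025-06-16T21:15:12", "jdoe", "mfa_push", "expired", "203.0.113.40", "unknown"),
    ("2025-06-16T21:16:03", "jdoe", "mfa_push", "approved", "203.0.113.40", "unknown"),
    ("2025-06-16T10:02:00", "svc-vendor1", "login", "success", "198.51.100.9", "vendor-jump"),
    ("2025-06-17T02:31:44", "svc-vendor1", "login", "success", "203.0.113.40", "vendor-jump"),
]
# Baseline of (account, ip) and (account, device) pairs seen in prior clean activity (constructed)
BASELINE = {("jdoe", "198.51.100.7"), ("jdoe", "laptop-jdoe"),
            ("svc-vendor1", "198.51.100.9"), ("svc-vendor1", "vendor-jump")}
VENDOR_ACCOUNTS = {"svc-vendor1"}  # hypothetical third-party service accounts

def parse(events):
    return [(datetime.fromisoformat(ts), *rest) for ts, *rest in events]

def push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Accounts with >= threshold denied/expired MFA pushes inside a sliding window (push-fatigue signal)."""
    recent, hits = defaultdict(deque), {}
    for ts, acct, ev, res, *_ in sorted(parse(events)):
        if ev != "mfa_push" or res == "approved":
            continue
        q = recent[acct]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[acct] = max(hits.get(acct, 0), len(q))
    return hits

def approvals_from_new_source(events, baseline):
    """MFA approvals where the source IP or device was never seen for that account."""
    return [(acct, ip, dev) for _, acct, ev, res, ip, dev in parse(events)
            if ev == "mfa_push" and res == "approved"
            and ((acct, ip) not in baseline or (acct, dev) not in baseline)]

def after_hours_vendor_logins(events, vendors, start_hour=8, end_hour=18):
    """Successful third-party account logins outside the agreed business window."""
    return [(acct, ts.isoformat()) for ts, acct, ev, res, *_ in parse(events)
            if acct in vendors and ev == "login" and res == "success"
            and not (start_hour <= ts.hour < end_hour)]
```

On the sample data the three rules flag the same account twice (a burst of unanswered pushes followed by an approval from an unseen IP and device), which is exactly the sequence a help-desk or MDR analyst should treat as a likely push-bombing success rather than user error.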
4. Invest in 24/7 threat detection and incident response
Nights, weekends, and holidays are prime time for cyber attackers (and not just Scattered Spider), offering the quiet hours they need to sneak in, explore, and disrupt before anyone detects them. What to do:
Deploy a managed detection and response (MDR) service capable of monitoring for credential misuse, lateral movement, and privilege escalation attempts in real-time
Ensure the MDR team has authority to contain threats immediately, including disabling compromised accounts or isolating affected systems
Run quarterly tabletop exercises and technical tests of your incident response plan, including scenarios involving double extortion, third-party breaches, and social engineering attacks
For additional guidance on authentication controls, MFA registration and modification, and access controls, please see security recommendations from Mandiant Incident Response.
Be prepared and stay proactive
Scattered Spider is an active and dangerous threat, already causing major disruptions globally. The group’s playbook is replicable, and other threat actor groups are undoubtedly paying close attention.
Large retailers and insurance firms may have been the first targets, but Coalition has reason to believe the tactics Scattered Spider uses will resurface in future campaigns. Even if your business operates in an industry that hasn’t yet been impacted, now is the time to strengthen your defenses, test your incident response capabilities, and educate your teams about this threat.
For more information on employee education and security awareness training, third-party risk monitoring, MDR services, and more, log in to Coalition Control®.