CyberWire Daily: Creeping Like a Spider [Research Saturday] – July 19, 2025
Hosted by N2K Networks
Introduction
In the latest episode of CyberWire Daily, host Dave Bittner delves into the evolving landscape of cyber threats with a focus on a notorious cybercrime group known as Scattered Spider. Joining him is George Glass, Associate Managing Director of Kroll's Cyber Risk Business, who provides in-depth analysis and insights into the group's activities, methodologies, and impact on various industries.
Understanding Scattered Spider
George Glass begins by outlining the history and evolution of Scattered Spider, internally referred to as KTA243.
"We've been tracking Scattered Spider for a number of years now. We refer to them internally as KTA243. We track it more as an associated group of individuals that tend to use social engineering."
[02:23]
Scattered Spider has been active since at least 2023, initially making headlines with attacks on the UK retail sector. Over time, their focus has expanded to include the insurance and aviation industries, indicating a strategic shift in their targeting approach.
Modus Operandi and Objectives
When questioned about their general goals, George Glass emphasizes that Scattered Spider primarily aims for financial gain, though there's also an element of seeking recognition within the cybercrime community.
"Yeah, I would say on the whole it's for financial gain. I think there is also a certain amount of kudos within the community..."
[04:25]
Their tactics rely on sophisticated social engineering, in particular calling help desk personnel to have passwords reset and multi-factor authentication (MFA) methods changed. This gives them access to user accounts without having to deploy malware at the outset.
"The modus operandi hasn't really changed too much from the attacks that we saw on the UK retail sector. So that is essentially socially engineering a help desk person to reset a password, change an MFA method..."
[05:56]
Targeting the Insurance Industry
Focusing on the insurance sector, George Glass details how Scattered Spider adapts their strategies to infiltrate organizations. Their approach involves multiple stages of social engineering calls to extract necessary information from help desk employees, eventually leading to business email compromise (BEC).
"From there, once they've exfiltrated as much data as they can, they may move to deploying ransomware... leveraging the access that they've already managed to get and blend in with the environment..."
[07:17]
Once inside, they excel at data exfiltration, rapidly accessing and downloading sensitive information from platforms like SharePoint and S3 buckets. The deployment of ransomware typically occurs as a final step after significant data has been compromised.
Tools and Techniques
Unlike more sophisticated threat groups, Scattered Spider relies on commodity malware and living-off-the-land techniques. They use readily available tools such as PowerShell, AnyDesk, ConnectWise, and ScreenConnect. Because these are legitimate administrative tools, their activity blends in with normal IT operations and is harder to detect.
"They're using commodity malware when they do need to use malware... mostly they're living off the land using things like PowerShell if they do need to touch an endpoint..."
[12:57]
Their proficiency in SaaS and cloud environments lets them pivot quickly between systems once they hold valid credentials, making them a persistent and adaptable threat.
Comparison to Other Threat Groups
When comparing Scattered Spider to other cyber threat actors, George Glass notes that while they may not develop their own sophisticated malware, their proficiency in exploiting cloud infrastructures and their rapid response tactics make them highly effective.
"I think because the group is so widespread, it's hard to give them a sort of a sophistication score... they've shown huge amounts of proficiency in targeting SaaS environments and cloud environments especially."
[08:12]
This combination of speed and adaptability positions Scattered Spider as a formidable player in the cybercrime arena, capable of executing complex attacks with relative ease.
Organizational Structure and Community
Describing the group's structure, George Glass likens Scattered Spider to a cartel, consisting of multiple loosely affiliated subgroups that share tactics, techniques, and procedures (TTPs).
"They're using Dragon Force. That's following a cartel model where it's a group of groups... the community in Scattered Spider is more closely knit than that, but certainly not as tight as other threat groups..."
[11:25]
This decentralized structure makes it challenging for law enforcement to dismantle the group entirely, as there are no clear leaders or central figures driving their operations.
Defensive Recommendations
To combat threats from Scattered Spider, George Glass offers several key recommendations:
- Enhance Help Desk Security: Implement strict identity-verification policies for password and MFA resets, and monitor help desk interactions to confirm those policies are followed.
"First of all that's going to be talking to your help desk staff... monitoring that policy is kept to and adhered to is very, very important..."
[14:23]
- Employee Training: Regularly train employees to recognize signs of phishing and social engineering, and make it easy for them to report suspicious activity.
- Detection Mechanisms: Invest in systems that can identify anomalies such as token theft or suspicious login activity, enabling rapid response to potential breaches.
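The help desk and detection recommendations above translate directly into a correlation rule: a help-desk-initiated password reset, followed by a new MFA method being registered, followed by a sign-in from an unrecognized device, all within a short window, is exactly the sequence the episode describes. The script below is an added example written for this summary, not code from the episode, Kroll, or N2K. The event names, the audit-log row format, the 60-minute window, and the sample events are all constructed assumptions; map them onto whatever your identity provider and ticketing system actually emit.

```python
"""Added example: correlating identity audit events into two defender-side alerts.

Event names, row format and sample data are constructed for illustration; they are
not a real IdP or ITSM schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit rows: (ISO-8601 timestamp, user, event name, "k=v ..." details)
SAMPLE_EVENTS = [
    ("2025-07-01T09:02:10Z", "jdoe", "helpdesk_password_reset", "ticket=HD-1001"),
    ("2025-07-01T09:05:41Z", "jdoe", "mfa_method_added", "method=authenticator"),
    ("2025-07-01T09:07:03Z", "jdoe", "sign_in", "ip=203.0.113.77 device=new session=s-42"),
    ("2025-07-01T09:30:00Z", "jdoe", "api_call", "ip=203.0.113.77 session=s-42"),
    # Reset followed by a known-device sign-in hours later: benign, should not alert.
    ("2025-07-01T10:15:00Z", "asmith", "helpdesk_password_reset", "ticket=HD-1002"),
    ("2025-07-01T13:40:00Z", "asmith", "sign_in", "ip=198.51.100.5 device=known"),
    # Same session token later presented from a different source IP.
    ("2025-07-01T11:00:00Z", "kwong", "mfa_method_added", "method=sms"),
    ("2025-07-01T11:00:30Z", "kwong", "sign_in", "ip=192.0.2.9 device=known session=s-77"),
    ("2025-07-01T11:12:00Z", "kwong", "api_call", "ip=198.51.100.200 session=s-77"),
]

# The ordered stages of the help-desk social engineering pattern (assumed event names).
SEQUENCE = ("helpdesk_password_reset", "mfa_method_added", "sign_in")
WINDOW = timedelta(minutes=60)  # assumed correlation window


def parse_event(row):
    """Turn one constructed audit row into a dict with a timezone-aware timestamp."""
    ts, user, event, detail = row
    attrs = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, **attrs}


def find_reset_chains(rows, window=WINDOW):
    """Alert when a user's events contain reset -> MFA method added -> new-device
    sign-in, in that order, all within `window` of the reset."""
    by_user = defaultdict(list)
    for row in rows:
        ev = parse_event(row)
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            if start["event"] != SEQUENCE[0]:
                continue
            stage = 1  # next stage we are waiting for
            for ev in events[i + 1:]:
                if ev["ts"] - start["ts"] > window:
                    break  # chain did not complete inside the window
                wanted = SEQUENCE[stage]
                # The final sign-in only counts if the device is unrecognised.
                if ev["event"] == wanted and (wanted != "sign_in" or ev.get("device") == "new"):
                    stage += 1
                    if stage == len(SEQUENCE):
                        alerts.append({"user": user,
                                       "start": start["ts"].isoformat(),
                                       "ticket": start.get("ticket"),
                                       "sign_in_ip": ev.get("ip")})
                        break
    return alerts


def find_token_reuse(rows):
    """Crude token-theft indicator: one session identifier presented from more
    than one source IP. Tune with ASN/geo data before using in production."""
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for row in rows:
        ev = parse_event(row)
        sid = ev.get("session")
        if sid and ev.get("ip"):
            ips_by_session[sid].add(ev["ip"])
            user_by_session[sid] = ev["user"]
    return [{"session": sid, "user": user_by_session[sid], "ips": sorted(ips)}
            for sid, ips in ips_by_session.items() if len(ips) > 1]


if __name__ == "__main__":
    for alert in find_reset_chains(SAMPLE_EVENTS):
        print("help-desk reset chain:", alert)
    for alert in find_token_reuse(SAMPLE_EVENTS):
        print("session token seen from multiple IPs:", alert)
```

On the constructed data only jdoe trips the reset chain (reset, MFA method added and a new-device sign-in inside five minutes), while asmith's reset is followed only by a known-device sign-in hours later; kwong's session s-77 is the one flagged for reuse from two addresses. The point of keeping the ticket number in the alert is that it gives the responder the help desk interaction to review, which is where the episode says the verification policy most often breaks down.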
Law Enforcement and Future Operations
Addressing the impact of law enforcement actions, George Glass expresses cautious optimism. While arrests have been made, the group's diffuse and decentralized nature means that they can continue to operate despite setbacks.
"Any law enforcement action against this group is welcome, and I hope that more of them can be brought to justice... it's a case of being able to identify when one of these individuals makes an operational security mistake..."
[15:55]
The absence of identifiable leaders within Scattered Spider complicates efforts to fully eradicate the group, suggesting that they may continue to evolve and adapt in response to external pressures.
Conclusion
In this episode of CyberWire Daily, George Glass provides a comprehensive analysis of Scattered Spider, highlighting their methodologies, targets, and the challenges they pose to cybersecurity defenses. The discussion underscores the importance of robust training, stringent security policies, and advanced detection systems in mitigating the risks posed by such adaptable and persistent threat actors.
For more detailed research and insights, listeners are encouraged to follow the provided links in the show notes.
This summary captures the key points and discussions from the "Creeping Like a Spider [Research Saturday]" episode of CyberWire Daily, providing a comprehensive overview for those who have not listened to the full episode.