This makes Scattered Spider a highly dangerous cyber threat to North American critical infrastructure. The group is also known by its other aliases: 0ktapus, Muddled Libra, Octo Tempest, and UNC3944. It has become infamous for planning complex ransomware attacks against industries such as retail, airlines, and transportation. Social engineering is its primary mode of attack: manipulating people lets the group gain initial entry into victims’ environments rather than exploiting software vulnerabilities.
In a recent alert, Google’s Mandiant team emphasized the devastating speed and accuracy of Scattered Spider’s attacks. The perpetrators use a “living-off-the-land” (LotL) tactic, turning trusted administrative tools toward their own goals. They exploit their control of Active Directory to access VMware vSphere, an environment that is the lifeblood of many organizations’ IT infrastructures.
Phased Attack Strategy
Scattered Spider’s attack chain is broken down into five clear phases, which lets the group conduct its operations with remarkable efficiency. The opening phase uses sophisticated social engineering to penetrate the infrastructure of the targeted institution. The attackers then turn administrative tools and settings to their advantage to establish a persistent presence in the victim’s network.
A notable part of their approach is the use of naming patterns that look entirely expected for their malicious domains, for instance victimname-sso.com and victimname-servicedesk.com. Such domains not only make initial access easier, they also make the activity harder for security systems to detect.
The attack often concludes with the siphoning of terabytes of data. In one high-profile example, Scattered Spider was able to exfiltrate over 100 GB of data in just two days. The group’s capability to rapidly weaponize new exploits against critical infrastructure presents a serious threat, especially now that they are actively targeting VMware ESXi hypervisors.
“Ransomware aimed at vSphere infrastructure, including both ESXi hosts and vCenter Server, poses a uniquely severe risk due to its capacity for immediate and widespread infrastructure paralysis,” – Google
Technical Exploitation of VMware Systems
Scattered Spider’s exploitation of VMware systems is marked by a handful of advanced techniques. They disable vSphere lockdown mode in order to increase accessibility. They apply settings such as execInstalledOnly and use vSphere VM encryption to further safeguard their operations. One particularly concerning technique involves shutting down a Domain Controller (DC) virtual machine and removing its virtual disk. They then mount that virtual disk on an unmonitored VM under their control, which allows them to copy sensitive files such as NTDS.dit.
These kinds of maneuvers make it clear that organizations can no longer afford a reactive approach to cybersecurity. Google’s Mandiant team emphasizes that traditional defenses must pivot with the times. As they argue, threats from adversaries like Scattered Spider demand a more proactive posture.
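The DC disk-swap technique described above is hard to spot host by host, but it leaves a recognisable sequence in virtualization audit data. The following detection sketch is an added example, not code from Google or Mandiant; it runs over constructed, simplified event lines (not real vCenter output) and assumes a known inventory of Domain Controller VM names.

```python
"""Flag a Domain Controller's virtual disk being detached and re-attached to another VM."""
import re
from datetime import datetime, timedelta

# Assumption: the defender maintains an inventory of DC VM names.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
WINDOW = timedelta(hours=1)  # detach -> attach must happen within this window

# Constructed sample events in a simplified "ts event vm=.. [disk=..] user=.." format.
# Lines 1-3: the suspicious pattern. Lines 4-6: benign activity that must not alert.
SAMPLE_EVENTS = [
    "2025-07-01T02:10:05Z power_off vm=DC01 user=svc-backup",
    "2025-07-01T02:11:40Z disk_detach vm=DC01 disk=ds1/DC01/DC01.vmdk user=svc-backup",
    "2025-07-01T02:13:02Z disk_attach vm=TEMP-VM7 disk=ds1/DC01/DC01.vmdk user=svc-backup",
    "2025-07-01T03:00:00Z power_off vm=WEB02 user=admin",
    "2025-07-01T04:00:00Z disk_detach vm=DC02 disk=ds1/DC02/DC02.vmdk user=admin",
    "2025-07-01T04:05:00Z disk_attach vm=DC02 disk=ds1/DC02/DC02.vmdk user=admin",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) vm=(?P<vm>\S+)(?: disk=(?P<disk>\S+))? user=(?P<user>\S+)$"
)


def parse(line):
    """Parse one event line into a dict, or return None for malformed input."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def find_dc_disk_swaps(lines, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Return one alert per DC disk that is detached and then attached to a non-DC VM."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    powered_off = {}  # DC name -> time it was powered off
    detached = {}     # disk path -> (DC name, time of detach)
    alerts = []
    for e in events:
        if e["event"] == "power_off" and e["vm"] in dcs:
            powered_off[e["vm"]] = e["ts"]
        elif e["event"] == "disk_detach" and e["vm"] in dcs:
            detached[e["disk"]] = (e["vm"], e["ts"])
        elif e["event"] == "disk_attach" and e["disk"] in detached:
            dc, t_detach = detached[e["disk"]]
            # Re-attaching to the DC itself (e.g. a restore) is not the pattern.
            if e["vm"] not in dcs and e["ts"] - t_detach <= window:
                alerts.append({"dc": dc, "disk": e["disk"], "attached_to": e["vm"],
                               "user": e["user"],
                               "dc_powered_off_first": powered_off.get(dc, e["ts"]) <= t_detach})
    return alerts
```

Against the constructed sample this yields a single alert for DC01's disk landing on TEMP-VM7; the DC02 detach/re-attach is ignored because the disk returns to a DC.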
“The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization’s most critical systems and data,” – Google’s Mandiant team
Recommendations for Organizations
Organizations are encouraged to return to the drawing board and reevaluate their security architectures with these changes in mind. Google warns that failure to proactively address interconnected risks may leave organizations vulnerable to targeted attacks that could cripple entire virtualized infrastructures. With VMware vSphere 7 reaching its end-of-life in October 2025, it becomes critical for enterprises to prioritize and apply the required mitigations.
Specifically, organizations need to improve their defenses against the social engineering tactics used by Scattered Spider. This means scrutinizing multi-factor authentication (MFA) protections and isolating the infrastructure that underpins identity from exploitation.
“Failure to proactively address these interconnected risks by implementing these recommended mitigations will leave organizations exposed to targeted attacks that can swiftly cripple their entire virtualized infrastructure, leading to operational disruption and financial loss,” – Google