
Post Topic: Threat Intelligence

Health-ISAC Health Sector Heartbeat – Q3 2025

Health-ISAC Heartbeat provides observations of ransomware, cybercrime trends, and malicious actor forum postings that could potentially impact health sector organizations. This product is for situational awareness.

Topics:

  • Ransomware Attacks in the Health Sector
  • Global Events Analysis
  • Targeted Alert Trends
  • Underground Forums Activity
  • Threat Actor Profiles and Mitigations
  • Additional Recommendations

 

 

Cross-Sector Mitigations: Scattered Spider

Guidance for Proactive Defense

Produced by Financial Services ISAC, Information Technology ISAC, Food and Agriculture ISAC, Health ISAC, Aviation ISAC, Automotive ISAC, Retail and Hospitality ISAC, the Maritime Transportation System ISAC, Electricity ISAC, and the National Council of ISACs, with contributions from Communications ISAC private sector partners

SectorThreatActorAnalysis ScatteredSpider
Size : 623.6 kB Format : PDF

Text version:

Scattered Spider Threat Analysis

Introduction

Members of the National Council of ISACs (NCI) assess with high confidence that the threat actor group Scattered Spider presents a real threat, and that its ability to exploit human vulnerabilities through social engineering makes the group a significant risk to organizations.

This analysis details Scattered Spider’s activity based on its observed tradecraft across sectors as of May 2025, providing:

🔹 Background on Scattered Spider so that firms can better scope their threat surface

🔹 Technical procedures and cultural practices to thwart Scattered Spider attacks

🔹 Analysis of Information Sharing and Analysis Center (ISAC) member and FBI intelligence and corresponding MITRE ATT&CK® mitigations

The recommended measures have proven effective against Scattered Spider and similar threat actors, according to expert assessment of intelligence. The mitigations incorporate the baseline necessities of FS-ISAC’s cyber fundamentals, keyed to Scattered Spider TTPs (tactics, techniques, and procedures) based on known threats.

However, threat actors such as Scattered Spider are constantly innovating, so organizations must be diligent in continually monitoring their processes and identities to look for new exploits.

These findings were produced collaboratively by the Financial Services, Information Technology, Food and Agriculture, Health, Aviation, Automotive, Retail and Hospitality, and Maritime Transportation System ISACs, and the NCI. The NCI comprises 28 organizations and is designed to maximize information flow across private sector critical infrastructures and government agencies.

Background and TTPs

Scattered Spider is a financially – rather than ideologically – motivated group of young independent operators in the UK, US, and Canada. According to researchers, Scattered Spider is part of a larger hacking community known as The Community or The Com, which organizes via online platforms, including Discord and Telegram group chats. Scattered Spider uses highly effective social engineering techniques and credential theft to gain entry to target networks, then monetizes its attacks through data theft, extortion, or affiliate ransomware operations. The group is known for its extensive reconnaissance that identifies personas to adopt or employees to target. Much of Scattered Spider’s success is attributed to its speed and low-effort, adaptable targeting.

*****

Sidebar:

“The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment and is often upheld with fake social media profiles to backstop newly created identities.” Cybersecurity Advisory: Scattered Spider – a joint Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) advisory

*****

Active since early 2022, Scattered Spider was initially observed targeting telecommunications and business process outsourcing (BPO) entities, likely as a springboard for social engineering operations to gain unauthorized access to other targets and their stakeholders. Since then, the group has been linked to over 100 attacks across multiple market verticals, but tends to target one sector at a time. Scattered Spider is notorious for the 2023 compromise of Caesars Entertainment and MGM Resorts and the 2022 attack on Twilio, which resulted in a supply chain attack that impacted the Signal messaging app. It targeted US and UK retailers in April and May 2025, then shifted its focus to the financial sector, particularly insurance firms, and the aviation sector.

  1. Initial access obtained through:
    • Social engineering attacks
    • MFA fatigue attacks

  2. Captures admin privileges by:
    • Credential dumping
    • Stored credentials and secrets

  3. Persistence obtained by:
    • Scheduled tasks
    • Malicious services
    • Local user creation
    • Cloud persistence mechanisms

  4. Defense evasion enabled by:
    • Disabling AV/EDR
    • Altering Windows GPOs
    • Disabling Defender, logging, or telemetry
    • Removing EDR drivers

  5. Lateral movement via:
    • PsExec
    • PowerShell remoting
    • WMI
    • Legitimate VPN or Citrix connections

A typical tactic is to persuade IT helpdesk agents to perform self-service password resets (SSPRs) for targeted accounts. Scattered Spider’s techniques include the use of short message service (SMS) messages — i.e., texting — and voice phishing (smishing and vishing) to capture credentials for single sign-on (SSO) dashboards, Microsoft Office 365/Azure, VPNs, and edge devices.

The group is also known to hijack multifactor authentication (MFA) via subscriber identity module (SIM)-swapping. Then it defeats MFA via notification fatigue or convinces helpdesk agents to reset the MFA method of targeted accounts.

After successfully compromising a user’s account, Scattered Spider operatives register other devices under the account. When it can gain administrative privileges, it creates attacker-controlled accounts within the victim’s environment. Then the threat actor establishes persistence for unauthorized access to the victim’s environment and builds in redundancy to thwart attempts to remove malware or access.

Subsequent reconnaissance activity includes attempting to discover corporate platforms – including Windows, Linux, Google Workspace, Microsoft Entra ID (formerly Azure Active Directory), Microsoft 365, AWS, and other tools hosted within cloud infrastructure – and moving laterally, downloading the appropriate tools to exfiltrate sensitive data.

*****

Sidebar:

Health-ISAC received intelligence linking the Amadey botnet to Scattered Spider attacks. The Amadey botnet has been used by ransomware actors such as BlackSuit, BlackBasta, and Akira to drop malware loaders into victim networks. The botnet has evaded law enforcement action against malware-as-a-service (MaaS) platforms, allowing it to evolve since 2018.

*****

This deep understanding of the victim’s native infrastructure enables Scattered Spider to execute nefarious follow-on activities. It is through this deep understanding – e.g., its ability to execute living-off-the-land techniques – that the group can evade standard detection methods. The threat group can also deploy malware that drops malicious signed drivers designed to terminate processes associated with security software and delete files.

Scattered Spider uses recently registered and highly convincing phishing domain names that mimic legitimate login portals, especially Okta authentication pages. These domains have a short lifespan or uptime, making detection difficult.

Since 2023, Scattered Spider has been observed using five distinct phishing kits, as the group’s deployment strategies have evolved to include Dynamic DNS providers. Additionally, the group has incorporated the Spectre remote access trojan (RAT) into its attack chain for malware deployment on compromised systems to gain persistent access. This malware includes mechanisms for remote uninstallation and brokering connections to additional command and control (C2) servers, suggesting the group may be using C2 infrastructure to conduct post-exploitation actions on victim networks.

*****

Sidebar:

Known Domain Names Used by Scattered Spider

  • targetsname-sso[.]com
  • targetsname-servicedesk[.]com
  • targetsname-okta[.]com
  • targetsname-cms[.]com
  • targetsname-helpdesk[.]com
  • oktalogin-targetcompany[.]com

Scattered Spider Cybersecurity Advisory produced jointly by the FBI, CISA, Royal Canadian Mounted Police, Australian Signals Directorate’s Australian Cyber Security Centre, Australian Federal Police, Canadian Centre for Cyber Security, and United Kingdom’s National Cyber Security Centre

*****

Recommendations

The following recommendations have proven effective for ISAC members. Many are drawn from FS-ISAC’s cyber fundamentals, a risk-based, defense-in-depth approach of baseline cybersecurity necessities applicable to organizations at any level of cyber maturity.

Use a multi-channel verification process — No organization should rely on a single channel of communication for employees’ password changes or MFA-reset requests. Some firms may benefit from using a predetermined list of questions that only the employee could answer to initiate password and MFA resets. And IT employees should always feel empowered to challenge any other employee’s verification request.

Action Steps:

  • The IT department should use multi-channel verification, including:
    • Verification of requests made via email, text, or phone with a call back on a pre-registered and known-good phone number
    • Static PINs on a physical badge
    • Visual validation
  • Employ a vocal password only known to employees, or a set of responses to questions that are not easily guessed, i.e., “What is your mother’s maiden name? What was your start date of employment? What is the asset tag of your work laptop?”
  • Require two employees to approve certain types of requests — such as large financial transfers — or requests from employees with a high level of privileges.
  • Contact the employee’s manager when the employee requests a reset of both credentials and MFA.
  • Foster a culture where IT staff are expected and empowered to question any unusual or highly sensitive requests, even from executives, without fear of repercussions.

 

Focus on Social Engineering Tactics — Scattered Spider relies on social engineering exploits and is very creative in its use of phishing, vishing, and smishing. The threat group often instills a sense of urgency in its lures and preys on victims’ fears, empathy, and respect for authority. Include those TTPs in simulations and test employees’ responses to them.

Action Steps:
  • Implement ongoing, mandatory security awareness training and phishing simulations with common and current lures.
  • Tailor training to the role — IT helpdesk, customer service representatives, HR staff, and C-Suite executives may require more detailed and specific training on threat actor tactics and current campaigns.
  • Train customer service representatives on helpdesk procedures. For example, reinforce that their helpdesk will never ask an employee to install remote assistance software or bypass any security control.
  • Use least privilege so that employees, notably customer service representatives, require additional verification from the end user before providing greater access.

 

Review Social Media Profiles of Admins, Particularly Cloud Admins – Admins’ social media profiles and posts can inadvertently display job-related information – i.e., responsibilities, work history, colleagues, daily routine – that threat actors use to tailor attacks (e.g., leveraging travel itineraries to establish credibility or urgency in a vishing campaign). Cloud administrators are particular targets. Obtaining their access privileges would provide threat actors with access to and control over valuable cloud resources and the ability to cause widespread damage. Firms should institute social media policies that describe the information threat actors exploit and prohibit such information in social media posts. Regularly review admins’ social media – especially cloud admins’ posts – for alignment to the social media policy.

Action Steps:
  • Develop and enforce detailed, access-specific social media policies that explain the types of information that are — and are not — permissible to post.
  • Conduct audits to ensure compliance.
  • Provide training on the risks of sharing sensitive professional details.

 

Assess Helpdesk Access Rights – Helpdesk rights can drift over time, sometimes giving privileges to all admin consoles, such as mail flow, security controls, etc. Auditing helpdesk access rights ensures alignment with operational needs, while preventing unauthorized access that could be exploited by threat actors like Scattered Spider. Automated management systems enhance oversight.

Action Steps:
  • Implement automated systems for continuous monitoring and adjustment of access rights.
  • Schedule regular access reviews to ensure alignment with job functions.

Monitor Virtual Machines in Cloud Environments – Implement monitoring tools to provide alerts on unauthorized virtual machine (VM) activities such as suspicious services, abnormal resource usage, and privilege escalation attempts, with protocols to isolate and shut down suspicious VMs swiftly. This rapid response capability is crucial to identifying suspicious activity, preventing potential breaches, and mitigating threats.

Action Steps:
  • Develop a list of permitted activities.
  • Deploy monitoring and alerting systems and look for gaps in them.
  • Establish rapid response protocols for unauthorized activities.
  • Eliminate unnecessary RMM tools and incorporate honeytokens around RMM tool usage for early detection and fingerprint definition.
  • Configure browsers and tasks to regularly delete persistent cookies.
  • Minimize the length of time a web cookie is viable — Scattered Spider uses them to establish persistent access and data exfiltration.

 

Review Security Controls of Virtual Desktop Infrastructure – Ensure virtual desktop infrastructure (VDI) environments are secured with MFA, and continuously monitor user activities.

Action Steps:
  • Review the list of VDI users to ensure it is up to date.
  • Enforce MFA.
  • Do not permit personal devices to have direct access to Office 365, Enterprise Google Workspace, corporate VPNs, etc.
  • Require phishing-resistant MFA, such as YubiKeys, Windows Hello for Business, etc. Do not trust users to approve MFA requests or give out codes.
  • If an organization has VDI to allow third-party access, ensure those VDIs cannot access Secure Shell (SSH) or Remote Desktop Protocol (RDP), or reach websites that aren’t necessary for the user to perform their job.
  • Conduct regular audits and real-time monitoring of all user sessions.
  • Confirm that no application, including vendor applications, uses SMS-based MFA. SMS-based MFA can introduce significant risks because:
      • SMS messages can be intercepted because they are unencrypted
      • Attackers can bypass MFA through social engineering
      • Threat actors can gain control of a phone number, intercept SMS messages, and gain unauthorized access via SIM swapping
      • Outages can prevent users from receiving authentication codes

 

Identify Access Points and Block High-Risk Access – Many organizations must permit employees, regulatory agencies, third-party vendors, and others access to their digital infrastructures. Safeguard all entry points – especially the high-risk ones – with controls or blocks, and assume that all managed service providers are compromised.

Action Steps:
  • Don’t give any third party unfettered access to a corporate network.
  • Replace site-to-site VPNs with VDIs using phishing-resistant MFA and zero trust wherever possible.
  • Identify and block newly created domains that appear to be potential phishing sites (e.g., typosquatting domain names).
  • Block any RAT executables from running on managed devices.
  • Block the websites of all known commercial remote assistance tools.
  • Implement geographic blocking where feasible.
  • Block commercial VPNs connecting to the corporate VPN or VDI with a service like ip2proxy or Spur.
  • Block device types at the VPN if they are not used by customer service representatives. (Adversaries have often used Android device x86.)
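
The look-alike naming patterns in the advisory sidebar and the action step on blocking newly created domains can be applied to a new-domain feed. The Python below is an added example, not part of the ISAC report: the brand `examplehealth`, the feed entries and the 30-day age limit are constructed assumptions, and it goes slightly beyond the listed patterns by tolerating a one-character typo in the brand name.

```python
"""Flag newly registered look-alike login domains (added example)."""
from datetime import date

# Keywords from the advisory sidebar: <brand>-sso, <brand>-servicedesk, ...
SUFFIX_KEYWORDS = {"sso", "servicedesk", "okta", "cms", "helpdesk"}
PREFIX_KEYWORDS = {"oktalogin"}  # oktalogin-<brand>


def refang(domain: str) -> str:
    """Normalise a defanged indicator such as 'name[.]com'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insert or delete."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one substitution
    return a[i:] == b[i + 1:]           # one extra character in b


def brand_match(candidate: str, brands):
    """Exact match, or a one-edit typo for brands long enough to be distinctive."""
    for brand in brands:
        if candidate == brand:
            return brand
        if len(brand) >= 6 and within_one_edit(candidate, brand):
            return brand
    return None


def match_lure(domain: str, brands):
    """Return (brand, keyword) if any label follows a sidebar pattern."""
    for label in refang(domain).split(".")[:-1]:      # ignore the TLD
        left, _, right = label.rpartition("-")
        if right in SUFFIX_KEYWORDS:
            brand = brand_match(left, brands)
            if brand:
                return brand, right
        head, _, tail = label.partition("-")
        if head in PREFIX_KEYWORDS:
            brand = brand_match(tail, brands)
            if brand:
                return brand, head
    return None


def triage(feed, brands, today: date, max_age_days: int = 30):
    """Keep only recently registered domains that match a lure pattern."""
    hits = []
    for domain, registered_on in feed:
        age = (today - registered_on).days
        if not 0 <= age <= max_age_days:
            continue                     # old registrations are out of scope here
        found = match_lure(domain, brands)
        if found:
            hits.append({"domain": refang(domain), "brand": found[0],
                         "keyword": found[1], "age_days": age})
    return hits


# Constructed sample feed: (defanged domain, registration date).
SAMPLE_FEED = [
    ("examplehealth-okta[.]com", date(2025, 5, 28)),
    ("oktalogin-examplehealth[.]com", date(2025, 5, 30)),
    ("examplehea1th-helpdesk[.]com", date(2025, 5, 29)),        # typo in brand
    ("examplehealth-careers[.]com", date(2025, 5, 29)),         # no lure keyword
    ("examplehealth-sso[.]com", date(2019, 1, 1)),              # not newly created
    ("login[.]examplehealth-servicedesk[.]dyn[.]example[.]net", date(2025, 5, 31)),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED, ["examplehealth"], date(2025, 6, 1)):
        print(hit)
```

Matches are candidates for review and blocking, not verdicts; a legitimate vendor domain can follow the same pattern.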

 

Audit Permissions Granted to HR – Strictly aligning HR permissions with operational necessities protects sensitive employee and financial data.

Action Steps:
  • Perform a comprehensive audit of HR access permissions.
  • Review vendor and provider access rights.
  • Educate HR personnel on cybersecurity risks and proper data handling.

 

Research Data Movement Utilities in SaaS Applications – Monitoring and tracking data movements within SaaS (Software-as-a-Service) systems (e.g., Salesforce or ServiceNow) is critical because SaaS applications often have (third-party) Data Movement Utilities available for various purposes and can contain sensitive information.

Action Steps:
  • Integrate data movement utility monitoring into log data.
  • Set up automated alerts and controls for unusual data activity.

 

Review Trusted IP Addresses Exempt From MFA – Organizations may lower MFA rigor regarding requests from a trusted network, such as a VPN, office network, etc. Minimizing these MFA exemptions strengthens network access controls, a vital step in securing financial and sensitive data.

Action Steps:
  • Reevaluate and update the list of trusted IP addresses in the environment.
  • Replace static IP whitelisting with dynamic conditional access policies.

 

Recognize the Insider Threat Posed by Customer Service Representatives — Scattered Spider often obtains initial access to business systems by tricking customer service representatives – but it also recruits them. Scan for potentially malicious activity regularly.

Action Steps:
  • Screen customer service representatives’ activity for signs of potential compromise such as:
    • A high number of password resets or account views in a short period of time
    • Accessing customer accounts without matching verification steps (e.g., inputting customer PIN, matching to ANI, etc.)
    • “Credential juggling,” i.e., logging into VPN under credentials different from those used to access CSR tools
  • Search chat/email support text logs for recruitment attempts by using string searches that reference common terms used in solicitations, such as “Telegram,” “Wickr,” or “Get rich.”
  • Implement time-bound access for customer service representatives for credentials and VPN, and alert on any logins outside agents’ normal working hours.
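
The screening signals listed above can be expressed as simple detections over helpdesk and VPN logs. The Python below is an added example, not part of the ISAC report: the event fields (`type`, `agent`, `src`, `customer`), the thresholds and all sample records are constructed assumptions to be mapped onto whatever the CSR tooling actually logs.

```python
"""Screen CSR activity for the signals listed above (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Solicitation terms quoted in the action steps.
RECRUIT_TERMS = re.compile(r"\b(telegram|wickr|get rich)\b", re.IGNORECASE)
SENSITIVE = ("password_reset", "account_view")


def ev(t, kind, agent, **extra):
    """Build one constructed log event."""
    return {"ts": datetime.fromisoformat(t), "type": kind, "agent": agent, **extra}


def by_time(events):
    return sorted(events, key=lambda e: e["ts"])


def reset_bursts(events, limit=5, window=timedelta(minutes=10)):
    """Agents with more than `limit` resets/views inside any sliding window."""
    recent, flagged = defaultdict(deque), set()
    for e in by_time(events):
        if e["type"] not in SENSITIVE:
            continue
        q = recent[e["agent"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(e["agent"])
    return flagged


def unverified_access(events):
    """Sensitive actions with no earlier verification by that agent for that customer."""
    verified, hits = set(), []
    for e in by_time(events):
        key = (e["agent"], e.get("customer"))
        if e["type"] == "verify_customer":
            verified.add(key)
        elif e["type"] in SENSITIVE and key not in verified:
            hits.append(key)
    return hits


def credential_juggling(events):
    """VPN identity differs from the CSR-tool identity on the same VPN address."""
    vpn_user, hits = {}, []
    for e in by_time(events):
        if e["type"] == "vpn_login":
            vpn_user[e["src"]] = e["agent"]
        elif e["type"] == "tool_login":
            owner = vpn_user.get(e["src"])
            if owner and owner != e["agent"]:
                hits.append((e["src"], owner, e["agent"]))
    return hits


def recruitment_hits(chat_lines):
    """(line number, matched terms) for support-chat lines with solicitation terms."""
    out = []
    for n, line in enumerate(chat_lines, start=1):
        terms = [t.lower() for t in RECRUIT_TERMS.findall(line)]
        if terms:
            out.append((n, terms))
    return out


# Constructed sample data.
SAMPLE_EVENTS = [
    ev("2025-06-02T09:00:00", "vpn_login", "csr_a", src="10.8.0.20"),
    ev("2025-06-02T09:01:00", "tool_login", "csr_a", src="10.8.0.20"),
    ev("2025-06-02T09:05:00", "verify_customer", "csr_a", customer="C1"),
    ev("2025-06-02T09:06:00", "password_reset", "csr_a", customer="C1"),
    ev("2025-06-02T09:10:00", "vpn_login", "csr_c", src="10.8.0.21"),
    ev("2025-06-02T09:11:00", "tool_login", "csr_b", src="10.8.0.21"),
] + [
    ev(f"2025-06-02T09:2{i}:00", "password_reset", "csr_b", customer=f"C1{i}")
    for i in range(6)
]
SAMPLE_CHAT = [
    "Hi, I need help updating my billing address.",
    "hey are you an agent? msg me on telegram, easy way to get rich",
    "Thanks, that fixed it.",
]

if __name__ == "__main__":
    print("bursts:", reset_bursts(SAMPLE_EVENTS))
    print("unverified:", unverified_access(SAMPLE_EVENTS))
    print("juggling:", credential_juggling(SAMPLE_EVENTS))
    print("recruitment:", recruitment_hits(SAMPLE_CHAT))
```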

 

Scattered Spider Tactics and Mitigations

The following table includes ISAC cybersecurity experts’ analysis of intelligence shared by thousands of member organizations. Many of the tactics were discovered by the FBI during investigations of Scattered Spider, which are outlined in the joint CISA and FBI Scattered Spider cybersecurity advisory. The MITRE ATT&CK mitigations are drawn from its analysis of TTPs, based on the organization’s real-world observations.

VIEW IN THE PDF ABOVE.

 

 

Health-ISAC 2025 Health Sector Cyber Threat Landscape – now in Portuguese

Updated May 30, 2025.

A Portuguese translation of this report has been added below.

 

Annual Threat Report – 2025

2024 was a challenging year in cybersecurity for health sector systems around the world.

The Health-ISAC 2025 Health Sector Cyber Threat Landscape highlights a continued escalation of cyberattacks. Key findings include a surge in ransomware attacks, with increasingly sophisticated techniques employed by threat actors.

The report also emphasizes the growing threat of nation-state actors and cyber-espionage, targeting sensitive patient data and intellectual property. Furthermore, the rise of Internet of Medical Things (IoMT) devices has introduced new vulnerabilities, while the evolving threat landscape necessitates continuous adaptation of security measures for health sector organizations globally.

Includes the following, plus key insights pulled from the survey data:
  • Top Five Cyber Threats Health Sector Organizations Faced in 2024
  • Top Five Cyber Threats Health Sector Organizations are looking at in 2025
  • Top Three Challenges Medical Device Manufacturers reported in developing secure medical devices
  • Top Three Impacts on Healthcare Delivery Organizations

Health ISAC 2025 Annual Threat Report
Size : 7.1 MB Format : PDF

Annual Threat Report – 2025

2024 was a challenging year in cybersecurity for health sector systems around the world.

The Health-ISAC 2025 Health Sector Cyber Threat Landscape highlights a continued escalation of cyberattacks. Key findings include a surge in ransomware attacks, with increasingly sophisticated techniques employed by threat actors.

The report also emphasizes the growing threat of nation-state actors and cyber-espionage, targeting sensitive patient data and intellectual property. In addition, the rise of Internet of Medical Things (IoMT) devices has introduced new vulnerabilities, while the evolving threat landscape requires continuous adaptation of security measures for health sector organizations around the world.

Includes the following, plus key insights drawn from the survey data:

  • The top five cyber threats health sector organizations faced in 2024
  • The top five cyber threats health sector organizations are facing in 2025
  • The top three challenges reported by medical device manufacturers in developing secure medical devices
  • The top three impacts on healthcare delivery organizations

 

Health ISAC Setor De Saúde 2025 Panorama De Ameaças Cibernéticas
Size : 2.6 MB Format : PDF

DeepSeek’s Security Risk Is A Critical Reminder For CIOs

Updated Jan 31, 2025, 12:12 pm EST
 

This article in Forbes covers the following topics:

  • Critical Security Flaws In DeepSeek’s System
  • Teach And Monitor
  • CIO Contract Sign-Off
  • Practice Breach Response

Pulled Health-ISAC quote:

Rapid response is especially critical when dealing with breaches involving unsupported technology. The recently proposed HIPAA rule requires healthcare organizations to restore systems within 72 hours. Errol Weiss, the chief security officer at Health-ISAC, said these three areas below are key.

  • Speed is crucial: The faster you respond to a cyber incident, the less damage the attacker can inflict.
  • Follow your incident response plan: If you have a pre-defined incident response plan, follow it closely.
  • Seek expert assistance: If you lack in-house expertise, consider engaging external cybersecurity professionals.

Read the article in Forbes.

Threat Bulletin: SimpleHelp RMM Software Leveraged in Exploitation Attempt to Breach Networks

TLP WHITE

Update January 30, 2025

Health-ISAC, in collaboration with AHA, has identified attempted and ongoing ransomware attacks potentially due to SimpleHelp remote monitoring and management (RMM) software vulnerabilities.  Based on the potential threat and impact on patient care, the AHA worked with Health-ISAC to ensure this bulletin is distributed widely to the health sector.  
 
It is strongly recommended that all instances of the SimpleHelp application, especially within health care organizations, be identified and appropriate patches be applied per the bulletin guidance. It is also strongly recommended that health care organizations ensure that all third-party and business associates using SimpleHelp also apply appropriate patches.

January 29, 2025

Recent reporting indicates that threat actors are exploiting patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to gain unauthorized access to private networks. These vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were discovered by Horizon3 researchers in late December 2024 and disclosed to SimpleHelp on January 6, prompting the company to release patches. The flaws were publicly disclosed after the patches were released on January 13, 2025.

This campaign highlights the importance of patch management, as threat actors use exploits within a week of public disclosure. 

The vulnerabilities identified in SimpleHelp RMM could allow attackers to manipulate files and escalate privileges to administrator level. A threat actor could chain these vulnerabilities in an attack to gain administrative access to the vulnerable server and then use that access to compromise the device running vulnerable SimpleHelp client software.

TLPWHITE Cb3ee67f Simplehelp Rmm Software Leveraged In Exploitation Attempt To Breach Networks
Size : 139.4 kB Format : PDF

 

Potential Threats to Healthcare Executives Are Circulating On-Line

 

Following the tragic shooting of the UnitedHealthcare CEO in New York City on December 4, Health-ISAC issued an alert to Members on December 9 identifying eleven precautionary actions health sector organizations should take.

Health-ISAC has received reports of multiple on-line postings threatening executives within the health sector. Forums have been identified as a source of threats targeting CEOs in the healthcare industry, particularly those leading major health insurance companies and pharmaceutical firms. Health-ISAC has issued a threat bulletin to inform the global health sector on what to be aware of and recommend mitigation steps for organizations to take immediately. Please read and share within the health sector.

TLPWHITE Da2c7f6d Potential Threats To Healthcare Executives Are Circulating On Line
Size : 3.6 MB Format : PDF

 

These threats, which range from general intimidation to specific calls for violence, have emerged in the wake of the recent killing of a UnitedHealthcare CEO. It is important to note that the perpetrator of this recent assassination has not yet been apprehended, and the investigation into the possible motives is still ongoing.

While these circulating threats have not been verified, Health-ISAC recommends heightened security awareness among healthcare executives and more stringent security measures to ensure safety. 

Calls for violence may extend to the cyber domain, leading hacktivists to carry out DDoS and other disruptive attacks on the health sector. Health-ISAC recommends that members remain vigilant about safeguarding all infrastructure and that organizations share any specifics they can about threats to executives so we can keep the community informed.

Collecting Cyber Vulnerability Metrics is Critical

Collecting Cyber Vulnerability Metrics is Critical, But Communicating Them to Stakeholders in a Clear & Compelling Way is Key, Says H-ISAC Report

As the healthcare industry becomes more reliant on interconnected digital systems, the importance of robust vulnerability management has never been more pronounced. A recent report by Health-ISAC, Vulnerability Metrics and Reporting, sheds light on best practices and strategies to strengthen cybersecurity in health systems.

Read the full article in HealthSystemCIO.com.

 

Guidance for CTI in a Box

This white paper presents an analysis of a survey conducted among Health-ISAC Members by the Cyber Threat Intelligence (CTI) Program Development Working Group. The survey aimed to provide critical insights into the current state of CTI programs across the health sector, identifying strengths and opportunities for growth.

 

Purpose

The survey results were instrumental in guiding the Working Group’s efforts to prioritize high-value deliverables and foster collaboration within the Health-ISAC community. These findings have informed the development of practical resources designed to support and advance CTI initiatives.

Key Findings

The paper explores 9 key findings from the survey, which have directly influenced the creation of resources and tools tailored to the needs of Health-ISAC members. These findings serve as the foundation for an innovative resource suite named CTI in a Box. This comprehensive resource organizes essential tools, strategies, and best practices to empower Health-ISAC Members in strengthening their CTI programs. Members can access CTI in a Box through the Health-ISAC Threat Intelligence Portal (H-TIP).

 


Cyware Launches Threat Intelligence Platform to Defend Healthcare Organizations from Cyber Threats

An Industry-Tuned Threat Intelligence Platform to Defend Healthcare Organizations from Cyber Threats

Purpose-built solution enables healthcare security teams with healthcare-specific threat feeds and automated response capabilities.

Media mention:

Errol Weiss, Chief Security Officer at Health-ISAC and Cyware customer, expressed the critical need for this innovation: “Healthcare is one of the most targeted sectors by cybercriminals. Having a threat intelligence platform that’s designed specifically for our industry will allow healthcare organizations to quickly access relevant, actionable insights that can make a tangible difference in defending against sophisticated attacks.”

Rachel James, Health-ISAC Threat Intelligence Committee member, noted, “In an environment where time is critical, healthcare security teams need tools that allow them to do more with less effort but with greater accuracy. Cyware’s Healthcare Threat Intelligence Platform is designed to quickly identify and respond to healthcare-specific threats, empowering organizations to stay ahead of attacks without being overwhelmed by complexity.”

Read the full press release in BusinessWire.

Vulnerability Metrics and Reporting

A white paper published by Health-ISAC’s Vulnerability Management Working Group

In today’s always-on interconnected world, vulnerability management is a foundational process for all organizations. Metrics and reporting play a critical role in monitoring the services we provide, implementing detection capabilities, and remediation efforts of application or technology teams. Effective storytelling with metrics and reporting can help showcase improvements or the effectiveness of our technology support personnel. The vulnerability management team should have a scoring system to reflect the organization’s remediation timelines.

Vulnerability Metrics And Reporting (1)
Size : 2.3 MB Format : PDF