| Attribute | Detail |
|---|---|
| Names | Scattered Spider / UNC3944 / Octo Tempest |
| Attribution | English-Speaking Cybercriminal Collective |
| Active Since | 2022 |
| Primary Focus | Social engineering specialists. SIM swapping, helpdesk social engineering, Okta/Azure AD targeting. |
Overview
Scattered Spider is an English-speaking cybercriminal collective composed primarily of young adults and teenagers. The group specializes in social engineering — particularly helpdesk impersonation, SIM swapping, and MFA fatigue attacks — to compromise identity providers like Okta and Azure AD. They formed a formal alliance with ALPHV/BlackCat ransomware in 2023.
Attribution
Scattered Spider (also tracked as UNC3944 and Octo Tempest) is attributed to an English-speaking cybercriminal collective that has been active since at least 2022. Its members are social engineering specialists who focus on SIM swapping, helpdesk social engineering, and Okta/Azure AD targeting.
Notable Campaigns
- 0ktapus campaign — 130+ organizations phished via Okta impersonation (2022)
- MGM Resorts attack — $100M+ estimated losses (2023)
- Caesars Entertainment — $15M ransom paid (2023)
- Twilio, Mailchimp, Signal supply chain compromise
- Alliance with ALPHV/BlackCat for ransomware deployment
- Coinbase, Reddit social engineering attacks
MITRE ATT&CK Mapping
| Technique ID | Technique | Confidence |
|---|---|---|
| T1566 | Phishing | High |
| T1078 | Valid Accounts | High |
| T1199 | Trusted Relationship | High |
| T1486 | Data Encrypted for Impact | High |
| T1621 | Multi-Factor Authentication Request Generation | High |
| T1656 | Impersonation | High |
Detection & Defense
Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for Scattered Spider activity patterns.
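As one concrete instance of monitoring for T1621 (MFA fatigue), the following added example, which is not Mjolnir Security's own detection content, flags bursts of denied or unanswered push prompts per user and raises severity when an approval follows the burst. The event schema, the 10-minute window, the threshold of 5 and all sample events are assumptions constructed for illustration; map the fields to your identity provider's real log format before use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: look-back window for one burst
THRESHOLD = 5                   # assumption: failed pushes that count as a burst

def _events(user, start, minutes, results):
    """Build constructed (iso_timestamp, user, result) tuples for the sample set."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(minutes=m)).isoformat(), user, r)
            for m, r in zip(minutes, results)]

# Constructed sample data in a generic schema, not any vendor's log format.
SAMPLE_EVENTS = (
    _events("alice", "2024-01-01T02:00:00", range(7),
            ["denied"] * 3 + ["timeout"] * 3 + ["approved"])   # burst, then gives in
    + _events("bob", "2024-01-01T09:00:00", [0], ["approved"])  # normal login
    + _events("carol", "2024-01-01T03:00:00", range(5), ["denied"] * 5)  # burst, holds out
    + _events("dave", "2024-01-01T08:00:00", range(0, 300, 60), ["denied"] * 5)  # hourly
)

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Alert on users with >= threshold failed pushes inside the window.

    Severity is "high" when an approval arrives while the burst is still in
    the window (the user likely gave in), otherwise "medium".
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failed pushes
    alerts = {}
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"user": user, "severity": "medium", "first_push": q[0].isoformat()})
                alert["failed_pushes"] = len(q)
        elif result == "approved":
            if len(q) >= threshold:
                alerts[user].update(severity="high", approved_at=ts_raw)
            q.clear()
    return sorted(alerts.values(), key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the case to escalate first, because the session created by that approval should be treated as suspect until the user confirms it.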