The HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about a financially motivated threat group called Scattered Spider. Most cybercriminal groups are Russian-speaking and based in Russia or the Commonwealth of Independent States, but Scattered Spider members are native English speakers and are thought to live mostly in the U.S. or the U.K. Authorities in those countries have arrested four group members, but the group is still operating. Intelligence collected about the group indicates that its members are mostly 19 to 22 years old.
Scattered Spider does not develop its own malware payloads or attack tools; it relies on publicly available tools and malware created by other cybercriminals. For example, the group has used remote monitoring and management (RMM) tools such as ConnectWise Control, AnyDesk, ASG Remote Desktop, Splashtop, and ScreenConnect. It has also used LaZagne and Mimikatz to steal credentials and Ngrok to tunnel traffic to remote web servers.
In the past, the group has used several malware variants in its operations, including Atomic, VIDAR Stealer, Raccoon Stealer, and Meduza Stealer. It has also used the phishing kits EIGHTBAIT and Oktapus and the ransomware variants BlackCat and RansomHub, and it has collaborated with the Qilin threat group.
The attackers commonly use information stealers to obtain credentials for initial access, then rely on living-off-the-land techniques to evade security software while moving laterally through the network, disabling security tools and stealing sensitive information such as PHI. Attacks frequently conclude with ransomware deployment.
Scattered Spider members are also known for advanced social engineering, including smishing, spear phishing, and voice phishing. One campaign linked to Scattered Spider used voice-based spear phishing that targets IT Help Desk staff over the telephone. The threat actors posed as employees, sometimes using artificial intelligence to imitate voices. The goal is to trick the IT Help Desk into resetting the impersonated employee’s password and enrolling the threat actor’s device to receive multifactor authentication codes. The caller supplies the Help Desk with personal data about the individual being impersonated, including usernames and staff IDs acquired in earlier phases of the attack. HC3 had already released a warning about this campaign because healthcare companies were among the threat group’s victims.
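One defensive correlation for the Help Desk sequence described above, written as an added example (it is not from the HC3 advisory): it flags any new MFA device enrolment that follows an administrator-performed password reset on the same account within a short window. The event field names and the sample audit entries are constructed assumptions, not a real identity provider’s schema.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (not real logs). A Help Desk
# password reset on an account, followed shortly by a new MFA device enrolment
# for that same account, is the sequence the HC3 warning describes.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "event": "password_reset", "actor": "helpdesk.op1", "user": "j.doe"},
    {"ts": "2024-05-01T10:12:00", "event": "mfa_device_enrolled", "actor": "j.doe", "user": "j.doe"},
    # Reset and enrolment a day apart: outside the window, not flagged.
    {"ts": "2024-05-01T09:00:00", "event": "password_reset", "actor": "helpdesk.op2", "user": "a.smith"},
    {"ts": "2024-05-02T15:00:00", "event": "mfa_device_enrolled", "actor": "a.smith", "user": "a.smith"},
    # Self-service reset by the user themselves: not an admin reset, not flagged.
    {"ts": "2024-05-01T13:00:00", "event": "password_reset", "actor": "c.ng", "user": "c.ng"},
    {"ts": "2024-05-01T13:05:00", "event": "mfa_device_enrolled", "actor": "c.ng", "user": "c.ng"},
    # Enrolment with no preceding reset: not flagged.
    {"ts": "2024-05-01T11:00:00", "event": "mfa_device_enrolled", "actor": "b.lee", "user": "b.lee"},
]


def find_admin_reset_then_enrol(events, window=timedelta(hours=1)):
    """Return (user, reset_ts, enrol_ts) for every MFA device enrolment that
    occurs within `window` after a password reset performed on that user's
    account by someone other than the user (i.e. a Help Desk/admin reset)."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    last_admin_reset = {}  # user -> datetime of most recent admin-performed reset
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["event"] == "password_reset" and e["actor"] != e["user"]:
            last_admin_reset[e["user"]] = t
        elif e["event"] == "mfa_device_enrolled":
            reset_at = last_admin_reset.get(e["user"])
            if reset_at is not None and timedelta(0) <= t - reset_at <= window:
                alerts.append((e["user"], reset_at.isoformat(), t.isoformat()))
    return alerts


if __name__ == "__main__":
    for user, reset_ts, enrol_ts in find_admin_reset_then_enrol(SAMPLE_EVENTS):
        print(f"ALERT {user}: admin reset at {reset_ts}, new MFA device at {enrol_ts}")
```

In practice the alert should trigger a call-back to the employee through a known-good number before the new device is trusted.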
Scattered Spider has been operating since around 2022 and initially targeted customer relationship management (CRM), telecommunications, technology, and business process outsourcing (BPO) firms. However, the group has since shifted to a wider range of industries. Although the healthcare sector has not been heavily targeted, the group has attacked a few healthcare organizations. HC3 provided Scattered Spider’s threat actor profile together with indicators of compromise and suggested steps to strengthen defenses.