165/68 Tuesday, May 6, 2025

Despite law enforcement agencies in multiple countries identifying and arresting several members of the hacker group Scattered Spider, the group continues to launch cyberattacks against high-profile targets. Recent reports indicate that the group was behind an attack on the network of Marks & Spencer, a major British retailer, using the DragonForce ransomware, which is known for its ability to evade advanced security systems. Previously, Scattered Spider was responsible for breaching the systems of MGM Resorts and Caesars Entertainment in the United States, causing billions of dollars in damages in 2023.
Scattered Spider—also known by various aliases in the cybersecurity community such as UNC3944, Octo Tempest, and Muddled Libra—operates without the traditional hierarchical structure common to criminal organizations. Most of its members are English-speaking youths based in the U.S. and the U.K., with a high level of skill in social engineering techniques. These include impersonating support personnel to steal credentials, SIM-swapping, and MFA bombing attacks to trick users into approving unauthorized access. Although multiple arrests were made in early 2024, including that of the group’s alleged ringleader in Spain, the group’s operations have not been fully disrupted.
Security experts from Secureworks note that Scattered Spider’s strength lies in its adaptability—frequently changing tools and affiliations. This includes switching between ransomware variants such as ALPHV/BlackCat, RansomHub, and DragonForce, and leveraging dynamic DNS services to evade domain-based threat detection. Experts recommend that organizations adopt non-SMS-based authentication, stay vigilant against advanced social engineering attacks, and regularly audit domains associated with this threat actor. While tackling the group remains a challenge, there is hope that coordinated legal action in the group’s home countries may help reduce the long-term threat posed by Scattered Spider.