
Scattered Spider (Octo Tempest) – Threat Actor Profile

1. Overview

Scattered Spider, tracked by Microsoft as Octo Tempest and by Mandiant as UNC3944 (other vendor names include 0ktapus, Scatter Swine and Muddled Libra), is a financially motivated threat actor that has rapidly gained prominence for its advanced social engineering, SIM swapping, and multi-stage extortion campaigns. Active since at least 2022, the group has intruded into major companies across multiple sectors, including telecommunications, technology, hospitality, and critical infrastructure.

Despite being a relatively young threat group, Scattered Spider operates with a maturity more often seen in established intrusion crews, particularly in identity-centric attacks that defeat multi-factor authentication by manipulating people and helpdesk processes rather than by exploiting software. It operates independently but has worked as an affiliate of ransomware-as-a-service programmes, most notably ALPHV (BlackCat); since 2024 it has also been reported deploying RansomHub and Qilin payloads.


2. Origin and Evolution

Scattered Spider emerged from underground communities traditionally associated with SIM swapping and account takeovers, particularly in the United States and the UK. The group transitioned from individual fraud and credential theft into full-scale enterprise intrusion and extortion, with operations increasing significantly in 2023 and 2024.

It is one of the few native English-speaking threat groups operating at a high level of maturity, blending technical skill with strong social engineering. Microsoft tracks it as Octo Tempest and notes its deployment of ransomware under the ALPHV banner, among others.

The group often targets helpdesk staff, identity management systems, and mobile carriers to compromise corporate accounts and deliver payloads.


3. Tactics, Techniques, and Procedures (TTPs)

Scattered Spider relies heavily on identity compromise and is among the most effective threat groups using social engineering. Its tactics include:

  • Initial access
    Uses phishing, SMS phishing and voice phishing (vishing) to harvest credentials or to talk helpdesk staff into resetting a password or re-enrolling MFA for an account the group has chosen (T1566.002, T1566.004, T1598). Callers impersonate employees, using details scraped from LinkedIn or earlier breaches, or pose as IT staff; phishing pages are hosted on lookalike domains built around the victim's name, such as <company>-sso or <company>-helpdesk.
  • SIM swapping and phone-based takeover
    Persuades or bribes mobile carrier staff to port an employee's number to an attacker-controlled SIM, so that SMS and voice one-time codes are delivered to the group rather than the user (T1111). The number is not cloned; it is moved, and the victim's own phone loses service.
  • MFA fatigue and push bombing
    Sends repeated MFA push requests until the employee approves one out of frustration or confusion, often paired with a call from "IT" telling the user to accept it (T1621).
  • Credential access and lateral movement
    After gaining initial access, uses tools such as Mimikatz for credential dumping and RDP for lateral movement (T1003, T1021.001), installs legitimate remote-management and tunnelling tools such as ScreenConnect, TeamViewer, Ngrok and Tailscale to keep access (T1219), and searches internal repositories such as SharePoint, wikis and ticketing systems for credentials and network documentation (T1213). The group has also been observed monitoring victims' email and chat for signs of detection and joining incident response calls.
  • Data exfiltration and ransomware
    Stages stolen data to attacker-controlled cloud storage such as MEGA or S3 buckets (T1567.002), then deploys ransomware, historically ALPHV/BlackCat, frequently against VMware ESXi hypervisors (T1486). The stolen data is used for double extortion.
  • Cloud abuse
    Targets identity platforms such as Okta, Microsoft Entra ID (formerly Azure AD) and Duo. Gains persistence by registering attacker-controlled devices, creating new accounts, abusing OAuth tokens, and adding an attacker-controlled federated identity provider that can mint valid tokens for any user.

4. Targeting Profile

Scattered Spider targets large enterprises with complex identity infrastructures and valuable data. Key sectors include:

  • Telecommunications and mobile carriers
  • Financial services and fintech firms
  • Technology and cloud service providers
  • Hospitality and travel
  • Critical infrastructure, including power and healthcare

The group has targeted organisations in North America and Europe, including UK-based entities with global operations. Companies with outsourced helpdesks, federated identity systems, or high-value customer databases are at particular risk.


5. Notable Campaigns and Victims

Scattered Spider has been linked to several high-profile breaches, including:

  • The September 2023 attack on MGM Resorts, which began with a vishing call to the IT helpdesk by an attacker impersonating an employee identified on LinkedIn and ended with ALPHV/BlackCat ransomware on ESXi hosts and days of outages across hotels and casinos
  • A campaign against Caesars Entertainment in the same period, after which the company reportedly paid a ransom of around US$15 million
  • The 2022 "0ktapus" SMS phishing wave against Twilio, Cloudflare and other technology companies, which harvested Okta credentials and one-time codes; Cloudflare reported that the attempt failed against its staff because they authenticated with hardware FIDO security keys
  • Intrusions into identity providers and SSO systems to escalate access across cloud environments
  • Attempts to compromise critical services by gaining access to internal support and reset portals

The group's attacks are notable for the speed at which they escalate from initial compromise to ransomware deployment and public extortion, often within hours to a few days.


6. Technical Indicators

Scattered Spider's operations evolve quickly, but common technical indicators include:

  • Helpdesk password resets or MFA re-enrolments followed within minutes by a new phone number, device or factor on the same account
  • Bursts of MFA push notifications to a single user, repeated reset attempts, and a successful login shortly afterwards
  • Newly registered domains that combine the organisation's name with terms such as sso, okta, vpn or helpdesk, hosting pages that mimic Okta, Microsoft or Google sign-in
  • Remote management or tunnelling tools (ScreenConnect, TeamViewer, Ngrok, Tailscale and similar) appearing on hosts where IT did not deploy them
  • Ransomware activity consistent with ALPHV/BlackCat, including encryption of ESXi datastores
  • Cloud audit logs showing creation of new admin users, device trust manipulation, OAuth token issuance, or the addition of a federated identity provider

Security teams should monitor for identity misuse patterns, especially outside of normal working hours, and should assume that once inside, the actor may be reading the incident response channel.
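The identity-log patterns above can be turned into simple detections. The following Python script is an added example written for this profile, not code from the original page or from any vendor. It runs three rules over constructed, Okta-style System Log events: a helpdesk reset followed by a new factor, a burst of MFA pushes, and a privilege grant made off-hours or by an account whose factors just changed. The event names approximate Okta's; the users, domain, timestamps and thresholds are invented and must be tuned to the environment.

```python
"""Identity-misuse triage over constructed Okta-style System Log events.

Added example for this profile, not the page's own tooling. Event names
approximate the Okta System Log; sample data and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse an ISO-8601 UTC timestamp such as '2025-05-03T02:00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events (not real logs). Field names loosely follow Okta.
SAMPLE_EVENTS = [
    # Ordinary daytime MFA for one user: should not alert.
    {"published": "2025-05-02T10:02:11Z", "eventType": "system.push.send_factor_verify_push",
     "actor": "a.jones@corp.example", "target": "a.jones@corp.example", "outcome": "SUCCESS"},
    {"published": "2025-05-02T10:02:30Z", "eventType": "user.authentication.auth_via_mfa",
     "actor": "a.jones@corp.example", "target": "a.jones@corp.example", "outcome": "SUCCESS"},
    # A helpdesk reset with no follow-on factor change: should not alert.
    {"published": "2025-05-02T11:00:00Z", "eventType": "user.account.reset_password",
     "actor": "hd.agent@corp.example", "target": "b.khan@corp.example", "outcome": "SUCCESS"},
    # 02:00 UTC helpdesk reset, new SMS factor four minutes later, a push burst,
    # then a Super Administrator grant: the sequence described in section 6.
    {"published": "2025-05-03T02:00:05Z", "eventType": "user.account.reset_password",
     "actor": "hd.agent@corp.example", "target": "j.smith@corp.example", "outcome": "SUCCESS"},
    {"published": "2025-05-03T02:04:40Z", "eventType": "user.mfa.factor.activate",
     "actor": "j.smith@corp.example", "target": "j.smith@corp.example", "outcome": "SUCCESS",
     "detail": "sms"},
    *[{"published": f"2025-05-03T02:06:{s:02d}Z", "eventType": "system.push.send_factor_verify_push",
       "actor": "j.smith@corp.example", "target": "j.smith@corp.example", "outcome": "SUCCESS"}
      for s in (0, 9, 18, 27, 36, 45, 54)],
    {"published": "2025-05-03T02:07:10Z", "eventType": "user.authentication.auth_via_mfa",
     "actor": "j.smith@corp.example", "target": "j.smith@corp.example", "outcome": "SUCCESS"},
    {"published": "2025-05-03T02:12:00Z", "eventType": "user.account.privilege.grant",
     "actor": "j.smith@corp.example", "target": "svc.sync@corp.example", "outcome": "SUCCESS",
     "detail": "Super Administrator"},
]


def _by_user(events, event_type, key="target"):
    """Group events of one type by the user they concern, sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if e["eventType"] == event_type:
            groups[e[key]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: ts(e["published"]))
    return groups


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received at least `threshold` MFA pushes in any sliding window."""
    findings = []
    for user, pushes in _by_user(events, "system.push.send_factor_verify_push").items():
        times = [ts(e["published"]) for e in pushes]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "mfa_push_bombing", "user": user,
                                 "evidence": f"{end - start + 1} pushes within {window}"})
                break
    return findings


def detect_reset_then_factor_change(events, within=timedelta(minutes=30)):
    """Flag a helpdesk-driven password reset followed by a new MFA factor on the
    same account: what a social-engineered reset plus attacker enrolment looks like."""
    findings = []
    resets = _by_user(events, "user.account.reset_password")
    factors = _by_user(events, "user.mfa.factor.activate")
    for user, rs in resets.items():
        for r in rs:
            if r["actor"] == user:  # self-service reset, not performed by the helpdesk
                continue
            t0 = ts(r["published"])
            for f in factors.get(user, []):
                delta = ts(f["published"]) - t0
                if timedelta(0) <= delta <= within:
                    findings.append({"rule": "reset_then_new_factor", "user": user,
                                     "evidence": f"reset by {r['actor']}, then "
                                                 f"{f.get('detail', 'factor')} enrolled {delta} later"})
                    break
    return findings


def detect_privilege_grant(events, business_hours=(7, 19), lookback=timedelta(hours=24)):
    """Flag privilege grants outside business hours (UTC) or made by an actor whose
    own MFA factors changed within `lookback`."""
    findings = []
    factor_changes = _by_user(events, "user.mfa.factor.activate")
    for e in events:
        if e["eventType"] != "user.account.privilege.grant":
            continue
        t = ts(e["published"])
        reasons = []
        if not (business_hours[0] <= t.hour < business_hours[1]):
            reasons.append("outside business hours")
        if any(timedelta(0) <= t - ts(f["published"]) <= lookback
               for f in factor_changes.get(e["actor"], [])):
            reasons.append("actor changed MFA factor recently")
        if reasons:
            findings.append({"rule": "suspicious_privilege_grant", "user": e["actor"],
                             "evidence": f"{e.get('detail', 'privilege')} to {e['target']}: "
                                         + "; ".join(reasons)})
    return findings


def triage(events):
    """Run all three rules and return the findings sorted by user and rule."""
    findings = (detect_push_bombing(events) + detect_reset_then_factor_change(events)
                + detect_privilege_grant(events))
    return sorted(findings, key=lambda f: (f["user"], f["rule"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']}: {f['evidence']}")
```

Run against the sample, only j.smith is flagged, by all three rules; a.jones's single push and b.khan's reset without a factor change stay quiet. The rules are deliberately sequence-based rather than count-only: a reset on its own or a new factor on its own is routine, but one following the other within minutes is the helpdesk social-engineering pattern this group relies on.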


7. Defensive Measures and Recommendations

To defend against Scattered Spider:

  • Enforce phishing-resistant MFA (FIDO2 security keys or passkeys) for all staff, and at minimum for administrators, helpdesk and executives; remove SMS and voice factors, and enable number matching wherever push approval remains
  • Require strong identity verification before the helpdesk resets a password or MFA factor: call back on a number already on file, confirm with the line manager, or verify on video; never complete a reset or re-enrolment on the strength of a single inbound call
  • Monitor helpdesk activity, especially password resets and mobile number or factor changes, and alert when a reset is followed shortly by a new factor, device or privilege
  • Work with mobile carriers to set port-out PINs or number locks on phones used for authentication, and alert on SIM swap and number-change events
  • Restrict privileged access and enforce just-in-time, approval-based elevation for admins
  • Educate staff, particularly helpdesk and IT, on vishing and impersonation, and make it easy to report a suspicious call
  • Review cloud identity logs for rogue app registrations, newly added federated identity providers, session hijacking and unexpected device enrolments
  • Implement anomaly detection for login patterns and device enrolments, and keep incident response communications on an out-of-band channel the actor cannot read

High-risk sectors should consider red teaming and identity-focused threat simulations.


8. Attribution and Alliances

Scattered Spider is not known to be state-sponsored but operates with a level of coordination comparable to advanced threat groups. It appears to be based primarily in Western countries, including the UK and the US, and communicates in English; several alleged members were arrested or charged in the US, the UK and Spain during 2024.

The group is believed to collaborate with ransomware operators, including affiliates of the ALPHV/BlackCat programme. Its combination of fraud, social engineering, and technical compromise makes it a hybrid actor straddling cybercrime and organised threat activity.


9. Conclusion

Scattered Spider, also known as Octo Tempest, represents a modern threat actor blending human and technical compromise to bypass enterprise security. With its deep focus on identity exploitation, helpdesk intrusion, and ransomware deployment, it has become a significant threat to large organisations across critical sectors.

UK organisations, particularly those with remote access, mobile fleets, or cloud-first infrastructures, should prioritise hardening of identity systems and user awareness to defend against this highly adaptive group.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
