# Scattered Spider (UNC3944 / Muddled Libra)
Definition
Scattered Spider is a financially motivated threat group that has caused some of the most damaging enterprise breaches of the past several years through a specific and repeatable pattern: compromise the identity layer first, then own everything federated through it. The group is also tracked as UNC3944 (Mandiant), Muddled Libra (Palo Alto Unit 42) and Octo Tempest (Microsoft), and as 0ktapus, a campaign name that has been incorrectly applied to the group as a whole.
The naming confusion is worth clarifying before anything else. "0ktapus" refers to a 2022 phishing campaign that targeted Twilio, Cloudflare, and roughly 130 other companies through SMS-based credential harvesting. That campaign was attributed to this group and the name stuck in early reporting. Researchers later began using Scattered Spider and UNC3944 interchangeably; Muddled Libra and Octo Tempest follow Palo Alto's and Microsoft's respective naming conventions. All of these names refer to the same core set of operators with overlapping infrastructure and TTPs.
What distinguishes Scattered Spider from nearly every other active threat group is not their malware or infrastructure but their social engineering. The operators are native English speakers with fluency and cultural context that most threat actors cannot replicate. They have convincingly impersonated employees to help desk staff, vendors, and IT support personnel on calls long enough to obtain MFA resets, account recoveries, and remote access. Some arrested members were teenagers at the time of their most damaging operations.
In the PDM (Planetary Defense Model), Scattered Spider attacks squarely at IAT (Identity Access and Trust), the civilization layer. Their documented initial access rarely depends on exploiting a vulnerability. They walk through the front gate by convincing the guard they belong there.
How It Works
The Attack Chain
Scattered Spider's intrusion chain is consistent across documented campaigns and worth understanding step by step, because each stage represents a specific defensive control point.
Stage 1: Reconnaissance. Operators identify employee targets through LinkedIn, company directories, and social media. They look for IT staff, help desk workers, and employees with administrative roles. They collect phone numbers and direct contact information for the help desk.
Stage 2: SIM Swapping or SMS Phishing. The group uses two initial access methods depending on the target. In SIM swap attacks, operators contact the victim's mobile carrier posing as the victim and request that the victim's phone number be ported to an attacker-controlled SIM. Once the port completes, the attacker receives all SMS messages sent to that number, including MFA one-time codes. In the 0ktapus campaign, the approach was broader: mass SMS phishing that sent links mimicking Okta login pages to thousands of employees, harvesting credentials and MFA tokens in near real-time.
Stage 3: Vishing the Help Desk. This is the most operationally distinctive step. Rather than attempting to bypass MFA technically, operators call the corporate help desk posing as an employee who has lost access to their account. Using personal details gathered during reconnaissance, the caller convinces the help desk agent to reset MFA for the target account. In the September 2023 MGM Resorts breach, this call reportedly lasted approximately ten minutes. The entire MGM breach started with a LinkedIn search and a phone call.
Stage 4: Okta Admin Console Abuse. After obtaining initial access, operators frequently target Okta administrative accounts. Compromising an Okta admin account provides the ability to modify identity provider configurations for every application federated through that Okta tenant. This is the force multiplier: a single identity provider breach becomes a breach of every application the organization uses, simultaneously, with valid session tokens that bypass per-application authentication.
Stage 5: Persistence and Lateral Movement. The group installs legitimate remote access and remote management tools (AnyDesk, Splashtop, ScreenConnect, TeamViewer, and others listed in the CISA advisory) to maintain access without custom malware. This makes detection harder because the same tools are common in legitimate corporate environments. They also create new admin accounts, modify MFA policies, and disable security controls before the IT team notices anything unusual.
Stage 6: Ransomware Deployment. In the 2023 campaigns the monetization payload was ALPHV/BlackCat ransomware, deployed through a RaaS (Ransomware-as-a-Service) affiliate relationship: Scattered Spider provided the initial access and lateral movement, ALPHV/BlackCat provided the encryptor and leak site, and the two split the ransom. The encryptor is interchangeable; the identity-compromise playbook that precedes it is the constant.
Key Campaigns
The 0ktapus campaign in summer 2022 targeted Twilio and Cloudflare and ultimately phished credentials from employees at approximately 130 organizations. Attackers obtained roughly 10,000 sets of credentials and MFA tokens. The phishing kit was sophisticated enough to relay credentials in real-time to the attacker, allowing them to use harvested MFA codes before they expired.
In September 2023 the group hit two of the largest hospitality companies in the United States within weeks of each other. MGM Resorts International suffered a breach that disrupted hotel operations, slot machines, restaurant systems, and digital room keys across properties in Las Vegas and elsewhere; MGM estimated the impact at roughly $100 million. Caesars Entertainment, whose 8-K attributes its intrusion to a social engineering attack on an outsourced IT support vendor, reportedly paid approximately $15 million to prevent publication of the stolen data.
The hospitality sector is not the exclusive target. The group has hit telecom companies, financial services firms, business process outsourcers, and technology vendors. The common thread is a federated identity provider (frequently Okta) fronting most of the enterprise, plus a help desk, in-house or outsourced, that will reset MFA on the strength of details an attacker can collect from LinkedIn and a data broker.
Why It Matters
The Identity Provider Is the Master Key
The architectural lesson from Scattered Spider is not that help desks are weak. It is that identity providers are force multipliers for both defenders and attackers. When an organization federates 200 applications through a single Okta tenant, every one of those applications inherits both the security and the vulnerability of that central identity layer.
A conventional perimeter-focused security program treats each application as a separate thing to defend. Scattered Spider proves that the identity layer is the thing. When it falls, every federated application falls with it, instantly, with valid credentials that bypass per-application security controls.
Social Engineering Bypasses Technical Controls
Most security programs are built around the assumption that attackers exploit technical vulnerabilities. Scattered Spider demonstrates that technical controls can be sidestepped entirely when the attacker convinces a human to hand over the keys: firewalls, endpoint detection, email security, and even MFA provide no protection if a help desk agent is persuaded to reset the authenticator.
This is not a training failure, though training is part of the answer. It is a process failure. Help desks that lack formal, enforceable authentication procedures for MFA reset requests are operating with an unclosed attack surface regardless of how much technology they deploy around it.
The Cost Is Measurable
MGM: approximately $100 million in negative impact per its Form 8-K, with Las Vegas Strip hotel occupancy falling to roughly 88% from 93% in the prior-year quarter. Caesars: disclosed the incident in a Form 8-K; the approximately $15 million payment was reported by the press rather than stated in the filing. These are not small organizations with immature security programs. Both operate under PCI DSS obligations and both had active security programs. The attack bypassed all of it through a phone call.
For the CISO audience, the risk is straightforward to communicate to a board: if your help desk can be convinced to reset MFA via a phone call, your entire identity infrastructure is accessible to anyone willing to make that call.
CDA Perspective
IAT (Identity Access and Trust): The Civilization Layer Under Siege
In the Planetary Defense Model, IAT is the civilization layer: the domain that governs who is allowed to operate within the environment. Scattered Spider attacks this layer directly and specifically, by inserting themselves into the trust model as apparently legitimate citizens.
CDA's methodology for this domain is Zero Possession Architecture (ZPA). The ZPA tagline is direct: "Trust nothing. Possess nothing. Verify everything." Scattered Spider is, functionally, a proof of concept for what happens when ZPA principles are not applied.
ZPA's core mandate is that no trust is extended based on static credentials, unverified claims, or assumed identity. In ZPA-compliant environments, an employee calling the help desk to request an MFA reset cannot be validated by their ability to provide a name, employee ID, and phone number. Those data points are publicly available. Validation requires out-of-band, phishing-resistant verification through channels the attacker cannot intercept or replicate.
How CDA's Approach Differs
A conventional MSSP responding to Scattered Spider activity would likely focus on the ransomware deployment, the ALPHV/BlackCat indicators, and endpoint detection signatures. CDA's Predictive Defense Intelligence (PDI) methodology, operating in TID, would catch those indicators. But the more important intervention happens earlier, in IAT.
CDA's The Shield assessment scores help desk authentication procedures as a specific control within the IAT domain. This is not a typical assessment item. Most security assessments do not audit the help desk call script for MFA reset requests. CDA does, because ZPA requires it. An organization can score well on every technical IAT control and still have a critical gap if the help desk will reset MFA for any caller who knows the employee's name.
The relevant TOP missions include IAT-domain reconnaissance and build phases, where CDA audits identity infrastructure, federation configurations, and authentication exception handling. Mission SPH-R01 addresses security awareness at the program level, but the more targeted intervention is the IAT-specific audit of privileged account management and authentication bypass procedures.
Adjacent domain connections matter here. SPH (Security Posture and Hygiene) owns the help desk procedure as a security hygiene control. If a help desk has no written authentication procedure for account recovery requests, that is an APC (Autonomous Posture Command) failure: the posture is not defined, so it cannot be monitored or enforced. TID (Threat Intelligence and Defense) is responsible for detecting the post-compromise behaviors: anomalous Okta admin actions, unexpected remote access tool installations, and ALPHV/BlackCat artifacts.
Detection Indicators
For SOC analysts responding to a suspected Scattered Spider incident, the priority indicators are: help desk tickets or call logs showing MFA reset or re-enrollment requests that the account owner did not make; employee reports of sudden loss of cell service (a SIM swap indicator); anomalous Okta admin actions, including new admin account creation, MFA factor resets, authentication or MFA policy changes, and new identity providers added to the tenant; sign-ins from never-before-seen addresses shortly after an MFA reset; unexpected installations of AnyDesk, Splashtop, or other remote access tools on enterprise endpoints; and ALPHV/BlackCat ransomware artifacts in the later stages.
The critical detection window is Stage 3 through Stage 4. By the time ransomware deploys, the attacker has completed their objective and the remediation becomes significantly more complex.
Defensive Controls
The controls that stop Scattered Spider are not primarily technical. They are procedural. The most effective are:
Help desk authentication procedures. Before any MFA reset or re-enrollment is performed, require the caller to be verified through a channel the attacker does not control: a manager approval workflow, in-person verification, or a pre-registered secondary channel that cannot be derived from public data. Name, employee ID, date of birth, and the phone number of record do not count, since all of them are collectable during reconnaissance. A callback to the employee's mobile number is defeated by a SIM swap, so callback verification is only sound when the number is known not to have been ported recently. A written policy that says "we do not reset MFA on the strength of a phone call alone" removes the group's primary initial access vector.
Phishing-resistant FIDO2 MFA. Hardware security keys (YubiKey, Google Titan) implement FIDO2/WebAuthn, in which the credential is scoped to the relying party's domain and the browser writes the real page origin into the signed data, so an assertion produced on a look-alike or proxy site is useless to the real service. When MFA fatigue attacks send repeated push notifications hoping the victim approves one, FIDO2 has no push notification to approve. When SIM swapping redirects SMS codes, FIDO2 has no SMS code to redirect. Migrating from SMS one-time codes or app-based TOTP to FIDO2 hardware keys closes both vectors at the authentication step. Two caveats: the policy must also remove SMS and TOTP as fallback factors, or the attacker simply chooses the weak one; and the keys change nothing about Stage 3, because a help desk that will enroll a new authenticator for an unverified caller has re-opened the same door.
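The origin and RP ID binding that makes FIDO2 phishing-resistant is easiest to see in code. The block below is an added example written for this page, not code from any of the cited sources or vendors: it models a roaming key, the browser's `navigator.credentials.get()` behaviour, and the relying party's assertion checks, then runs a legitimate login, a replayed assertion, two phishing-page attempts, and an adversary-in-the-middle relay. The domains (`example.com`, `login-example.com`) are constructed, and the signature is an HMAC-SHA256 stand-in for the ECDSA P-256 signature a real authenticator produces, so that everything runs on the Python standard library.

```python
"""Why a FIDO2/WebAuthn assertion cannot be phished or relayed: the browser
writes the real page origin into clientDataJSON, the authenticator scopes its
key to the RP ID, and the relying party (RP) checks both before trusting the
signature. The signature here is an HMAC-SHA256 stand-in for the ECDSA P-256
signature a real key produces, so that the example runs on the stdlib alone;
the verification steps are the ones the WebAuthn spec requires of an RP."""
import base64, hashlib, hmac, json, os, struct


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class Authenticator:
    """Roaming key. Each credential is bound to the RP ID it was registered under."""
    def __init__(self):
        self.creds, self.counter = {}, 0          # rp_id -> (credential_id, secret)

    def register(self, rp_id):
        self.creds[rp_id] = (os.urandom(16), os.urandom(32))
        return self.creds[rp_id][1]               # toy: the RP keeps the HMAC secret as its "public key"

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self.creds:
            raise LookupError(f"no credential scoped to rp_id {rp_id!r}")
        _, secret = self.creds[rp_id]
        self.counter += 1
        # authenticatorData = rpIdHash || flags (UP|UV) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", self.counter)
        sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return auth_data, sig


def browser_get(key, page_origin, rp_id, challenge):
    """navigator.credentials.get() as the browser performs it: rp_id must be the
    page's host or a parent domain of it (simplified; real browsers also consult
    the public suffix list), and the origin field comes from the actual page,
    never from page script."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rp_id {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin, "crossOrigin": False}).encode()
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(rp_id, origin, challenge, secret, client_data, auth_data, sig):
    """RP-side assertion checks. Returns (accepted, reason)."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if c.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay)"
    if c.get("origin") != origin:
        return False, f"origin mismatch: {c.get('origin')}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


RP_ID, ORIGIN = "example.com", "https://login.example.com"   # constructed
PHISH = "https://login-example.com"                          # constructed look-alike domain


def run_scenarios():
    key, results = Authenticator(), {}
    secret = key.register(RP_ID)
    chal = os.urandom(32)
    legit = browser_get(key, ORIGIN, RP_ID, chal)
    results["legitimate"] = rp_verify(RP_ID, ORIGIN, chal, secret, *legit)
    # Replay: the RP issued a fresh challenge, the attacker resends an old assertion.
    results["replay"] = rp_verify(RP_ID, ORIGIN, os.urandom(32), secret, *legit)
    # Phishing page asks for the real RP ID: the browser refuses before the key is touched.
    try:
        browser_get(key, PHISH, RP_ID, chal)
    except ValueError as e:
        results["phish_real_rpid"] = (False, str(e))
    # Phishing page asks for its own RP ID: the key has no credential scoped to it.
    try:
        browser_get(key, PHISH, "login-example.com", chal)
    except LookupError as e:
        results["phish_own_rpid"] = (False, str(e))
    # AitM relay, worst case: even if a credential were somehow usable from the proxy's
    # domain, clientDataJSON carries the proxy origin and the real RP rejects it.
    key.creds["login-example.com"] = key.creds[RP_ID]          # deliberately mis-scoped
    relayed = browser_get(key, PHISH, "login-example.com", chal)
    results["aitm_relay"] = rp_verify(RP_ID, ORIGIN, chal, secret, *relayed)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point of the last scenario is the one that matters against a credential-relaying phishing kit of the 0ktapus kind: a relayed SMS or TOTP code is indistinguishable from a real one, but a relayed WebAuthn assertion carries the proxy's origin inside the signed data, so the relying party rejects it without needing to know the proxy exists.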
Port-out protection. Most carriers offer a port freeze or number lock (a different control from the device "SIM lock" that ties a handset to a carrier) that blocks number porting and SIM changes without a separate PIN or in-person verification, and some send an alert when a port request is initiated. Enrolling the numbers of executives, administrators, and help desk staff significantly raises the cost of a SIM swap against those individuals. Employees should also be told that sudden loss of cell service is a reason to notify security, not only the carrier.
Okta admin action monitoring. Okta's System Log records every administrative action as a typed event: admin account and privilege grants, MFA factor resets and deactivations, authentication and MFA policy changes, session revocations, new identity providers, and application configuration changes. Alerting on unexpected admin actions, particularly outside business hours or from addresses never seen for that administrator, and correlating an MFA reset with the next sign-in to the same account, provides detection during Stage 4 while the most damage is still preventable.
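The following detection logic, written for this page as an added example (it is not from Okta, CISA, or any cited vendor), runs the indicators listed under Detection Indicators and the monitoring described above over a handful of Okta System Log records. The `eventType` strings are Okta's published System Log values; the records, addresses, and the per-identity IP baseline are constructed for the example, and the UTC business-hours window is an assumption. It flags high-risk administrative events, escalates them when they come from an unknown address or outside business hours, and raises a separate alert when an account signs in from a new address shortly after its MFA was reset, which is the Stage 3 to Stage 4 handoff in the attack chain.

```python
"""Triage of Okta System Log events for the Stage 3/4 pattern: an administrator
resets a user's MFA, then the "user" signs in minutes later from an address the
organization has never seen, and a new identity provider appears. The eventType
strings are Okta's published System Log values; the records below are constructed
for this example and the IP baseline is assumed to have been built from prior
successful sign-ins."""
import json
from datetime import datetime, timedelta

# Administrative actions that warrant a ticket on their own.
HIGH_RISK_EVENTS = {
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.account.reset_password": "password reset issued",
    "system.idp.lifecycle.create": "external identity provider added",
    "policy.rule.update": "authentication policy rule changed",
    "user.account.privilege.grant": "admin privilege granted",
}
BUSINESS_HOURS_UTC = range(13, 23)      # assumption: 08:00-17:59 US Eastern


def parse_ts(s):
    """Okta publishes ISO 8601 UTC timestamps such as 2023-09-10T03:12:44.000Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(events, known_ips, reset_window=timedelta(hours=1)):
    """Return alerts oldest first. known_ips maps an identity to its baseline source IPs."""
    alerts, recent_resets = [], {}       # recent_resets: user -> time of last MFA reset
    for e in sorted(events, key=lambda ev: ev["published"]):
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue                       # failures are noisy and tuned separately
        etype, actor = e["eventType"], e["actor"]["alternateId"]
        ip, ts = e["client"]["ipAddress"], parse_ts(e["published"])
        targets = [t["alternateId"] for t in e.get("target", []) if t.get("type") == "User"]
        new_ip = ip not in known_ips.get(actor, set())
        base = {"published": e["published"], "eventType": etype, "actor": actor,
                "targets": targets, "ip": ip}
        if etype in HIGH_RISK_EVENTS:
            factors = []
            if new_ip:
                factors.append(f"source IP {ip} not in baseline for {actor}")
            if ts.hour not in BUSINESS_HOURS_UTC:
                factors.append(f"outside business hours ({ts:%H:%M} UTC)")
            alerts.append({**base, "severity": "high" if factors else "medium",
                           "reason": HIGH_RISK_EVENTS[etype], "factors": factors})
            if etype.startswith("user.mfa."):
                for user in targets:
                    recent_resets[user] = ts
        elif etype == "user.session.start":
            last = recent_resets.get(actor)  # for a sign-in, the actor is the account itself
            if last is not None and ts - last <= reset_window and new_ip:
                alerts.append({**base, "severity": "high",
                               "reason": "sign-in from new IP shortly after MFA reset",
                               "factors": [f"MFA reset at {last:%H:%M} UTC, sign-in from {ip}"]})
    return alerts


# Constructed records in Okta System Log shape (fields trimmed to those used above).
SAMPLE_EVENTS = json.loads("""[
 {"published":"2023-09-10T03:10:02.000Z","eventType":"user.mfa.factor.reset_all",
  "actor":{"type":"User","alternateId":"helpdesk.admin@example.com"},
  "client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"FAILURE"},
  "target":[{"type":"User","alternateId":"jsmith@example.com"}]},
 {"published":"2023-09-10T03:12:44.000Z","eventType":"user.mfa.factor.reset_all",
  "actor":{"type":"User","alternateId":"helpdesk.admin@example.com"},
  "client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"},
  "target":[{"type":"User","alternateId":"jsmith@example.com"}]},
 {"published":"2023-09-10T03:20:10.000Z","eventType":"user.session.start",
  "actor":{"type":"User","alternateId":"jsmith@example.com"},
  "client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"},"target":[]},
 {"published":"2023-09-10T03:25:00.000Z","eventType":"system.idp.lifecycle.create",
  "actor":{"type":"User","alternateId":"helpdesk.admin@example.com"},
  "client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"},
  "target":[{"type":"IdentityProvider","displayName":"corp-saml-backup"}]},
 {"published":"2023-09-10T09:00:00.000Z","eventType":"user.session.start",
  "actor":{"type":"User","alternateId":"jsmith@example.com"},
  "client":{"ipAddress":"203.0.113.50"},"outcome":{"result":"SUCCESS"},"target":[]},
 {"published":"2023-09-10T14:05:00.000Z","eventType":"user.account.reset_password",
  "actor":{"type":"User","alternateId":"helpdesk.admin@example.com"},
  "client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"},
  "target":[{"type":"User","alternateId":"jsmith@example.com"}]}
]""")
KNOWN_IPS = {"helpdesk.admin@example.com": {"203.0.113.10"},
             "jsmith@example.com": {"203.0.113.50"}}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, KNOWN_IPS), indent=2))
```

On the sample, the 03:12 MFA reset, the 03:20 sign-in from the same unknown address, and the 03:25 identity provider creation all come out as high severity, while the daytime password reset from the administrator's usual address is a medium-severity review item; the 09:00 sign-in from the user's baseline address, more than an hour after the reset, produces nothing. In production the same logic runs against the System Log API or a SIEM export, and the baseline should be rebuilt periodically rather than hard-coded.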
Key Takeaways
- Scattered Spider rarely needs a software vulnerability. They exploit help desk procedures and identity provider configurations, which makes perimeter and endpoint controls largely irrelevant to their initial access.
- The 0ktapus, UNC3944, Muddled Libra, Octo Tempest, and Scattered Spider designations all refer to the same core group. The naming confusion in vendor reports should not distract from the consistent TTP pattern.
- Compromising an Okta administrator account cascades to every application federated through that Okta tenant. The identity provider is the attack surface multiplier.
- Phishing-resistant FIDO2 MFA (hardware keys) defeats SIM swapping, MFA fatigue, and credential-relaying phishing kits at the authentication step. SMS one-time passwords and TOTP do not. The keys only hold if weaker fallback factors are removed from policy and if the help desk will not enroll a new authenticator for an unverified caller.
- ZPA's mandate of verifying every access request, regardless of source or claimed identity, directly addresses the Scattered Spider attack pattern. Help desks that operate outside ZPA controls are a critical IAT gap regardless of every other technical control in place.
Related Articles
- Zero Possession Architecture (ZPA) [IAT-ZPA-001]
- Identity and Access Management (IAM) [IAT-001]
- Multi-Factor Authentication: Types and Tradeoffs [IAT-MFA-001]
- MFA Fatigue Attacks [TH-mfa-fatigue]
- ALPHV/BlackCat Ransomware Group [TH-alphv-blackcat]
Sources
Mandiant. "UNC3944: SMS Phishing and SIM Swapping for Profit." Mandiant Threat Intelligence, 2023.
Palo Alto Unit 42. "Muddled Libra." Palo Alto Unit 42 Threat Research, 2023.
CISA. "Cybersecurity Advisory: Scattered Spider." Advisory AA23-320A, November 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
MGM Resorts International. Form 8-K filed with the U.S. Securities and Exchange Commission, September 2023.
Caesars Entertainment. Form 8-K filed with the U.S. Securities and Exchange Commission, September 2023.