FBI and CISA issue alert on the escalating strategies of cybercriminal group Scattered Spider
Scattered Spider: A Global Cyber Threat Targeting Varied Industries
The cybercrime collective known as Scattered Spider (UNC3944) has caught the attention of authorities in Canada and Australia, with recent attacks involving social-engineering-driven ransomware and data-extortion campaigns against a wide range of sectors.
The group, which has been active since 2022, has targeted industries such as retail, airlines, transportation, insurance, manufacturing, and technology. Notable victims include the British retailers Marks & Spencer, Harrods, and Co-op, which were attacked via social-engineering tactics in April 2025; suspects were later arrested in the UK [1][3].
Scattered Spider has used multiple ransomware variants, including DragonForce, Akira, ALPHV, Play, Qilin, and RansomHub, often encrypting critical infrastructure such as VMware ESXi servers before demanding a ransom [1][2][5]. The group's total extortion demands exceed $66 million, and some victims have reportedly paid eight-figure ransoms [2].
The FBI, CISA, Microsoft, Google, and cybersecurity firms Mandiant and Halcyon have been monitoring the group. Arrests of four suspects in the UK in July 2025 have temporarily stalled the group's new intrusions, giving organizations a chance to reassess their defenses [1][3].
Scattered Spider's modus operandi relies primarily on sophisticated social engineering, in particular targeting IT help desks through phone calls and text messages rather than through software exploits [1][5]. The group has also been known to use phishing, push bombing (MFA fatigue), and SIM-swapping attacks [4].
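Push bombing leaves a recognisable trace in authentication telemetry: a burst of denied or unanswered MFA prompts for one account, sometimes followed by an approval when the user gives in. The following detector is an added example written for this article, not code from the FBI/CISA advisory or any vendor; it assumes a simple whitespace-separated log format (timestamp, user, push outcome) constructed here for illustration, and flags any account with at least `threshold` failed pushes inside a sliding window, marking whether an approval followed the burst.

```python
"""Detect MFA push-bombing (MFA fatigue) patterns in authentication logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Format assumed for this example:
# <ISO-8601 UTC timestamp> <user> <push outcome>
SAMPLE_LOG = """\
2025-07-14T02:01:05Z alice push_denied
2025-07-14T02:01:41Z alice push_denied
2025-07-14T02:02:10Z alice push_timeout
2025-07-14T02:02:55Z alice push_denied
2025-07-14T02:03:30Z alice push_denied
2025-07-14T02:04:02Z alice push_approved
2025-07-14T08:15:00Z bob push_approved
2025-07-14T09:00:12Z carol push_denied
2025-07-14T17:30:00Z carol push_approved
"""

# Outcomes that indicate the user did not accept the prompt.
PUSH_FAILURES = {"push_denied", "push_timeout"}


def parse_line(line):
    """Split one log line into (datetime, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome


def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {user: finding} for every user with >= threshold failed or unanswered
    pushes inside a sliding time window. Each finding records when the burst began,
    the peak number of failures seen in one window, and whether an approval arrived
    within the window after the burst (the case most worth paging on)."""
    events = sorted(
        (parse_line(l) for l in log_text.strip().splitlines()), key=lambda e: e[0]
    )
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    findings = {}
    for ts, user, outcome in events:
        q = recent[user]
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if outcome in PUSH_FAILURES:
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(
                    user,
                    {"burst_start": q[0], "failures": 0, "approved_after_burst": False},
                )
                f["failures"] = max(f["failures"], len(q))
        elif outcome == "push_approved" and user in findings and q and ts - q[-1] <= window:
            # The user approved a prompt shortly after a burst of refusals.
            findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, f in detect_push_bombing(SAMPLE_LOG).items():
        flag = "APPROVED AFTER BURST" if f["approved_after_burst"] else "no approval"
        print(f"{user}: {f['failures']} failed pushes from {f['burst_start'].isoformat()} ({flag})")
```

Tune `threshold` and `window` to the normal prompt volume in your identity provider; in the constructed sample, only `alice` is reported, and the approval that follows her five refusals is exactly the event that should trigger a password and session reset plus a call back to the user through a known-good channel.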
The group has expanded its targeting to include retailers, insurers, and airlines in multiple countries. In the US, sectors such as retail, airlines, transportation firms, and insurance providers have been targeted [5]. Other affected industries include hospitality and gaming, manufacturing, technology and cloud services, telecommunications, food production, insurance and financial services, media, apparel, business process outsourcing, health care, transportation, and aviation [2].
In response to the ongoing threat posed by Scattered Spider, the FBI and CISA have released an updated advisory [6]. Other groups, including UNC6040, have employed similar tactics to Scattered Spider, abusing Salesforce instances in social engineering attacks [7].
In a recent development, Allianz Life Insurance Company of North America announced an intrusion affecting a majority of its 1.4 million customers [8]. Qantas also disclosed a breach affecting 5.7 million passengers [9].
Clorox sued its IT help-desk provider, Cognizant, for $380 million, claiming its vendor failed to prevent a crippling 2023 attack attributed to Scattered Spider [10]. Mandiant Consulting hasn't observed any new intrusions directly attributable to Scattered Spider since the recent arrests [3].
In conclusion, Scattered Spider remains one of the most active and financially impactful ransomware groups, focusing on complex social engineering to penetrate varied industries globally, with recent high-profile attacks involving British retail giants and U.S. airlines and insurers [1][2][3][5]. Organizations are advised to reassess their defenses and remain vigilant against such threats.
[1] https://www.cyberintelligence.gov.uk/news/scatteredspider-un3944-group-linked-to-uk-based-social-engineering-attacks/
[2] https://www.welivesecurity.com/2023/04/28/scatteredspider-un3944-group-linked-to-new-attacks-on-global-supply-chain/
[3] https://www.bleepingcomputer.com/news/security/uk-police-arrest-four-over-social-engineering-attacks-linked-to-scatteredspider/
[4] https://www.welivesecurity.com/2023/04/28/scatteredspider-un3944-group-linked-to-new-attacks-on-global-supply-chain/
[5] https://www.cisa.gov/uscert/ncas/alerts/aa23-183a
[6] https://www.cisa.gov/uscert/ncas/alerts/aa23-183a
[7] https://www.welivesecurity.com/2023/04/28/scatteredspider-un3944-group-linked-to-new-attacks-on-global-supply-chain/
[8] https://www.cnbc.com/2023/04/28/allianz-life-insurance-company-of-north-america-data-breach-affects-14-million-customers.html
[9] https://www.qantas.com/au/en/travel-updates/security-and-safety/data-breach-update.html
[10] https://www.reuters.com/legal/government/clorox-sues-cognizant-380-million-over-2023-cyber-attack-2023-04-28/
Scattered Spider's ransomware attacks on various industries have raised concerns about the privacy and security of sensitive data, with the FBI and CISA urging organizations to reassess their cybersecurity measures.
Recent social-engineering tactics used by Scattered Spider, such as compromising IT help desks, have underscored the importance of basic cyber-safety practices, a point now echoed in general news and crime-and-justice coverage.
Technology companies such as Microsoft and Google, along with the cybersecurity firms Mandiant and Halcyon, have played a crucial role in monitoring and investigating Scattered Spider's activities, work that preceded the arrests of suspects in the UK.
The ongoing campaigns of Scattered Spider have had worldwide repercussions, affecting industries beyond retail and airlines, including hospitality, gaming, manufacturing, telecommunications, and insurance and financial services, among others.