Threat Intelligence Tarot
Major Arcana · 18
Criminal (Anglophone, primarily US/UK teens)
G1015 · ★★★★★
risk 4/5
✦ The Shape Shifter ✦
Scattered Spider
UNC3944 · Muddled Libra · Octo Tempest · 0ktapus
BPO firms · Telecom · Hospitality · Gaming · Identity providers
Active since ~2022 · Financial theft, SIM swapping, Ransomware deployment, Social clout
It picks up the phone, says it's from IT, and asks your help desk to reset the CEO's MFA. It speaks your company's internal language because it researched your org chart on LinkedIn first. It does not look like a threat actor. It sounds like a colleague.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- MGM Resorts attack - $100M+ impact, 10-minute social engineering call
- Caesars Palace $15M ransom paid
- Twilio and Cloudflare phishing campaign (2022)
- 0ktapus campaign - 130+ companies via Okta credential phishing
Defenses
- Phishing-resistant MFA (FIDO2) eliminating OTP/push (NIST SP 800-63B)
- Strict help desk identity verification protocols for account changes (CIS Control 6)
- SIM swap protections with carrier accounts (FCC guidance)
- Privileged action approval workflows with out-of-band verification (CIS Control 5)
Reversed: Their Weakness
Scattered Spider's reliance on vishing and social engineering means that a well-trained, skeptical help desk is its most powerful counter. Its members - many teenagers - have been identified and arrested through standard law enforcement channels.
Data sourced from MITRE ATT&CK. For educational purposes.