CyberWire Daily - Creeping like a spider. [Research Saturday]
Episode Date: July 19, 2025

This week, we are pleased to be joined by George Glass, Associate Managing Director of Kroll's Cyber Risk business, as he is discussing their research on Scattered Spider and their targeting of insurance companies. While Scattered Spider has recently turned its attention to the airline industry, George focuses on the broader trend of the group's industry-by-industry approach and what that means for defenders across sectors. George and Dave discuss the group's history, their self-identification as a cartel, and their increasingly aggressive tactics, including the use of fear-based social engineering, physical threats, and the recruitment of insiders at telecom providers. They also examine how organizations, especially those with vulnerabilities similar to past targets, can proactively defend against this threat and prepare an effective response if their industry becomes the next focus. Complete our annual audience survey before August 31.
Transcript
You're listening to the CyberWire Network, powered by N2K.

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Well, we've been tracking Scattered Spider for a number of years now. We refer to them internally as KTA 243. We track it more as an associated group of individuals that tend to use social engineering. We've been tracking them since about at least 2023. But this year, they've obviously made quite a bit of a splash, especially here in the UK with their attacks on UK retail. And since then, moving on to the insurance industry and most recently the aviation sector as well.

That's George Glass, Associate Managing Director of Kroll's cyber risk business. The research we're discussing today concerns Scattered Spider and their targeting of insurance companies.

[♪ music playing, fades out]
Well, for folks who might not be familiar with Scattered Spider, can you give us a little bit of the history and how they've become so prominent?

Yes, of course. The group is loosely affiliated with an online community referred to as the Com. And it's essentially a group of cybercrime actors. Many of them are recruited from Roblox, Minecraft, things like that. Many of them may have been victims of cybercrime themselves and that's how they get integrated into this group. More recently, the group has been demonstrating their capabilities with social engineering with a lot more effect, especially targeting call centers for password resets and things like that. They've also shown that they are more than happy to use ransomware now, which I think is a fairly big change-up since when we first started tracking the group. So certainly open to change, and makes them all the more interesting for the tracking.
And what is their general goal here? Are they looking to profit? Is it an espionage group? What are they doing?

Yeah, I would say on the whole it's for financial gain. I think there is also a certain amount of kudos within the community as well, that they would be more than happy to sort of show off that they're performing these attacks successfully. But I think on the whole, especially in more recent months, it's for financial gain first and foremost.

Well, as your research points out, it seems as though Scattered Spider targets one industry at a time. Why do you suppose they would adopt this kind of focused approach?

It's a very interesting question. It's hard to say. I would imagine it's because many of the industries they target in clusters work the same way. They tend to share third-party suppliers also. And they tend to have an affiliation with each other, which maybe means that they can get some lateral movement from attacking one organization. They can potentially move into another. But it is hard to say for certain. And I would say a lot of that is probably driven by events in the news, quarterly reporting and things like that. And access that they may be able to buy or provision to each other to then further attack an organization, deploy ransomware and so on and so forth.
Well, your research focuses specifically on the insurance industry. Can you take us through how they approach that industry and what you discovered?

Yes, from what we can tell, the modus operandi hasn't really changed too much from the attacks that we saw on the UK retail sector. So that is essentially socially engineering a help desk person to reset a password, change an MFA method, something like that. Typically, that would take three or four social engineering calls to conduct. The first one may be, what do I need to reset my password? How do I reset it? I'm a new joiner, how do I do that? Oh, you need this bit of information or X bit of information, Y bit of information. Okay, thank you very much, hang up the call. On the next call, they will be able to solicit that information from the help desk employee. Then on the third or fourth or maybe even the fifth call, they'll be able to use that to gain access to that particular user account. And then from there, it would take the course of any sort of typical business email compromise, quickly looking for relevant information, things like information on VPNs, remote login protocols, things like that, that they can then use to further their attack.
And once they have that information, is it ransomware, is it double extortion, what do they do?

I think first and foremost, their goal would be to exfiltrate as much information as possible. We've seen them be able to pivot in an environment incredibly quickly, start downloading things from SharePoint files, from S3 buckets and things like that if they get into a cloud environment. And then from there, once they've exfiltrated as much data as they can, they may move to deploying ransomware. But because these are identity-based attacks, they're not deploying malware immediately. What we see is it's deployed as a coup de grace just before the encryption happens and the ransomware deployment happens. The rest of the time, they're just leveraging the access that they've already managed to get and blend in with the environment as much as possible using RMM tools like AnyDesk and ConnectWise and so on and so forth.
How do they compare to some of the other threat groups that you track in terms of their sophistication?

That's a really good question. I think because the group is so widespread, it's hard to give them a sort of a sophistication score. You know, I don't think they're going to be developing their own malware to use as part of these attacks. I think they would be sort of in that consumer-grade sector of malware. But nevertheless, they've shown huge amounts of proficiency in targeting SaaS environments and cloud environments especially. And as I said, they're very quick to move. They know what they're after as soon as gaining access. I think they're very well aware of defensive capabilities as well and how quickly a SOC team would be able to detect some of this activity. So they move very, very quickly and they move straight to their actions and objectives, especially as it comes to exfiltration. And then like I said, maybe then there's a handoff to an operator that is more comfortable deploying ransomware.

We'll be right back.
Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of ten data breaches, and once inside, they're after one thing: your data. Varonis's AI-powered data security platform secures your data at scale. Across IaaS, SaaS, and hybrid cloud environments, join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.
And we'll see you next time.
Bye.
Crogl is AI built for the enterprise SOC. Fully private, schema-free, and capable of running in sensitive, air-gapped environments, Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at Crogl.com. That's C-R-O-G-L dot com.

What do we know about the group themselves? I've seen that they refer to themselves as a cartel. What does this mean in the cybercrime context?
So I think really that their affiliation with each other is fairly broad. As I say, they're part of this community called the Com. And especially when they're using DragonForce, that's following a cartel model where it's a group of groups, if you will, that have sort of aligned to work together, share TTPs, share malware, and so on and so forth. The idea that there's a collection of individuals that are consistently conducting these attacks, I think is maybe not stated quite accurately. There's probably hundreds of people in this group. Many of them are sort of chancing it again and again, but with sort of significant amounts of learning as they go. The group is sort of well known to be English-speaking and certainly in the cases that we've worked they speak English well. I wouldn't say that they were native English speakers, but of course there's been some arrests attributed to the Scattered Spider group that are British nationals, US nationals, Canadian nationals. So I think that just goes to sort of underline the fact that there's a very widespread group of individuals, many of them young men, and they have a fairly wide range of capabilities.
You mentioned that you wouldn't expect to see them developing their own tools. What sort of tools are they using?

On the whole, they're using commodity malware when they do need to use malware. So that would be things like information-stealing malware, like Lumma Stealer or StealC, but mostly they're living off the land and using things like PowerShell if they do need to touch an endpoint and using commercial remote access tools, things like AnyDesk, ConnectWise ScreenConnect. All of those tools actually allow them to evade detection a lot easier because, you know, they would understand what tools are already deployed in the environment and they would know what would look abnormal and what would look potentially normal to a defender. So on the whole, they leverage the tools that are already there and they would leverage the identity that they have access to to target cloud and SaaS environments very, very quickly, pilfering things from Slack messages, email inboxes, and as I mentioned before, S3 buckets and so on.
Your research focuses on the insurance industry, and we've seen recent reports that perhaps Scattered Spider's now targeting the airlines. I'm curious, based on the information you gathered and the insights that you have looking at their focus on the insurance industry, what would your recommendations be for other industries if they find themselves the focus of Scattered Spider's efforts?

So there's a few recommendations that I think are more to do with hardening an environment first. Namely, first of all, that's going to be talking to your help desk staff. I want to be really clear. A lot of the time help desk staff are just trying to be helpful, you know, but there's a policy to be followed, and monitoring that that policy is kept to and adhered to is very, very important because that's typically the first way that Scattered Spider would try to gain initial access. That training also follows for general users. The group has a wide array of techniques that they can use to change a multi-factor method or phish someone for credentials. So again, training employees to be aware of what those signs of attack look like so that they can be reported. And then thirdly, being able to detect that activity as well. Things like identifying token theft, identifying when someone has clicked a phishing link and has potentially submitted their credentials and things like that. Those would definitely be the places that I would start.
You know, you mentioned that we've seen Scattered Spider attract the attention of law enforcement. There have been some arrests. Do we suspect that this is going to have an effect on their overall operations here, or is it the kind of group that seems to be able to evolve and continue operating?

In our research, I don't think that we've identified sort of kingpins or direct leaders, but there are certainly what are referred to in the community as olders that have a lot of knowledge, they're very skilled and they would sort of proliferate that knowledge to the rest of the teams. I think any law enforcement action against this group is welcome and I hope that more of them can be brought to justice. It's just a case of being able to identify when one of these individuals makes an operational security mistake or indeed is in a country that can lead to extradition or arrest.
Yeah, it's interesting to me how you describe them as being kind of diffuse. You know, it's a lot of people with loose affiliations.

Yes, sir. Yeah, absolutely. I think CrowdStrike did a good job on the naming there. The scattered in Scattered Spider, I think, refers to that. It's an interesting sort of additional movement, like Anonymous was back in the day. It's easy to say that you're part of Anonymous, because it's an anonymous group of individuals. I think the community in Scattered Spider is more closely knit than that, but certainly not as tight as other threat groups that we would track, which have very consistent TTPs. You can do attribution to a certain individual a lot of the time. That's not always possible with Scattered Spider. I think a lot of the reporting is mostly being attributed to the TTPs that are being observed rather than individuals that they know are behind the attacks.
Our thanks to George Glass, Associate Managing Director of Kroll's Cyber Risk Business, for joining us. The research is about Scattered Spider and their targeting of insurance companies. We'll have a link in the show notes.

That is Research Saturday, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

And now, a word from our sponsor ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
