Organizations must urgently update their defenses to protect against tactics deployed by the Scattered Spider hacking collective this year, according to experts speaking during the Gartner Security & Risk Management Summit 2025.
A particular focus should be placed on identity tools and controls, security processes and third-party risk management to tackle the novel and highly effective techniques used by the group.
During a session at the Summit, George Glass, associate manging director at risk advisory company Kroll, discussed Scattered Spider’s highly successful approach in compromising high profile targets from April to July 2025.
The group, affiliated to The Com online criminal network, was linked to a number of attacks on retailers in April and May, including Marks & Spencer (M&S), the Co-op and Harrods.
It then switched focus to the insurance sector in June, and later in the month to the transportation industry. Attacks have followed the same playbook, with the techniques highly effective in accessing sensitive data and deploying ransomware.
Glass noted that the group has been known to have used threats of physical violence to executives as an extortion tactic.
Since then, Scattered Spider’s activity has significantly reduced, which Glass attributed to law enforcement actions, including the arrest of suspected members of the outfit in July and internal “infighting.”
With other actors, such as ShinyHunters, using similar tactics to Scattered Spider to great success, it is vital that organizations update their security measures to tackle the tactics employed.
Experts believe that there are many overlaps and cooperation between The Com affiliated groups such as Scattered Spider and ShinyHunters.
For example, the recent cyber-attack on car manufacturing giant Jaguar Land Rover (JLR) was claimed by a group calling itself “Scattered Lapsus$ Hunters,” suggesting a possible collaboration between Scattered Spider, ShinyHunters and Lapsus$.
How Scattered Spider Operates: A Case Study
Glass provided insights into a Scattered Spider attack on a Kroll client, which the firm was ultimately able to stop.
The attack began with the threat actor calling the target’s IT helpdesk, claiming to be an employee who was locked out of their account.
Once the password was reset, Scattered Spider sought to bypass the user’s multifactor authentication (MFA) using “push notification fatigue” – bombarding users with mobile phone push notifications until the user either approves the request by accident or to stop the notifications.
After gaining access to the account, the attacker quickly changed the devices MFA codes are sent to.
From there, Scattered Spider moved quickly to gain access to sensitive systems on the network, leveraging further social engineering techniques.
“In some cases, in less than an hour they have been through SharePoint, they’ve captured very important information there,” Glass noted.
In this particular occurrence, the actors gained access to an Okta account and then used Slack for internal spear phishing.
This led to the attacker deploying a remote access tool and the AveMaria remote access trojan (RAT) to steal further credentials. Glass noted that Scattered Spider doesn’t deploy malware and other tools “until absolutely necessary.”
Through this process, they stole a LastPass login token, resulting in eight secret access keys being compromised.
At this point, Kroll were able to stop the attack before the threat actors gained access to the victim’s system This would likely have involved scouring the victim’s AWS environment for S3 buckets, exfiltrating sensitive information and deploying ransomware, according to Glass.
How to Protect Against Scattered Spider Attacks
Experts set out three key areas organizations should focus on to tackle the techniques used by Scattered Spider.
Identity Based Protection and Response
Bill Sawyer, managing director at Kroll noted that identity is key to Scattered Spider’s entry into organizations, aiming to capture passwords and MFA.
“Applying identity protection that is more mature than username and password is very important,” Sawyer said.
This includes ensuring all software-as-a-service (SaaS) applications are connected to single sign on (SSO).
He also recommended that organizations use number matching MFA codes, as these are harder for attackers to capture.
Detection and response are also heavily linked to identity. For example, security teams should ensure they are able to quickly detect if a user is using tokens in unusual way.
Update Processes to Tackle Social Engineering
Sawyer also noted that social engineering is a major part of Scattered Spider’s playbook – from using vishing to impersonate employees to using internal slack channels to request users do things they wouldn’t normally do.
He said it was important to introduce more “friction” into processes to try and tackle these techniques. This could include making employees go onto a video call or in person to the IT helpdesk to request a password reset.
Third Party Risk Management
Scattered Spider’s attacks typically involve the targeting of victims’ technology vendors, such as SSO and other identity providers, to gain access to systems.
As a result, organizations must ensure they are working effectively with their vendors on countering any third-party attacks.
Speaking to Infosecurity during the Gartner Summit, Debbie Janeczek, global chief information security officer at ING, emphasized the need to have a close relationship with vendors to be quickly alerted to any potential incident.
“I have vendors that will text me and say ‘hey check your email, we’ve been breached and this is how it affects you’. If you don’t have that partnership, you won’t get the immediate flag that you need to look at something,” she explained.
Janeczek also advised firms to closely monitor disclosed incidents affecting other organizations, understanding the tactics employed and updating defenses accordingly.
“You have to watch the tactics, techniques and procedures (TTPs) for yourself,” she noted.
