In August 2022, workers at Twilio began receiving text messages purporting to be from their company’s IT department. The texts claimed that their passwords had expired, or that their schedule had changed, and that they needed to log in to their work accounts.
A link was provided that took them to a landing page that looked identical to the sign-in page for the US communications company. It was convincing enough that several employees fell for the scam, leading to the data of roughly 125 customers being compromised.
The scale was small but the attack was notable for its sophistication. It formed part of a series of successful attacks on telecom companies that year, which soon spread to casinos in 2023, and then onto industries spanning telecom, finance, gaming, hospitality and retail.
The group of hackers, who became known as Scattered Spider, has caused hundreds of millions of pounds worth of damage, with high-profile targets in the UK including M&S and Co-op.
On Friday, the FBI issued an alert warning that Scattered Spider was now turning its focus to US airlines. So who exactly are they, and how have they been able to wreak such havoc?
Who are Scattered Spider?
The group is believed to have formed through online hacker forums, made up of mostly English-speaking teenagers based in the UK and US.
A comprehensive profile of the cyber criminals, compiled by Melissa DeOrio at the cyber security consultancy firm S-RM, revealed the group’s origins, behaviours and members.
The report, shared with The Independent, describes Scattered Spider as “a set of predominantly native English-speaking cybercriminals – some as young as 16 – who have emerged from a set of underground hacking groups known collectively as ‘The Community’ or ‘The Com’.”
Referred to as “big game hunters”, the group has hit a broad spectrum of targets, with more than 100 firms falling victim to its social engineering attacks.
“Scattered Spider is a loose affiliation of individuals rather than a cohesive criminal outfit; it lacks a clearly-defined hierarchy and does not maintain a ‘brand’ in the manner of ransomware operators like Akira or LockBit,” the S-RM report states. “Group members appear to be motivated by both money and notoriety.”
In 2024, at least seven Scattered Spider members were arrested, including the alleged leader Tyler Buchanan. The 23-year-old UK national was arrested at an airport in Spain last June while trying to fly to Italy.
Despite the arrests, attacks from Scattered Spider have continued to escalate in the months since.
How they operate
Scattered Spider typically targets an organisation’s IT helpdesk by posing as one of its employees, using publicly available information about that person found online.
S-RM’s report notes that the employees targeted are usually mid-level IT personnel and network engineers.
“The group can convince helpdesk staff to quickly reset employee accounts,” the report notes. “In some cases the group also purchases account access from initial access brokers on the dark web.”
This type of social engineering attack exploits what some security researchers refer to as the main vulnerability of most major organisations: people.
By tricking individuals, the attackers are able to bypass multi-million pound security systems simply by resetting a login.
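The helpdesk-reset pattern described above can be triaged from audit data. The following is an added example, not code from S-RM or The Independent: it scores constructed helpdesk reset events on three indicators the pattern implies (the account belongs to IT or network-engineering staff, the reset was completed quickly, and the caller was verified only with details an impostor could find online). The log format, field names, group names and verification-method names are assumptions for the example.

```python
"""Flag helpdesk password resets that match the Scattered Spider pattern:
a reset on an IT/network-engineering account, completed quickly, verified
only with information available online. Log format is constructed."""
import json
from datetime import datetime

# Assumptions: which groups count as high-value targets and which
# verification methods cannot be satisfied with publicly known details.
HIGH_VALUE_GROUPS = {"it-ops", "network-engineering", "helpdesk-admins"}
STRONG_VERIFICATION = {"callback-number-on-file", "manager-approval", "in-person"}
QUICK_RESET_SECONDS = 300  # "quickly reset": under five minutes from request

# Constructed sample audit events, one JSON object per line.
SAMPLE_LOG = """\
{"ticket":"T-101","opened":"2025-06-27T09:00:00","reset_at":"2025-06-27T09:03:00","agent":"hd.alice","target":"net.eng1","groups":["network-engineering"],"verification":"employee-id-and-dob"}
{"ticket":"T-102","opened":"2025-06-27T09:10:00","reset_at":"2025-06-27T09:40:00","agent":"hd.bob","target":"sales.jo","groups":["sales"],"verification":"callback-number-on-file"}
{"ticket":"T-103","opened":"2025-06-27T09:15:00","reset_at":"2025-06-27T09:16:00","agent":"hd.alice","target":"it.admin2","groups":["it-ops"],"verification":"callback-number-on-file"}
"""


def score_event(event: dict) -> list[str]:
    """Return the risk indicators that fire for one reset event."""
    reasons = []
    if HIGH_VALUE_GROUPS & set(event["groups"]):
        reasons.append("high-value-account")
    opened = datetime.fromisoformat(event["opened"])
    reset_at = datetime.fromisoformat(event["reset_at"])
    if (reset_at - opened).total_seconds() < QUICK_RESET_SECONDS:
        reasons.append("reset-within-5-minutes")
    if event["verification"] not in STRONG_VERIFICATION:
        reasons.append("weak-verification")
    return reasons


def triage(log_text: str, min_indicators: int = 2) -> dict[str, list[str]]:
    """Map ticket id -> indicators for events hitting at least min_indicators."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = score_event(event)
        if len(reasons) >= min_indicators:
            hits[event["ticket"]] = reasons
    return hits


if __name__ == "__main__":
    for ticket, reasons in triage(SAMPLE_LOG).items():
        print(f"{ticket}: review required ({', '.join(reasons)})")
```

Tickets that fire two or more indicators are the ones worth an out-of-band callback to the employee before the reset is trusted.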
These attacks have become increasingly common in recent years with the rise of generative artificial intelligence, which allows cyber criminals to quickly create targeted campaigns without being hindered by language barriers or writing skills.
“[Scattered Spider] attacks show that no matter how much is spent on cyber defences, people remain a critical line of defence,” Kev Breen, senior director of cyber threat intelligence at Immersive, told The Independent.
“Even experienced IT staff can fall for social engineering, especially when tired, so targeted, cyber skills development for all employees is essential.”