💰💣

Scattered Spider Security Incident

2024-2025 464 days ago Resolved

Incident Overview

Situation Description

The notorious Scattered Spider cyber criminal group is evolving its tactics, techniques, and procedures (TTPs) in 2025 to bypass security controls like MFA and take over accounts on internet applications and services.

Event Types

Ransomware Malware / Destructive Attack

Industry Sector

Hospitality

Geographic Scope

Global

Response Actions

Isolated Compromised Systems Took Systems or Services Offline Restored Systems from Secure Backups Engaged Third-Party Forensic Investigators Conducted Threat Hunting & Eradication Fulfilled Formal Breach Disclosure Obligations Notified Affected Individuals & Entities Refused to Pay Ransom / Extortion Paid Regulatory Fines or Legal Settlements Offered Post-Breach Remediation Services Notified Law Enforcement Managed Public Narrative & Crisis Communications Revised Incident Response Plan Implemented Advanced Authentication Hardened Attack Surface Conducted Employee Training Shared Threat Intelligence Collaborated with Peers / Community Enhanced Third-Party & Supply Chain Risk Management

Impact Analysis

Event Types (2 identified)

Ransomware Malware / Destructive Attack

Financial Impact

$155,000,000 USD

Records Affected

Data Types Compromised

PII (Personally Identifiable Information) Financial Data (Credit Cards, Bank Accounts) Operational / System Data

Primary Impacts

Financial Loss Data Exposure Operational Disruption Reputational Damage Legal/Regulatory Penalties

Key Decisions Made

Scattered Spider socially engineered MGM Resorts helpdesk personnel to bypass MFA and log into accounts.; Scattered Spider targeted accounts with Super Administrator privileges within MGM Resorts Okta tenant to register an attacker-controlled IdP via inbound federation.; Scattered Spider deployed ransomware to around 100 ESXi servers and exfiltrated data after compromising MGM Resorts' Okta tenant.

Technical Analysis

Attack Method

Social Engineering

Threat Actor Attribution

Scattered Spider 0ktapus Octo Tempest Scatter Swine Muddled Libra UNC3944 ShinyHunters Lapsus$ Yanluowang Karakurt DragonForce RansomHub Qilin

Vulnerability / Tool

MFA Bypass Okta VMware ESXi

Additional Information

Blog / Identity-based attacks Scattered Spider: TTP evolution in 2025 Dan Green Content & Research May 6, 2025 | 15 min read Share this post Identity-based attacks Detection & response How the notorious Scattered Spider cyber criminal group are evolving their TTPs in 2025 to bypass security controls like MFA and take over accounts on internet applications and services. Background: Who are Scattered Spider? Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) is a native English speaking, financially motivated criminal collective known for high-profile cyber breaches in recent years, including MoneyGram, Transport for London, Caesars, MGM Resorts, Clorox, DoorDash, Twilio, Reddit, Coinbase, MailChimp, Okta, HubSpot, Cloudflare, Activision, Pure Storage, and the ongoing Marks & Spencer, Co-op, and Harrods incidents. Scattered Spider shares similar characteristics and TTPs with a number of named threat groups such as Lapsus$, Yanluowang, Karakurt , and ShinyHunters (behind the Snowflake attacks in 2024). With criminal hacker collectives being fluid in nature, Scattered Spider has also been associated with the Snowflake attacks attributed to the ShinyHunters group, which resulted in hundreds of millions of breached records from 9 public victims including AT&T, Ticketmaster, and Santander (with the full impact suggested to be around 165 organizations), monetized through ransom payments, extortion of individual victims, and resale of the data on criminal forums. Case study: MGM Resorts One of Scattered Spiders most notorious and well-documented attacks was that affecting MGM Resorts . Scattered Spider socially engineered MGM Resorts helpdesk personnel bypass MFA and log into accounts for which they had acquired valid login credentials for via credential phishing and historical infostealer compromises. They specifically targeted accounts with Super Administrator privileges within MGM Resorts Okta tenant, which they then...

... (truncated for display)

Quick Facts

Company:: Scattered Spider
Date:: 2024-2025
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: 6/05/2025

Source Information

Original Query

MGM Resorts class action lawsuit settlement details "Scattered Spider"

View Original Source

Timeline

Information Published

6/05/2025

Incident Occurred

2024-2025 (464 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats