CISA, along with the Federal Bureau of Investigation, Canadian Centre for Cyber Security, Royal Canadian Mounted Police, the Australian Cyber Security Centre’s Australian Signals Directorate, and the Australian Federal Police and National Cyber Security Centre, released an updated joint Cybersecurity Advisory on Scattered Spider.
The cybercriminal group has garnered greater attention for its targeting of commercial facilities, including many in the industrial sector. The advisory provides updated tactics, techniques, and procedures (TTPs) obtained through FBI investigations conducted through June 2025.
Scattered Spider threat actors have been known to use various ransomware variants in data extortion attacks, most recently including DragonForce ransomware. While Scattered Spider often changes TTPs to remain undetected, some TTPs remain consistent.
These actors frequently use social engineering techniques such as phishing, push bombing, and subscriber identity module swap attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication. There have also been multiple reports of attacks on help desks.
The Mitigations section of the Scattered Spider joint Cybersecurity Advisory offers critical infrastructure organizations and commercial facilities recommendations to fortify their defenses.
