{
	"id": "edd6ee69-cd54-4c0d-bbc7-d640b90ab92e",
	"created_at": "2026-04-06T00:19:22.105465Z",
	"updated_at": "2026-04-10T03:31:49.885573Z",
	"deleted_at": null,
	"sha1_hash": "26c4e95ac89f39a362a2943a3c46440105edc9ff",
	"title": "Scattered Spider group a unique challenge for cyber cops, FBI leader says",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 944532,
	"plain_text": "Scattered Spider group a unique challenge for cyber cops, FBI\r\nleader says\r\nBy Martin Matishak\r\nPublished: 2024-05-07 · Archived: 2026-04-05 20:48:03 UTC\r\nSAN FRANCISCO — The FBI must “evolve” if it hopes to successfully thwart a group of hackers who have\r\nwrought chaos on some of the largest companies in the U.S., according to a senior bureau official, who urged the\r\npublic to be patient as law enforcement fights the criminal network.\r\nThe hacking collective known as Scattered Spider drew international attention last year over its paralyzing\r\ncyberattacks on casino giants MGM Resorts and Caesars Entertainment. Identified by analysts in 2022, the\r\nhackers use social engineering to lure users into giving up their login credentials or one-time password codes to\r\nbypass multifactor authentication.\r\nOnce inside, the group — also known as Star Fraud, UNC3944, and Octo Tempest — establishes persistence in\r\nnetworks, living off the land as some nation-state hackers do, before they deploy ransomware or pilfer data and\r\nextort victims for ransoms.\r\n“We have to continue to evolve as they evolve. 
We have to innovate as they innovate,” Brett Leatherman, deputy\r\nassistant director of the FBI’s cyber division, told Recorded Future News during a sit-down interview at the RSA\r\nConference in San Francisco on Monday.\r\n“If you look at Scattered Spider, it is very consistent that we need private sector victims who have been\r\ncompromised by Scattered Spider to come forward quickly enough to provide us with information that would help\r\nus in that enforcement operation,” including new indicators of compromises and insight into technical\r\ninfrastructure.\r\n“If we can get that right away, we can sometimes use core authorized capabilities to go after that infrastructure and\r\ncollect new information that allows us to conduct a disruption operation,” he said.\r\nThe Scattered Spider network is an offshoot of a larger pool of online criminals who dubbed themselves \"the\r\nCommunity,\" or \"the Com.” The group’s size, expertise in social engineering and alleged coordination with\r\nRussian ransomware gangs like BlackCat/AlphV, pose a unique challenge for the FBI, which has increased its\r\noperational tempo against hacking groups over the last two years.\r\nThe bureau’s ultimate goal for such actions is to dismantle an adversary’s ability to reconstitute and target U.S.\r\nentities, he said.\r\nHowever, not all disruptions are equal, Leatherman admitted.\r\nFor instance, last year the U.S. and its allies announced they had eradicated a global network of computers\r\ninfected by malware that Russia's state security services allegedly used for nearly 20 years to steal secrets from\r\nhttps://therecord.media/scattered-spider-challenge-for-FBI\r\nPage 1 of 3\n\nWestern nations.\r\n“That operation has sustained …  meaning the Russians have not been able to reconstitute,” Leatherman said. 
“We\r\nreassess they haven't been able to reconstitute that capability since then.”\r\nMeanwhile, international authorities continue to shine a light on the notorious ransomware gang LockBit,\r\nunmasking and sanctioning its alleged leader on Tuesday — months after police hijacked the cybercriminal\r\ngroup’s dark web site and publicly shared information about its members. The LockBit operation had been going\r\non for two years, in one form or another.\r\nBut in the case of Scattered Spider, such tactics might not apply.\r\n“I don't know that I could answer that it's possible to dismantle” groups like Scattered Spider, Leatherman said,\r\ncomparing them to street gangs in major cities.\r\nWhenever law enforcement arrests individuals associated with such a group “there is a disruptive period of time\r\nwhere the gang is trying to figure out what happened,” he explained. \r\n“Some people are leaving as they don't want to be involved in any sort of enforcement action going forward. But\r\nthen you start to see others start to rise to the surface and engage in similar activity.\r\n“It's very difficult to dismantle large organizations like this. We will always endeavor to do it.”\r\nThe FBI has come under intense scrutiny for the seeming lack of action against the collection, save the January\r\narrest of a 19-year-old Floridian named Noah Urban on charges of stealing $800,000 in cryptocurrency.\r\n“There's always a demand to ask for the U.S. 
government to act,” Leatherman said, adding “there are actions we\r\nhave taken that are not currently public.”\r\nThe public should be “somewhat assured that even when they're not hearing about some of the disruption activity,\r\nwe are putting our best folks forward on that disruption — especially in a group like Scattered Spider,” he said.\r\n\r\nMartin Matishak\r\nis the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more\r\nthan five years at Politico, where he covered digital and national security developments across Capitol Hill, the\r\nPentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group\r\nand Inside Washington Publishers.\r\nSource: https://therecord.media/scattered-spider-challenge-for-FBI",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/scattered-spider-challenge-for-FBI"
	],
	"report_names": [
		"scattered-spider-challenge-for-FBI"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26c4e95ac89f39a362a2943a3c46440105edc9ff.pdf",
		"text": "https://archive.orkl.eu/26c4e95ac89f39a362a2943a3c46440105edc9ff.txt",
		"img": "https://archive.orkl.eu/26c4e95ac89f39a362a2943a3c46440105edc9ff.jpg"
	}
}