Updated Advisory on Scattered Spider Group

July 29, 2025

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation, Canadian Centre for Cyber Security, Royal Canadian Mounted Police, the Australian Cyber Security Centre’s Australian Signals Directorate, and the Australian Federal Police and National Cyber Security Centre, released an updated Joint Cybersecurity Advisory on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors.

Scattered Spider threat actors have been known to use various ransomware variants in data extortion attacks, most recently including DragonForce ransomware. While Scattered Spider often changes tactics, techniques, and procedures (TTPs) to remain undetected, some TTPs remain consistent. These threat actors frequently use social engineering techniques such as phishing, push bombing, and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication.

This advisory provides technical details and updated TTPs obtained through FBI investigations conducted through June. The authoring organizations encourage critical infrastructure organizations and commercial facilities to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Scattered Spider malicious activity.