In September 2023, MGM Resorts International — one of the largest casino and hospitality companies in the world — suffered a catastrophic cyberattack that shut down hotel reservation systems, slot machines, digital room keys, and payment processing across its properties for over a week. The estimated cost exceeded $100 million. The attackers? A loosely affiliated group of primarily English-speaking young adults who relied not on zero-days or custom malware, but on phone calls to the help desk.
Scattered Spider — also tracked as UNC3944, Octo Tempest, and 0ktapus — had become one of the most effective threat groups operating at the time, not because of their technical sophistication, but because they understood something fundamental: identity systems are the weakest link in enterprise security.
Who Is Scattered Spider?
Scattered Spider is a loosely organized threat group composed primarily of young adults and teenagers, many based in the United States and United Kingdom. The group coalesced from online communities, particularly within Telegram and Discord channels focused on SIM swapping and social engineering.
Unlike traditional threat actor groups with hierarchical structures, Scattered Spider operated more like a collective. Members collaborated on specific operations, shared techniques and tools, and often worked with multiple sub-groups simultaneously. This fluid structure made attribution and disruption difficult.
The group's demographics set them apart from the Russian-speaking threat actors that dominate ransomware. Being native English speakers gave Scattered Spider a decisive advantage in social engineering attacks against English-speaking organizations — they could convincingly impersonate employees when calling help desks, something that language barriers prevent many Eastern European groups from doing effectively.
The 0ktapus Campaign (2022)
Scattered Spider first gained widespread attention through the "0ktapus" campaign in mid-2022, a mass phishing operation that targeted over 130 organizations:
- Attackers sent SMS phishing messages to employees, directing them to convincing fake Okta login pages
- When victims entered their credentials and MFA codes, the information was captured in real time
- Attackers immediately used the stolen credentials and MFA codes to access victim organizations' actual Okta portals
- From Okta, they pivoted to internal systems, code repositories, and communication platforms
The campaign hit major technology companies including Twilio, Cloudflare, DoorDash, and Mailchimp. The Twilio breach was particularly consequential — Scattered Spider used its access to Twilio's systems to target Signal users and reach customer data across Twilio's client base, creating a supply chain cascade.
The MGM Resorts Attack (September 2023)
The MGM attack was Scattered Spider's most high-profile operation and illustrated their methodology perfectly:
Initial Access
According to multiple reports, the attackers identified an MGM employee through LinkedIn, then called the MGM IT help desk posing as that employee. They convinced the help desk to reset the employee's credentials, gaining access to the corporate network.
The call reportedly took about 10 minutes.
Escalation
Once inside the network, the attackers moved quickly:
- Used the compromised employee's access to enumerate the environment
- Identified and compromised the Okta identity infrastructure
- Planted identity provider backdoors to maintain persistent access
- Deployed the BlackCat/ALPHV ransomware across MGM's systems
The partnership with BlackCat was significant — Scattered Spider brought the access and BlackCat provided the ransomware infrastructure and extortion capabilities.
Impact
The attack disrupted nearly every aspect of MGM's operations:
- Hotel reservation systems went offline, forcing manual check-ins
- Slot machines and digital gaming systems stopped functioning
- Digital room keys failed, requiring physical key replacements
- ATMs and payment systems were disabled
- The MGM Rewards loyalty program was inaccessible
- Several MGM properties were visibly impacted for over a week
MGM chose not to pay the ransom. The recovery cost exceeded $100 million.
Caesars Entertainment
Around the same time, Scattered Spider hit Caesars Entertainment using similar techniques. Caesars reportedly paid approximately $15 million in ransom — half of the initial $30 million demand. The contrast in outcomes between MGM and Caesars highlighted the difficult calculus organizations face: MGM's refusal to pay cost them significantly more in operational disruption, but paying ransoms funds future attacks and doesn't guarantee data protection.
Techniques and Tactics
Social Engineering Mastery
Scattered Spider's social engineering went beyond simple phishing:
Help desk impersonation: Calling IT help desks while impersonating employees, armed with personal information gathered from LinkedIn, social media, and data breaches. They were convincing enough to get credentials reset, MFA tokens enrolled, and VPN access provisioned.
SIM swapping: Bribing or socially engineering mobile carrier employees to port victim phone numbers to attacker-controlled SIM cards, intercepting SMS-based MFA codes.
MFA fatigue: Bombarding employees with push notification approval requests until they accepted one.
Threatening employees: In some cases, Scattered Spider members reportedly made threats against employees and their families to coerce cooperation, escalating from social engineering to intimidation.
Identity Provider Targeting
What distinguished Scattered Spider from many other groups was their sophisticated understanding of enterprise identity systems:
- Okta expertise: The group specifically targeted Okta environments, understanding how to abuse Okta admin access to create persistent backdoors
- Azure AD manipulation: Skilled at creating rogue service principals and applications in Azure AD for persistent access
- Federation abuse: Understanding of SAML and OAuth flows well enough to create unauthorized federation trusts
- Conditional access bypass: Knowledge of how to modify or circumvent conditional access policies in cloud identity providers
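The social engineering patterns above (a help desk reset followed by a fresh MFA enrollment, push bombardment) and the identity provider persistence pattern (a newly created federation trust) all leave traces in identity provider audit logs. The following is an added example, not code from the original post, that runs those three detections over constructed Okta-style System Log events; the event type strings and the tuple layout are assumptions modelled on Okta's naming and must be mapped to your provider's real schema before use.

```python
# Added example; event type strings are an assumption modelled on Okta naming.
from collections import defaultdict
from datetime import datetime, timedelta

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample: (timestamp, event_type, actor, target)
SAMPLE_EVENTS = [
    ("2023-09-10T14:00:00Z", "user.account.reset_password", "helpdesk@corp", "alice@corp"),
    ("2023-09-10T14:04:00Z", "user.mfa.factor.activate", "alice@corp", "alice@corp"),
    ("2023-09-10T16:00:00Z", "system.idp.lifecycle.create", "alice@corp", "idp:rogue-saml"),
    ("2023-09-11T09:00:00Z", "user.account.reset_password", "helpdesk@corp", "carol@corp"),
] + [  # eight push challenges to bob inside seven minutes
    (f"2023-09-10T15:0{i}:00Z", "system.push.send_factor_verify_push", "okta", "bob@corp")
    for i in range(8)
]

def reset_then_new_factor(events, window_minutes=30):
    """Users whose password was reset and who then enrolled a new MFA factor
    inside the window: the help-desk takeover signature from the MGM case."""
    resets = {t: parse(ts) for ts, et, _, t in events if et == "user.account.reset_password"}
    window = timedelta(minutes=window_minutes)
    hits = {t for ts, et, _, t in events
            if et == "user.mfa.factor.activate" and t in resets
            and timedelta(0) <= parse(ts) - resets[t] <= window}
    return sorted(hits)

def push_storms(events, threshold=5, window_minutes=10):
    """Users who received at least `threshold` push challenges inside a sliding
    window: MFA fatigue in progress, whether or not a push was approved."""
    pushes = defaultdict(list)
    for ts, et, _, t in events:
        if et == "system.push.send_factor_verify_push":
            pushes[t].append(parse(ts))
    window = timedelta(minutes=window_minutes)
    storms = []
    for user, times in pushes.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            storms.append(user)
    return sorted(storms)

def new_federation_trusts(events):
    """Every identity provider created, with its creator. Any entry without a
    matching change record is a candidate persistence backdoor."""
    return [(actor, t) for _, et, actor, t in events if et == "system.idp.lifecycle.create"]
```

Carol's reset is deliberately not flagged: a reset alone is normal help desk activity, and it is the reset-plus-enrollment pair that matters.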
Cloud-Native Operations
Scattered Spider operated primarily in cloud environments, reflecting the shift of enterprise IT to cloud platforms:
- Extensive use of Azure, AWS, and GCP management consoles
- Targeting of cloud-hosted code repositories (GitHub, GitLab)
- Abuse of cloud-based remote management tools
- Understanding of cloud IAM systems and permission models
Law Enforcement Response
In November 2023, the FBI arrested five individuals associated with Scattered Spider activities:
- Noah Michael Urban (aka "Sosa"), 19, from Florida
- Ahmed Hossam Eldin Elbadawy, 23, from Texas
- Joel Martin Evans, 25, from North Carolina
- Evans Onyeaka Osiebo, 20, from Texas
- Tyler Robert Buchanan, 22, from Scotland
Additional arrests followed in 2024. The relatively young ages of the defendants confirmed the group's demographics — many members were teenagers or young adults when they conducted attacks against billion-dollar enterprises.
Why Traditional Security Failed
Scattered Spider exposed several systemic weaknesses:
Help desks are a security boundary. Organizations invested millions in endpoint security, network monitoring, and cloud security but left help desks operating on trust-based verification processes that a convincing phone call could bypass.
Identity is the perimeter. With cloud-based infrastructure, there is no traditional network perimeter to defend. Identity systems — Okta, Azure AD, Google Workspace — are the actual security boundary. Scattered Spider understood and targeted this.
MFA is not infallible. SMS-based MFA is vulnerable to SIM swapping. Push-based MFA is vulnerable to fatigue attacks. Only hardware-based MFA (FIDO2/WebAuthn) proved resistant to Scattered Spider's techniques.
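To show why a FIDO2/WebAuthn login resists the real-time relay that made 0ktapus work against passwords and OTP codes, here is an added example (not from the original post) of the relying-party checks on a login assertion. The signature is an HMAC stand-in for the authenticator's private-key signature, an assumption made to keep the code standard-library only; the structure being verified (origin inside clientDataJSON, rpIdHash in authenticatorData, signature over both) is the real one. RP_ID, RP_ORIGIN and the phishing origin are constructed.

```python
# Added example; HMAC stands in for the authenticator's asymmetric signature.
import hashlib, hmac, json

RP_ID = "login.example-corp.com"                      # constructed relying party
RP_ORIGIN = "https://login.example-corp.com"
AUTHENTICATOR_KEY = b"constructed-authenticator-key"  # stand-in for the key pair

def authenticator_sign(origin: str, challenge: str) -> dict:
    """What the browser and authenticator produce for a login attempt made
    from `origin`. The browser fills in the origin field; the page cannot."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash + flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(AUTHENTICATOR_KEY, signed, "sha256").digest()}

def verify_assertion(assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party checks on a login assertion; returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    # The origin travels inside clientDataJSON, whose hash is covered by the
    # signature, so a relay cannot rewrite it without breaking the signature.
    signed = auth + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def relayed_login(phish_origin: str, challenge: str) -> tuple:
    """0ktapus-style relay: the real site's challenge is proxied to a victim on
    the phishing page and the resulting assertion is forwarded unchanged.
    (A real browser refuses even earlier, because RP_ID is not a registrable
    suffix of the phishing origin; the origin check is the second layer.)"""
    return verify_assertion(authenticator_sign(phish_origin, challenge), challenge)

def legitimate_login(challenge: str) -> tuple:
    return verify_assertion(authenticator_sign(RP_ORIGIN, challenge), challenge)
```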
Insider knowledge isn't required. Scattered Spider demonstrated that publicly available information from LinkedIn, combined with basic social engineering, was sufficient to impersonate employees convincingly.
How Safeguard.sh Helps
Scattered Spider's attacks worked because identity systems — the software supply chain of access and authentication — were treated as trusted black boxes rather than attack surfaces requiring continuous monitoring.
Safeguard.sh extends supply chain visibility to the software components that underpin your identity and access infrastructure. By tracking the dependencies and configurations of your authentication stack, the platform helps identify the single points of failure that groups like Scattered Spider target.
The platform's continuous monitoring and policy enforcement ensure that changes to your software supply chain — including updates to identity providers, authentication libraries, and access management tools — are tracked and assessed for security impact. When your identity provider is the gateway to your entire organization, the software components that power it deserve the same rigorous supply chain security as your production applications.