Show Transcript
Welcome to the Identity Theft Resource Center's (ITRC’s) Weekly Breach Breakdown for July 11, 2025. I'm Alex Achten, Senior Director of Communications & Media Relations of the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we will take a deeper look at the works of a ransomware group that ITRC President James E. Lee discussed on the podcast just last month. We are discussing Scattered Spider attacks.
Have you ever been bitten by a spider? It hurts so bad! The good news is that most spider bites are harmless. However, some are worse than others, especially black widow and brown recluse spiders. As James said in June, not all scary spiders are of the 8-legged freak. There is one that does not have eight legs and can inflict harm as nasty as a black widow or brown recluse bite. We are again discussing the ransomware group Scattered Spider, which continues to dominate the headlines and target companies.
Scattered Spider has been running rampant recently, strategically targeting sector after sector with social engineering techniques to gain access to systems and steal data, encrypt files and hold companies ransom.
First, Scattered Spider attacks targeted retail stores in the UK. Then, they headed over to the U.S. and pivoted to insurance companies. Now, the FBI reports they are focused on airlines and the transportation sector. In a statement to TechCrunch, the FBI stated that it has recently observed cyberattacks resembling Scattered Spider in the airline sector. They added that hackers may target large corporations and their third-party IT providers. Hawaiian Airlines, WestJet, Qantas and South African Airways have already reported possible intrusions.
How are they doing all of this damage? Mathew Schwartz of ISMG News recently took a look at how Scattered Spider attacked an organization in the logistics sector. A report from ReliaQuest states that attackers demonstrated persistence, technical sophistication and tenacity when breaching a victim's IT environment, including the ability to evade defenses, escalate privileges and maintain access despite repeated attempts to eject them.
Early on in the Scattered Spider attack, they focused on members of the C-suite and gathered publicly available intelligence to steal executives' credentials. Schwartz says that attackers appear to have gleaned the CFO's date of birth and the last four digits of the CFO's Social Security number, which enabled them to use the company's public-facing Oracle Cloud portal to confirm the executive's employee number.
In the next stage of the Scattered Spider attack, Scattered Spider impersonated the organization’s CFO in a call to the IT help desk. The attackers successfully persuaded help-desk staff to reset the multi-factor authentication (MFA) device and credentials tied to the CFO’s account.
After successfully gaining network access to the logistics firm, the attackers enumerated IDs via the organization's Microsoft Entra ID cloud-based identity and access management system. They also dumped a database and raided a company vault, stealing secrets tied to 1,400 accounts.
Many organizations are vulnerable to the type of social engineering that Scattered Spider uses. The good news is that there have been arrests of alleged members. The bad news is that security experts expect the attacks to continue.
Organizations should remain focused on strengthening their cybersecurity practices, including employee training and education. Schwartz and ISMG News say that attackers successfully cracked hashes for relatively weak or reused passwords. (Another reminder as to why the ITRC encourages the adoption of passkeys!)
As James mentioned last month, there are few resources to help keep you and me, the consumer, safe while there is an overabundance of people seeking to take what is ours. This makes good cyber-hygiene (passkeys, MFA with an authenticator app, strong 12+ character passphrases, etc.) more important now than it has ever been.
If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.
Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts.
On Wednesday, we will release our data breach findings for the first half of 2025. James will return next week with another episode of the Weekly Breach Breakdown to highlight and examine all of the findings. I'm Alex Achten. Until then, thanks for listening.