"Scattered Spider Cybercrime Group Targets Mobile Carriers via Telecom, BPO Firms"
Security researchers at CrowsStrike are warning that a threat actor tracked as "Scattered Spider" is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping. The researchers noted that Scattered Spider is a financially-motivated threat actor and has been observed increasingly targeting the telecoms industry since June 2022, setting up persistence mechanisms and even reverting implemented mitigations to regain access to the compromised networks. According to the researchers, Scattered Spider has been relentlessly trying to gain access to victim networks, typically performing daily operations once access has been obtained. The researchers noted that the threat actor was seen deploying virtual private network (VPN) and remote monitoring and management (RMM) tools. After successfully containing Scattered Spider's intrusion into one organization, the threat actor moved to a different company in the same vertical, using the same tactics, techniques, and procedures (TTPs). The researchers stated that in all observed intrusions, the adversary attempted to leverage access to mobile carrier networks from a Telco or BPO environment. In two investigations, SIM swapping was performed by the adversary. The researchers noted that for initial access, the threat actor leveraged social engineering, including via phone calls and SMS and Telegram messages impersonating IT staff, to trick victims into entering their credentials on a phishing page or downloading and installing an RMM tool controlled by the attackers. The threat actors would also engage with the victims directly to obtain their one-time password (OTP) if multi-factor authentication (MFA) was enabled or relied on MFA push-notification fatigue.