
Scattered Spider is targeting victims' Snowflake data storage for quick exfiltration

The Scattered Spider cybercriminal group is targeting victims’ data storage tools after gaining initial access by impersonating contracted information technology (IT) help desks.

Government agencies in the U.S., U.K., Canada and Australia updated an advisory initially released in November 2023 about the group — which has recently caused alarm with back-to-back campaigns targeting large companies in the retail, insurance and airline industries. 

In “many” incidents, Scattered Spider was seen searching for an organization's Snowflake access in order to steal large volumes of data, the advisory said. The data storage company serves many large organizations, but those clients are responsible for maintaining access credentials.

The FBI and others said the group is now posing as employees of targeted companies to convince IT teams or help desk staff to provide login information, passwords or other access through devices. 

The update includes data from FBI investigations conducted as recently as June 2025. Hackers connected to Scattered Spider are now using remote access tools like AnyDesk to bypass security alerts and deploying malware to maintain access while conducting internal reconnaissance.

The advisory notes that the DragonForce ransomware was used in several incidents, allowing the hackers to monetize their access, steal data and more. 

Google’s Mandiant unit said Tuesday that it had not observed “any new intrusions directly attributable” to Scattered Spider — which it labels UNC3944 — since arrests earlier this month in the United Kingdom of four people suspected of hacking major retailers. 

Mandiant CTO Charles Carmakal said, however, that “it's crucial that organizations don't let their guard down entirely” because other threat actors are using similar social engineering tactics.

Help desks, beware

Scattered Spider — a large, loosely affiliated network of hackers — has evolved its tactics over the years but still sporadically returns to tried-and-true methods like phishing. The FBI said employees of victim organizations have been targeted with phishing sites using the company name “appended with either a helpdesk or a type of single sign-on (SSO) solution to add credibility.”

The group has also been seen purchasing employee or contractor credentials on cybercriminal forums like Russia Market or compromising third party services that have access to the networks of potential targets. 

“It is common for the threat actors to gather the personally identifiable information (PII) of users with elevated access to their network using online open-source information,” the agencies explained. 

“While Scattered Spider initially began their activity relying upon broad phishing campaigns, the threat actors are now employing more targeted and multilayered spearphishing and vishing operations. Scattered Spider searches business-to-business websites to gather information and ultimately determine the individual’s role in a target organization.”

Using “layered social engineering techniques,” the hackers figure out what they need to convince IT help desks to give them access to an employee’s account. 

The agencies warned that the tactics “make it more difficult for network defenders to warn targeted organizations or to use threat hunting tools to proactively identify intrusions.”

The agencies urged organizations to focus monitoring efforts on unauthorized account misuse and “risky logins” where sign-in attempts were flagged as suspicious. 

Multiple industries are still reeling in the aftermath of the Scattered Spider campaigns that took place over the last four months. The group allegedly caused chaos at retailers like Victoria’s Secret — which could barely operate its stores after an attack in May — and left companies like Hawaiian Airlines scrambling to ensure traveler safety.

While insurance industry giants like Aflac were able to fend off more damaging attacks, the companies still warned customers of potential data thefts that are still being investigated.

Years of law enforcement action against alleged members of the group have done little to stop it from continuing to wage successful campaigns against large companies.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.