Listen to this Post
Introduction:
When two teenagers—aged just 18 and 20—can infiltrate the computer network of Transport for London (TfL), a critical national infrastructure operator serving millions daily, and cause £39 million in damages, the cybersecurity industry must confront an uncomfortable truth: traditional identity controls are failing. Thalha Jubair and Owen Flowers, members of the notorious Scattered Spider criminal collective, pleaded guilty in June 2026 to orchestrating a cyberattack that forced all 28,000 TfL employees to reset their passwords in person, disrupted customer refund services for months, and exposed the personal data of approximately 10 million customers. This incident is not an anomaly—it is a blueprint for how modern threat actors exploit the weakest link in enterprise security: human-centric identity systems.
Learning Objectives:
- Understand Scattered Spider’s attack chain, from social engineering and SIM swapping to MFA bypass and privilege escalation
- Identify the specific tools, techniques, and procedures (TTPs) used in the TfL breach and similar attacks
- Implement phishing-resistant MFA, helpdesk hardening, and detection strategies to defend against identity-based threats
- The Scattered Spider Playbook: How Two Teens Took Down London’s Transit
Scattered Spider, also tracked as UNC3944, Octo Tempest, and Muddled Libra, is not a traditional hierarchical cybercrime group—it is a fluid community of English-speaking actors who recruit specialized talent on-demand for SIM swapping, helpdesk social engineering, or ransomware deployment. The TfL attack, which occurred between August 31 and September 3, 2024, followed a well-established pattern.
Step 1: Reconnaissance and Social Engineering. The attackers first gathered intelligence on TfL employees—likely through open-source research, credential marketplaces, or prior breaches. Scattered Spider is known to perform self-service password reset (SSPR) reconnaissance from malicious IP addresses to validate whether phone numbers or email addresses can be used for account takeover.
Step 2: Initial Access via SIM Swap or Helpdesk Impersonation. The group specializes in subscriber identity module (SIM) swapping—tricking telecom carriers into transferring a victim’s phone number to a device controlled by the attacker. Once the SIM is swapped, the attacker can intercept SMS-based one-time passwords (OTPs) and reset passwords via helpdesk calls. Alternatively, Scattered Spider actors impersonate employees and call IT helpdesks to request password resets or MFA device transfers—often succeeding because they have gathered enough contextual information to sound convincing.
Step 3: MFA Bypass. The group employs multiple MFA bypass techniques: MFA fatigue attacks (repeated push notifications until the victim approves), adversary-in-the-middle (AiTM) phishing kits like Evilginx that intercept session tokens in real time, and SIM swapping to capture SMS codes. In 2025, Scattered Spider adopted advanced AiTM phishing kits capable of bypassing MFA even in hardened environments.
Step 4: Lateral Movement and Privilege Escalation. Once inside, the attackers moved with astonishing speed. In similar Scattered Spider incidents, adversaries pivoted from SaaS environments to corporate networks in as little as four minutes. They leveraged Single Sign-On (SSO) to access VPNs and remote desktop services, then escalated privileges by compromising service accounts and assigning Global Administrator roles. Investigators recovered videos showing Jubair accessing TfL systems during the intrusion.
Step 5: Persistence and Data Exfiltration. The attackers created fake administrative accounts, registered Temporary Access Passes (TAPs) to bypass MFA on additional accounts, and deleted conditional access policies to evade detection. They exfiltrated data from TfL’s Oyster refunds system and communicated via Telegram and a shared online collaboration platform.
- The Tools of the Trade: What Scattered Spider Uses and How to Detect It
Scattered Spider’s operational playbook relies heavily on living-off-the-land (LotL) techniques—using legitimate administrative tools to blend into normal network activity. Below is a comprehensive list of tools observed in Scattered Spider attacks, along with detection commands for both Linux and Windows environments.
Remote Monitoring and Management (RMM) Tools (Abused for Persistence):
– AnyDesk, TeamViewer, ScreenConnect, Splashtop, Fleetdeck.io, Level.io, Tactical.RMM, Pulseway
Detection (Windows – PowerShell):
Check for unauthorized RMM installations
Get-WmiObject -Class Win32_Product | Where-Object { $<em>.Name -match "AnyDesk|TeamViewer|ScreenConnect|Splashtop" }
Review scheduled tasks for persistence
Get-ScheduledTask | Where-Object { $</em>.TaskPath -1otlike "\Microsoft\Windows\" }
Check for unusual outbound connections on RMM ports
netstat -an | findstr ":7070|:5938|:8040|:443"
Detection (Linux – Bash):
Check for running RMM processes ps aux | grep -E "anydesk|teamviewer|screenconnect|splashtop" Review systemd services for unauthorized persistence systemctl list-units --type=service --all | grep -E "anydesk|teamviewer" Check listening ports ss -tulpn | grep -E "7070|5938|8040"
Credential Theft Tools:
- Mimikatz (for credential dumping from LSASS memory), Raccoon Stealer, VIDAR Stealer, AveMaria (WarZone)
Detection (Windows):
Monitor for LSASS access attempts (Event ID 4656)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | Where-Object { $<em>.Message -match "lsass.exe" }
Check for Mimikatz command-line arguments
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $</em>.Message -match "mimikatz" }
Exfiltration Infrastructure:
- MEGA.nz, Amazon S3 buckets, Snowflake instances
Detection (Network):
Monitor for large outbound data transfers to cloud storage Linux: Use nethogs or iftop for real-time monitoring sudo nethogs Check for unusual S3 API calls in AWS CloudTrail aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutObject
Phishing Domains (Indicators of Compromise):
Scattered Spider registers domains mimicking corporate SSO or helpdesk portals with patterns like:
– `targetname-sso[.]com`
– `targetname-servicedesk[.]com`
– `targetname-okta[.]com`
– `oktalogin-targetcompany[.]com`
- Defending Against Scattered Spider: A Step-by-Step Hardening Guide
Step 1: Implement Phishing-Resistant MFA
SMS-based OTPs and push notifications are no longer sufficient. Scattered Spider has demonstrated the ability to bypass both through SIM swapping and MFA fatigue. Organizations must deploy FIDO2/WebAuthn hardware security keys or passkeys, which cryptographically bind authentication to a specific origin and device, making credential theft and replay impossible.
Azure AD / Microsoft 365:
Enable FIDO2 security keys as an authentication method Requires Azure AD Premium P1 or P2 Navigate to Azure AD > Security > Authentication methods > FIDO2 security keys Set "Target" to "All users" and enable Configure Conditional Access policy requiring phishing-resistant MFA Use PowerShell to create policy New-AzureADMSConditionalAccessPolicy -DisplayName "Require FIDO2 for all users" -State "enabled"
Step 2: Harden Helpdesk Authentication Workflows
Scattered Spider’s primary attack vector is social engineering against IT helpdesks. Implement:
– Video verification or biometric confirmation for high-risk changes (password resets, MFA device transfers)
– Multi-approver workflows for administrative account modifications
– Monitoring of helpdesk tickets for anomalous patterns (e.g., multiple resets for the same user)
Step 3: Enforce Conditional Access and Zero Trust
Restrict access based on device compliance, geographic location, and risk signals. Disable legacy authentication protocols.
Azure AD Conditional Access (PowerShell):
Block legacy authentication $policy = New-AzureADMSConditionalAccessPolicy -DisplayName "Block Legacy Auth" -State "enabled" Configure grant controls to require MFA and compliant devices
Step 4: Monitor and Restrict RMM Tool Usage
Maintain an allowlist of approved remote access tools. Use Endpoint Detection and Response (EDR) to alert on unauthorized RMM installations.
Windows Group Policy:
Restrict software installation via AppLocker Create a policy to allow only approved executables Path: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
Step 5: Implement Comprehensive Logging and UEBA
Enable audit logging across all identity providers, cloud services, and endpoints. Deploy User and Entity Behavior Analytics (UEBA) to detect anomalous login hours, locations, or token reuse.
Azure AD Audit Logging:
Enable diagnostic settings for Azure AD logs Send to Log Analytics workspace or SIEM Monitor for: - Suspicious sign-ins (Event ID 50055) - Role assignments (Event ID 50056) - Conditional access policy changes
- Detection Hunting: How to Find Scattered Spider in Your Environment
Hunt 1: Identify SSPR Reconnaissance Activity
Search for repeated self-service password reset attempts from unusual IP addresses.
Azure AD Logs (KQL):
AuditLogs | where OperationName == "Self-service password reset flow started" | summarize Count = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h) | where Count > 5
Hunt 2: Detect Temporary Access Pass (TAP) Abuse
Scattered Spider uses TAPs to bypass MFA and maintain persistence.
Azure AD Logs:
AuditLogs | where OperationName == "Add temporary access pass" | extend Target = tostring(TargetResources[bash].userPrincipalName) | project TimeGenerated, Target, InitiatedBy.userPrincipalName
Hunt 3: Monitor for Conditional Access Policy Deletions
Attackers delete policies to disable MFA requirements.
AuditLogs | where OperationName == "Delete conditional access policy" | project TimeGenerated, InitiatedBy.userPrincipalName, TargetResources
Hunt 4: Identify Unusual RMM Tool Installations
Windows Event Log - Software installation (Event ID 11707)
Get-WinEvent -FilterHashtable @{LogName='Application'; ID=11707} | Where-Object { $_.Message -match "AnyDesk|TeamViewer|ScreenConnect" }
- Incident Response: What to Do When You Detect a Scattered Spider Intrusion
Step 1: Isolate and Contain
- Immediately revoke all session tokens and refresh credentials for compromised accounts
- Disable suspected RMM tools and terminate unauthorized remote sessions
- Reset passwords for all privileged accounts—in person, with multi-factor verification
Step 2: Preserve Evidence
- Collect logs from identity providers, cloud services, endpoints, and network devices
- Capture forensic images of compromised systems
- Document all attacker actions, including timestamps and IP addresses
Step 3: Eradicate Persistence
- Remove unauthorized administrative accounts and service principals
- Revoke all Temporary Access Passes
- Restore deleted conditional access policies
- Review and rotate all OAuth tokens and application secrets
Step 4: Recover and Harden
- Require all employees to reset passwords in person (as TfL did with 28,000 staff)
- Deploy phishing-resistant MFA for all users
- Conduct a comprehensive review of helpdesk workflows and identity governance
Step 5: Report and Cooperate
- Engage law enforcement early—the NCA emphasized that TfL’s cooperation was critical to the investigation and prosecution
- Notify affected customers and regulators as required by data breach notification laws
What Undercode Say:
- Key Takeaway 1: Scattered Spider’s TfL attack demonstrates that MFA—as commonly implemented with SMS or push notifications—is no longer a reliable defense. The group’s ability to bypass MFA through SIM swapping, AiTM phishing, and helpdesk social engineering means organizations must urgently migrate to phishing-resistant authentication like FIDO2/WebAuthn.
-
Key Takeaway 2: The attack highlights the critical importance of helpdesk hardening. Social engineering against IT support remains the most effective entry point for Scattered Spider. Organizations should implement biometric verification, multi-approver workflows, and continuous monitoring of helpdesk activity to close this gap.
Analysis: The TfL breach is a watershed moment for cybersecurity. Two teenagers caused £39 million in damages and disrupted critical infrastructure serving millions of people—not through zero-day exploits or sophisticated malware, but by exploiting human processes and identity systems. The FBI’s charges against Jubair allege involvement in at least 120 computer network intrusions and extortion involving 47 U.S. entities, with victims paying over $115 million in ransom. This underscores that Scattered Spider is not an isolated threat but a persistent, adaptive, and highly capable adversary.
The group’s evolution from SIM-swapping and phishing in 2022 to AiTM phishing, DragonForce ransomware, and cloud infrastructure targeting in 2025 reflects a broader trend: financially motivated actors are adopting APT-level sophistication. Organizations must shift from perimeter-centric security to identity-centric defense, leveraging zero trust principles, behavioral analytics, and real-time threat intelligence. The TfL case also demonstrates the power of international law enforcement cooperation—the FBI, NCA, and other global partners worked together to investigate, arrest, and prosecute the perpetrators.
Prediction:
- +1 The TfL prosecution will serve as a deterrent and a template for future international cybercrime investigations, encouraging more organizations to report breaches early and cooperate with law enforcement.
-
+1 The incident will accelerate enterprise adoption of phishing-resistant MFA (FIDO2/passkeys), with Gartner predicting that by 2028, 60% of large enterprises will have eliminated SMS-based OTPs for high-risk applications.
-
-1 Scattered Spider’s adaptability means the group—or its remaining members—will likely pivot to new tactics, such as AI-driven social engineering or deepfake-based helpdesk impersonation, making detection even more challenging.
-
-1 The attack’s success will inspire copycat groups, particularly in the growing cybercriminal ecosystem, leading to a surge in identity-based attacks against critical infrastructure and SaaS environments.
-
+1 The NCA’s emphasis on early engagement with law enforcement will encourage more private-sector organizations to share threat intelligence, improving collective defense and reducing the average dwell time of attackers.
-
-1 Despite the guilty pleas, the global nature of Scattered Spider—with members operating across jurisdictions—means that dismantling the broader collective will remain a significant challenge for law enforcement.
▶️ Related Video (74% Match):
https://www.youtube.com/watch?v=8uyd4Ja1T2o
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Yesterday The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
