Scattered Spider: Impersonation, and Cybersecurity in the Age of Cloud Computing
By Skeeter Wesinger
June 29, 2025
In an era where companies have moved their infrastructure to the cloud and outsourced much of their IT, one old-fashioned tactic still defeats the most modern defenses: impersonation.
At the center of this threat is Scattered Spider, a cybercriminal collective that doesn’t exploit code—they exploit people. Their operations are quiet, persuasive, and dangerously effective. Instead of smashing through firewalls, they impersonate trusted employees—often convincingly enough to fool help desks, bypass multi-factor authentication, and gain access to critical systems without ever tripping an alarm.
This is the cybersecurity challenge of our time. Not ransomware. Not zero-days. But trust itself.
Who Is Scattered Spider?
Known to threat intelligence teams as UNC3944, Muddled Libra, or 0ktapus, Scattered Spider is an English-speaking group that has compromised some of the most security-aware companies in North America. Their breaches at MGM Resorts and Caesars Entertainment made headlines—not because they used sophisticated malware, but because they didn’t have to.
Their weapon of choice is the phone call. A help desk technician receives a request from someone claiming to be a senior executive who lost their device. The impersonator is articulate, knowledgeable, and urgent. They know internal jargon. They cite real names. Sometimes, they even use AI-generated voices.
And too often, it works. The attacker gets a password reset, reroutes MFA codes, and slips in undetected.
The Illusion of Familiarity
What makes these attackers so dangerous is their ability to sound familiar. They don’t just say the right things—they say them the right way. They mirror internal language. They speak with confidence. They understand hierarchy. They’re skilled impersonators, and they prey on a simple reflex: the desire to help.
In the past, we might have trusted our ears. “It sounded like them,” someone might say.
But in the age of AI, “sounding like them” is no longer proof of identity. It’s a liability.
When Cloud Isn’t the Cure
Many organizations have moved to cloud-based environments under the assumption that centralization and managed services will reduce their exposure. In some ways, they’re right: the cloud simplifies infrastructure and offloads security operations. But here’s the truth: you can’t outsource responsibility. The human layer remains—and that’s precisely where Scattered Spider operates.
They don’t need to breach Azure or AWS. They just need to impersonate someone with access to it.
It’s time we stop treating “trust but verify” as a cliché and start treating it as operational policy. Better yet: trust—but always verify. Every request. Every reset. Every exception.
Verification today means more than checking a box. It requires multi-channel authentication. It means never resetting MFA or passwords based solely on a phone call, no matter how credible the caller seems. It means locking down help desk protocols so impersonation doesn’t slip through the cracks.
Security teams must also monitor legitimate tools—like AnyDesk, TeamViewer, and ScreenConnect—that attackers often use once inside. These aren’t inherently malicious, but in the wrong hands, they’re devastating.
And above all, organizations must train their frontline personnel—especially support staff—to treat every identity request with healthy skepticism. If your instinct says something feels off, pause and verify through secure channels. Escalate. Slow down. Ask the questions attackers hope you won’t.
Scattered Spider doesn’t hack your servers. They hack your systems of trust. They bypass encryption by impersonating authority. And they exploit the one vulnerability no software can patch: assumption.
As we continue shifting toward remote work, outsourced IT, and cloud-based everything, the real threat isn’t technical—it’s personal. It’s the voice on the line. The urgent request. The person who “sounds right.”
In this world, cybersecurity isn’t just about what you build. It’s about what you believe—and what you’re willing to question.
Therefore, you have to train your teams. Harden your protocols. And remember in the age of the cloud, the most important firewall is still human.
Trust—but always verify!