Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

Summary:
UNC3944, also known through public reporting as Scattered Spider, is a financially motivated threat actor known for its aggressive use of social engineering and direct engagement with victims. According to GTIG reporting, their operations initially focused on telecommunications companies to support SIM-swapping schemes, but by early 2023, they transitioned to broader ransomware and extortion campaigns, impacting various industries. They have since executed sector-specific targeting, including attacks on financial services in late 2023 and the food industry in May 2024. UNC3944 has also gone after well-known brands, likely seeking notoriety and media coverage.

Activity from the group reportedly declined following law enforcement actions in 2024 against alleged members. Such pauses are common as threat actors attempt to evade further scrutiny, rebuild infrastructure, or adopt new tools. However, UNC3944’s connections within the cybercriminal ecosystem may accelerate their recovery. Recent attacks on UK retailers involving DragonForce ransomware have been publicly attributed to Scattered Spider-like tactics. BBC News reported that DragonForce actors claimed responsibility for attempted attacks on several UK retail organizations. DragonForce recently claimed control of RansomHub, a ransomware-as-a-service operation, which UNC3944 had joined after ALPHV shut down.

While attribution remains unconfirmed, extortion campaigns targeting retail organizations have risen, with data leak site listings from this sector increasing to 11 percent in 2025, up from 8.5 percent in 2024. Retailers, which often hold significant amounts of personal and financial data, may be more inclined to pay ransoms if business operations are disrupted.

Security Officer Comments:
UNC3944 primarily targets large enterprises, particularly those with sizable help desks and outsourced IT functions vulnerable to social engineering. Their victims span sectors such as Technology, Telecommunications, Financial Services, Business Process Outsourcing, Gaming, Hospitality, Retail, and Media and Entertainment. Geographically, the group focuses on English-speaking countries, including the United States, the United Kingdom, Canada, and Australia, with recent expansion into Singapore and India.


Suggested Corrections:

Proactive Hardening Recommendations

The following are prioritized recommendations for protecting against tactics used by UNC3944, organized under the pillars of:
  • Identity
  • Endpoints
  • Applications and Resources
  • Network Infrastructure
  • Monitoring / Detections
Implementing the full suite of recommendations in this guide will generally have some impact on IT and normal operations. Mandiant’s extensive experience supporting organizations to defend against, contain, and eradicate UNC3944 has shown that an effective starting point is to prioritize a small number of specific areas. Organizations should begin with recommendations that:
  • Achieve complete visibility across all infrastructure, identity, and critical management services.
  • Ensure the segregation of identities throughout the infrastructure.
  • Strengthen authentication requirements.
  • Enforce rigorous identity controls for password resets and multi-factor authentication (MFA) registration.
  • Educate and communicate the importance of remaining vigilant against modern-day social engineering attacks and campaigns (see Social Engineering Awareness section later in this post). UNC3944 campaigns target not only end-users but also IT and administrative personnel within enterprise environments.
These serve as critical foundational measures upon which other recommendations in this guide can be built.
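The password-reset and MFA-registration controls above pair naturally with a detection under the Monitoring / Detections pillar: a help-desk-initiated password reset followed shortly by a new MFA method registration is the exact sequence a social-engineered reset produces. The following is an added example, not code from the Mandiant or Google Cloud guidance. The JSON-lines log schema, the field names (ts, user, event, ip, actor), the event names, and the sample events are all constructed for this example and do not correspond to any vendor's real audit-log format.

```python
"""
Detection sketch for one UNC3944 precondition: a help-desk-initiated password
reset followed shortly by registration of a new MFA method.  This is an added
example, not code from the Mandiant/Google Cloud guidance.  The JSON-lines log
schema, field names and sample events are constructed for this example and do
not correspond to any vendor's real audit-log format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample identity audit events (JSON lines).  Field names
# ("ts", "user", "event", "ip", "actor") are assumptions for this example.
SAMPLE_LOG = """
{"ts": "2025-05-01T09:02:11Z", "user": "alice", "event": "SignIn", "ip": "203.0.113.10", "actor": "alice"}
{"ts": "2025-05-01T13:40:05Z", "user": "alice", "event": "PasswordReset", "ip": "198.51.100.7", "actor": "helpdesk-01"}
{"ts": "2025-05-01T13:52:30Z", "user": "alice", "event": "MfaMethodRegistered", "ip": "192.0.2.55", "actor": "alice"}
{"ts": "2025-05-01T10:15:00Z", "user": "bob", "event": "SignIn", "ip": "203.0.113.20", "actor": "bob"}
{"ts": "2025-05-01T11:00:00Z", "user": "bob", "event": "PasswordReset", "ip": "198.51.100.7", "actor": "helpdesk-02"}
{"ts": "2025-05-02T16:30:00Z", "user": "bob", "event": "MfaMethodRegistered", "ip": "203.0.113.20", "actor": "bob"}
{"ts": "2025-05-01T08:00:00Z", "user": "carol", "event": "MfaMethodRegistered", "ip": "203.0.113.30", "actor": "carol"}
"""

# Correlation window between the reset and the MFA registration (assumption).
DEFAULT_WINDOW = timedelta(hours=2)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_reset_then_mfa(events, window=DEFAULT_WINDOW):
    """Return one alert per qualifying user.

    A user qualifies when a password reset performed by someone other than
    the user (a help desk or admin actor) is followed within `window` by an
    MfaMethodRegistered event.  Severity is 'high' when the registration
    comes from an IP the user had never signed in from before the reset,
    otherwise 'medium'.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        known_ips = set()  # IPs seen in the user's own sign-ins so far
        for i, e in enumerate(evs):
            if e["event"] == "SignIn":
                known_ips.add(e["ip"])
                continue
            if e["event"] != "PasswordReset" or e["actor"] == user:
                continue
            # Look forward from the reset for an MFA registration in-window.
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["event"] == "MfaMethodRegistered":
                    alerts.append({
                        "user": user,
                        "reset_by": e["actor"],
                        "delta_seconds": int((later["ts"] - e["ts"]).total_seconds()),
                        "registration_ip": later["ip"],
                        "severity": "high" if later["ip"] not in known_ips else "medium",
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_mfa(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample data only alice is flagged with the default two-hour window: her reset by helpdesk-01 is followed 745 seconds later by an MFA registration from an address she had never signed in from. Bob's registration falls outside the window and carol has no reset at all. Widening the window is a tuning decision; the "known IP" check is what keeps a legitimate user re-enrolling from their usual workstation at medium rather than high severity.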

Link(s):
https://cloud.google.com/blog/topic...944-proactive-hardening-recommendations?hl=en