Threat Actor Targets Telecom Service Providers and Alters Defensive Methods When Detected

By Gagandeep Singh


Scattered Spider hijacked telecom service providers and business process outsourcing companies, diligently altering defensive mitigations when the attacks were detected.

These attacks have been ongoing since June 2022 and appear to be financially motivated.

The campaigns' main goal is to break into telecom network systems, gain access to subscribers' information, and conduct other activities such as swapping SIMs.

The hackers gain initial access to telecom networks through social engineering: using impersonation and redirecting victims to phishing websites that carry the company logo.

Security firms that observed the intrusions report that the hackers fought hard to maintain access to the breached network even after being detected.

The hackers were also found using remote monitoring and management (RMM) tools such as BeAnywhere, Domotz, DWservice, AnyDesk and

Once the hackers gain access to a system, they try to add their own devices to the trusted MFA lists using the compromised user account.

The threat actors seemingly got more active and deployed persistence methods such as VPN (Virtual Private Network) access or RMM tools.

The threat actors used various VPNs and ISPs to access the victim organization's Google Workspace environment.
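
The MFA device enrollment and the access from varied VPNs and ISPs described above can be correlated for detection. The following is an added example, not code from the original report: it flags an MFA enrollment made shortly after a user's first login from a network not seen before. The event schema, field names, users and the 30-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the schema is hypothetical, not a vendor log format.
# ASNs come from the range reserved for documentation.
EVENTS = [
    {"ts": "2022-12-01T09:00:00", "user": "alice", "type": "login", "asn": "AS64500"},
    {"ts": "2022-12-02T09:05:00", "user": "alice", "type": "login", "asn": "AS64500"},
    {"ts": "2022-12-03T02:10:00", "user": "alice", "type": "login", "asn": "AS64511"},
    {"ts": "2022-12-03T02:14:00", "user": "alice", "type": "mfa_enroll", "asn": "AS64511"},
    {"ts": "2022-12-03T10:00:00", "user": "bob", "type": "login", "asn": "AS64500"},
    {"ts": "2022-12-04T10:00:00", "user": "bob", "type": "mfa_enroll", "asn": "AS64500"},
]

def suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Return (user, asn, ts) for MFA enrollments that follow a first-time network."""
    seen = defaultdict(set)   # user -> ASNs already seen on that user's logins
    first_seen = {}           # (user, asn) -> time a new ASN first appeared
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, asn = ev["user"], ev["asn"]
        if ev["type"] == "login":
            if asn not in seen[user]:
                if seen[user]:            # user has a baseline, so this ASN is new
                    first_seen[(user, asn)] = ts
                seen[user].add(asn)
        elif ev["type"] == "mfa_enroll":
            started = first_seen.get((user, asn))
            no_history = asn not in seen[user]   # enrollment with no prior login there
            if no_history or (started is not None and ts - started <= window):
                alerts.append((user, asn, ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in suspicious_enrollments(EVENTS):
        print("review MFA enrollment:", alert)
```
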

For the full story, visit the attached link.