Cordial Spider and Snarky Spider Target Critical Infrastructure for Data Theft

Severity: High (Score: 71.0)

Sources: Scworld, Cyberscoop

Summary

Cordial Spider and Snarky Spider, two threat groups linked to The Com, are actively conducting rapid data theft and extortion attacks against U.S. organizations in critical infrastructure sectors such as academic, aviation, retail, hospitality, automotive, financial services, legal, and technology. These financially motivated attackers utilize voice-phishing and social engineering techniques to breach identity platforms and navigate SaaS environments. They trick employees into visiting phishing pages that mimic legitimate single sign-on or identity provider sites, capturing sensitive credentials and tokens. Once inside, they disable multi-factor authentication and erase alerts to conceal their activities. The extortion demands from these groups are typically in the seven-figure range, and some victims have also faced DDoS attacks. CrowdStrike has noted that the tactics, techniques, and procedures of the two groups differ, although their end goals remain the same. The current status of the groups includes ongoing attacks, with some data-leak sites, like BlackFile, being taken offline recently.

Key Points

  • Cordial Spider and Snarky Spider are targeting critical infrastructure sectors in the U.S.
  • Attackers use voice-phishing and social engineering to gain access to identity platforms.
  • Extortion demands from these groups are often in the seven-figure range.

Key Entities

  • Cordial Spider (apt_group)
  • Scattered Spider (apt_group)
  • ShinyHunters (apt_group)
  • SLSH (apt_group)
  • Snarky Spider (apt_group)
  • The Com (ransomware_group)
  • Data Breach (attack_type)
  • DDoS (attack_type)
  • Phishing (attack_type)
  • Financial (industry)
  • Hospitality (industry)
  • Legal (industry)
  • Retail (industry)
  • Technology (industry)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • 9Proxy (tool)
  • Infatica (tool)
  • Mullvad (tool)
  • NetNut (tool)
  • NSocks (tool)