SparTech Software CyberPulse – Your quick strike cyber update for September 19, 2025 4:05 PM

Scattered Spider Resurfaces with Financial Sector Attacks
In mid-September 2025, the notorious Scattered Spider threat group reemerged after previous claims that its members had retired. Security operations teams report new, highly targeted attacks against financial institutions, demonstrating considerable adaptation in attack vectors and persistence techniques.

Background and Evolution of Scattered Spider

Scattered Spider is a well-documented cybercriminal group previously known for its use of social engineering and SIM swapping to breach enterprise networks. Their resurgence was unexpected, as several law enforcement actions earlier in the year and arrest announcements fueled the narrative that the group had ceased operations.

Technical Details of the Latest Attack Campaigns

The group’s latest campaigns are characterized by:

  • Initial access through sophisticated phishing of financial sector personnel, often leveraging enticing but plausible business communications and fake corporate portals.
  • Abuse of legitimate remote management tools to move laterally within networks after initial compromise, relying less on custom malware and more on “living off the land” techniques.
  • Credential harvesting followed by rapid deployment of ransomware payloads on core banking infrastructure, disrupting services and attempting extortion for significant payouts.

Notable Adaptations and Detection Challenges

Technical analysis reveals that Scattered Spider has adopted advanced anti-forensic methods such as disabling endpoint monitoring agents and using compromised cloud identities to evade traditional detection. Researchers also note new, aggressive attempts to bypass multi-factor authentication by exploiting weaknesses in third-party integrations, emphasizing the critical need for reviewing authentication architecture in financial environments.

U.S. Department of Defense Increases Cybersecurity Requirements for Contractors
On September 10, 2025, the U.S. Department of Defense (DoD) issued a significant update to its Defense Federal Acquisition Regulation Supplement (DFARS), raising the baseline cybersecurity standards all DoD contractors must meet. The amended requirements reflect the U.S. government’s recognition of evolving threat vectors and past supply chain breaches.

Key Provisions of the New DFARS Rule

The final rule introduces several important controls for defense contractors, including:

  • Mandatory continuous monitoring of information systems, replacing periodic point-in-time assessments.
  • Detailed incident reporting obligations requiring contractors to notify the DoD within eight hours of a suspected breach.
  • A formal Software Bill of Materials (SBOM) mandate for all software delivered to defense agencies, ensuring transparency for potential vulnerabilities in the software supply chain.

Implications for the Defense Industrial Base

These requirements are expected to increase compliance costs for small and medium-size defense firms, driving adoption of automated monitoring tools and improved incident response playbooks. Firms failing to comply with the updated DFARS rules face potential contract suspension and federal enforcement actions.

Strategic Rationale Behind the Policy Update

The enhancements aim to counter increasingly sophisticated cyber threats from nation-state adversaries and criminal entities targeting sensitive defense information. They follow multiple high-profile security incidents in 2024 and 2025 involving contractor networks, emphasizing the need for real-time threat visibility and supply chain transparency.

NSA, CISA, and Partners Release Unified SBOM Guidance
On September 3, 2025, U.S. federal agencies led by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released “A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity.” The document provides both technical and strategic guidance for software producers, operators, and purchasers to strengthen software supply chain integrity.

Defining an SBOM and Its Value Proposition

An SBOM is a formal, machine-readable inventory of all components within a software product, including open source libraries and proprietary modules. By mandating SBOM usage, organizations obtain granular visibility into their dependencies, enabling proactive vulnerability management and risk assessment for supply chain attacks such as the SolarWinds and MOVEit compromises.

Technical Recommendations and Integration Practices

The guidance emphasizes continuous generation and sharing of SBOMs throughout the software development lifecycle. It advises:

  • Automated SBOM generation as part of CI/CD pipelines using standardized formats such as SPDX and CycloneDX.
  • Integration with vulnerability management tools for dynamic risk scoring as new vulnerabilities are discovered in third-party components.
  • Mechanisms for secure sharing of SBOMs between vendors, customers, and regulatory bodies without exposing confidential business information.
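The first two recommendations above, automated generation in standard formats and integration with vulnerability management, come together in practice as a small normalisation-and-matching step: read whatever SBOM the pipeline produced (CycloneDX or SPDX), reduce it to a list of package URLs, and re-check that list whenever the advisory feed changes. The following script is an added illustration written for this digest, not code from the guidance or from any NSA/CISA tool. Both SBOM documents, the package names, the advisory identifiers (ADV-EXAMPLE-*) and the severity weights are constructed sample data; a real integration would pull advisories from a feed such as OSV or the NVD and would use a proper version-range library rather than the dotted-numeric comparison used here.

```python
"""Normalise SBOMs (CycloneDX JSON and SPDX JSON) into one component list and
check it against an advisory feed, the way a vulnerability-management
integration would re-score a product when a new advisory lands.
All SBOM documents and advisories below are constructed sample data."""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 JSON document (fictional packages, not a real product).
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "1.4.2",
         "purl": "pkg:pypi/acme-http@1.4.2"},
        {"type": "library", "name": "acme-json", "version": "3.0.1",
         "purl": "pkg:pypi/acme-json@3.0.1"},
    ],
})

# Constructed SPDX 2.3 JSON document describing a different fictional product.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "acme-router", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-router@4.17.20"}]},
        {"name": "acme-view", "versionInfo": "2.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-view@2.0.0"}]},
    ],
})

# Constructed advisory feed: ids are placeholders, not real CVEs.
# Each entry covers versions >= introduced and < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:pypi/acme-http",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:npm/acme-router",
     "introduced": "4.0.0", "fixed": "4.17.21", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:npm/acme-view",
     "introduced": "2.1.0", "fixed": "2.1.3", "severity": "low"},
]

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


@dataclass(frozen=True)
class Finding:
    purl: str
    advisory_id: str
    severity: str


def parse_sbom(text):
    """Return Components from either a CycloneDX JSON or an SPDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [Component(c["name"], c.get("version", ""), c.get("purl", ""))
                for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        out = []
        for p in doc.get("packages", []):
            # SPDX carries the purl as an external reference of type "purl".
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), "")
            out.append(Component(p["name"], p.get("versionInfo", ""), purl))
        return out
    raise ValueError("unrecognised SBOM format")


def split_purl(purl):
    """Split 'pkg:type/name@version?qualifiers#subpath' into (package, version)."""
    package, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return package, version


def version_key(v):
    """Dotted-numeric key; non-digit suffixes are ignored (simplification)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a sorts before b, padding shorter keys with zeros."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def match_advisories(components, advisories):
    """Report every (component, advisory) pair whose version falls in the range."""
    findings = []
    for comp in components:
        package, version = split_purl(comp.purl)
        version = version or comp.version
        for adv in advisories:
            if adv["package"] != package:
                continue
            if version_lt(version, adv["introduced"]):
                continue          # older than the affected range
            if not version_lt(version, adv["fixed"]):
                continue          # already carries the fix
            findings.append(Finding(comp.purl, adv["id"], adv["severity"]))
    return findings


def risk_score(findings):
    """Crude dynamic score: sum of severity weights over open findings."""
    return sum(SEVERITY_WEIGHT.get(f.severity, 0) for f in findings)


if __name__ == "__main__":
    for label, text in (("cyclonedx", CYCLONEDX_SBOM), ("spdx", SPDX_SBOM)):
        found = match_advisories(parse_sbom(text), ADVISORIES)
        print(label, [(f.purl, f.advisory_id) for f in found], "score", risk_score(found))
```

The lower bound of the advisory range matters as much as the upper one: acme-view 2.0.0 predates the affected range and is correctly left out, which is the kind of false positive a naive "version < fixed" check would produce across a large dependency tree.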

Broader Security and Regulatory Context

This unified vision solidifies SBOMs as foundational to federal cybersecurity policy and is likely to influence global regulatory trends, compelling vendors to adopt transparent supply chain management practices and strengthen their software assurance programs.

NIST Grants Over $3 Million for Cybersecurity Workforce Development
On September 17, 2025, the United States National Institute of Standards and Technology (NIST) awarded grants totaling more than $3 million to expand cybersecurity workforce training initiatives across 13 states. This move addresses the persistent shortage of skilled cyber professionals required to defend critical infrastructure and emerging technologies.

Objectives and Scope of the Grants

The grant program is structured to support the development of:

  • Entry-level technical training for security operations and incident response roles.
  • Specialized programs focused on industrial control systems (ICS) security, cloud security architecture, and secure software development.
  • Outreach initiatives targeting traditionally underrepresented groups to broaden the talent pipeline.

Impact on the Cybersecurity Ecosystem

The NIST funding is intended to boost regional training centers, academic partnerships, and apprenticeship programs, directly addressing the widening skills gap in both public and private sectors. Participating organizations are required to align curricula to the NICE Cybersecurity Workforce Framework, ensuring standardization and industry relevance.
