MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts

Scattered Spider and ShinyHunters’ Next Move: Leaking Data

Last updated: August 11, 2025 9:50 pm
Published: 8 months ago

Extortionists Detail Fresh Victims, Although Sensitivity of Stolen Data Unclear

Extortionists tied to numerous attacks against high-profile brands have begun naming fresh victims and leaking supposedly stolen data.


On Friday, individuals claiming to be part of the cybercrime collectives Scattered Spider, ShinyHunters and Lapsus$ launched a channel on social platform Telegram and posted partially redacted screenshots tied to previously claimed as well as newly claimed victims. The group also announced plans to soon launch its own ransomware-as-a-service operation.

“This group is jokingly referring to themselves as ‘Scattered Spider LAPSU$ Sp1d3r Hunters, UNC3944,’” said the malware researcher who goes by “vx-underground,” in a post to social platform X.

The lattermost designation, UNC3944, is Google’s codename for Scattered Spider, which it describes as being a financially motivated threat group consisting largely of Western adolescents who are native English speakers. The group is also tracked as Octo Tempest and Roasted 0ktapus.

Victims named across various posts to the Telegram channel from Friday until the channel disappeared on Monday included known victims such as Gucci, Chanel and Victoria’s Secret, as well as a new victim, automotive giant Subaru. The hackers also claimed to have breached the likes of the U.S. Department of Homeland Security, Britain’s National Crime Agency and Ministry of Justice, and government agencies in Brazil, France and India.

The group leaked a database purportedly stolen from another new victim, Coca-Cola Euro-Pacific Partnership, which is a British multinational bottling company with operations across 31 countries, and advertised for sale a database stolen from Neiman Marcus, for one bitcoin ($121,000).

The leaked Coca-Cola data is legitimate but appears to be non-critical information, largely consisting of contact information for representatives, “which may already be public information,” vx-underground reported.

ShinyHunters and Scattered Spider have been tied to an ongoing wave of attacks in which they trick organizations into giving them access to their Salesforce cloud-based CRM software instances. Recent victims have included Adidas, Cisco and Google, plus airlines Air France, KLM and Qantas, among others.

Threat intelligence firm Kela said some of the group’s Telegram posts – such as “DO NAAT REDEAM DA SALESFARCE COADE!!!” – reference Salesforce codes. “The actors allegedly obtained these codes via vishing (voice phishing) and used them to access victim data hosted on the Salesforce platform,” Kela said.

Based on the posts to Telegram, “they also appear to have an Oracle WebLogic exploit (unclear if zero day) and a SAP NetWeaver exploit and used that to get inside organizations,” said British cybersecurity expert Kevin Beaumont.

ShinyHunters and Scattered Spider – as well as Lapsus$, which appears to remain less of a going concern – are loosely affiliated efforts that sprang from a cybercrime collective calling itself “The Community,” aka The Com or The Comm. To what extent individuals cross over between the groups remains an open question, although it could simply be one of nomenclature.

A representative who goes by “Shiny” told the privacy researcher who goes by “Dissent Doe” that they are attempting to extort 1 million Australian dollars ($650,000) from Qantas, and sent a ransom demand – they didn’t specify the amount – to Google after the technology giant said Tuesday that it fell victim to the group. Shiny also said the Telegram channel launched Friday got banned and removed by Telegram.

Many ShinyHunters attacks appear to feature data theft and extortion. In contrast, Scattered Spider attacks typically feature not only data theft and extortion, but also ransomware through partnerships with such ransomware operations as Alphv, a.k.a. BlackCat, RansomHub, Qilin and DragonForce. Recently the group has been targeting the aviation sector as well as U.S. insurers.

The launch of a Telegram channel for leaking data stolen by the groups arrived just days after group members denied having any plans to do so. Psychologically speaking, such moves are designed to pressure victims who have declined to pay a ransom into opting to do so, as well as scare future victims into submission (see: Ransomware Groups’ Data Leak Blogs Lie: Stop Trusting Them).

Security experts have been tracking Scattered Spider attacks since 2022.

Multiple participants appear to be very adept at voice phishing attacks against help desks, via which they typically will trick a customer support agent into believing they’re an employee of the organization and “restoring” their access to a legitimate account. From there, the attacker will typically attempt to move laterally through the organization’s IT environment, escalate permissions, steal data and perhaps unleash crypto-locking malware.

By mid-2024, authorities tied attacks conducted under the Scattered Spider banner to breaches of at least 130 organizations, including MGM Resorts and Clorox.

Individuals continue to conduct attacks under both the Scattered Spider and ShinyHunters banners, despite alleged members continuing to get arrested by law enforcement.

Moroccan police in June 2022 arrested Frenchman Sébastien Raoult, aka ShinyHunters member “Sezyo,” at an airport in Morocco. Following his extradition to Seattle, Raoult pleaded guilty and in January 2024, received a three-year prison sentence and was ordered to pay more than $5 million in restitution for committing wire fraud and aggravated identity theft.

Scattered Spider’s then alleged leader, a British national in his early 20s, was arrested in May 2024 in Spain.

In November 2024, Canadian police arrested Alexander Moucka, aka Connor Moucka, on charges tied to stealing terabytes of data from clients of cloud-based data warehousing platform Snowflake, potentially under the Scattered Spider banner. His alleged accomplice, U.S. citizen John Erin Binns, was arrested in May 2024 in Turkey, based on a U.S. indictment charging him with hacking T-Mobile in 2021. The U.S. is seeking Binns’ extradition.

Last month, British law enforcement arrested four young adults in connection with damaging attacks conducted under the Scattered Spider banner. Targets of the ransomware-wielding attackers included major retailers Marks & Spencer and the Cooperative Group.

The public-private U.S. Cyber Safety Review Board in 2023 reported that crossover between the tactics, techniques and procedures used by individuals who align themselves with Lapsus$ and other Com groups, or perhaps interoperate via ad hoc partnerships or alliances, complicates efforts to track relationships between group members or attribute attacks to any specific threat actor (see: Cyber Review: Teens Caused Chaos With Low-Complexity Attacks).


This news is powered by DataBreachToday
