Scattered Spider: New Faces and Strategies in Cybercrime
A Strategic Shift in Cybercrime
Scattered Spider, a notorious group in the cybercrime landscape, is undergoing a significant transformation in its operational methods. Moving away from its previous pattern of chaotic data breaches, the group is now adopting a more refined approach that combines elements of Ransomware-as-a-Service (RaaS) with insider threat operations. It is strategically building a network of internal collaborators within major tech and telecommunications companies, including industry giants like Microsoft and Apple.
From High-Profile Attacks to Access Brokerage
Previously known for their sensational data leaks and high-profile breaches, Scattered Spider has shifted gears toward access brokerage. Instead of solely focusing on data exfiltration, they are now engaged in buying and selling privileged access to corporate systems, creating a more stealthy and profitable business model.
This transition sees them actively recruiting insiders from key industries such as telecommunications, cloud software, gaming, and business process outsourcing. Notable target companies include prominent names like Microsoft, Apple, IBM, and others spread across multiple geographies, including the US, UK, Australia, Canada, and France.
Profit Incentives for Insiders
Recent announcements from Scattered Spider reveal an enticing offer for potential accomplices. The group is willing to share 25% of profits with insiders who can provide access to Active Directory (AD) systems and 10% for access to identity platforms such as Okta or AWS IAM root credentials. This shift towards a profit-sharing model reflects a growing trend in cybercrime where insiders are not just regarded as information sources, but as partners in illicit activities.
Access Over Data: A New Ethos
The group’s rationale is clear: “We already have the data. We need access.” This statement encapsulates their shift from opportunistic hacking to a more calculated method of cyber extortion. Their focus is on establishing ongoing footholds within high-value systems, leading to sustained opportunities for exploitation.
In addition to targeting high-value access points, they are also interested in purchasing remote access tools, such as VPN credentials and AnyDesk sessions. These tools can then be resold to ransomware affiliates, further expanding their network of illicit transactions.
Targeting Major Corporations
Operating under the Scattered LAPSUS$ Hunters banner, the group has recently rolled out a new dark web leak site to amplify its extortion tactics. Following breaches at notable firms like Salesloft and Salesforce, it asserts that it has compromised around 40 different companies and is threatening to release entire datasets unless its ransom demands are met by the set deadline.
Salesforce has responded to these threats, stating publicly, “There is no indication that the Salesforce platform has been compromised. Our findings indicate these attempts relate to past or unsubstantiated incidents.”
Despite assurances from companies like Salesforce, Scattered Spider remains unyielding, claiming they have access to nearly 1 billion records containing sensitive Personally Identifiable Information (PII). They have also highlighted Berger Montague, a law firm with expertise in data privacy, as a potential ally in a civil lawsuit against companies that do not comply with their demands.
Regulatory Threats and Legal Implications
The group is not only threatening to disclose sensitive data but also warning companies about potential regulatory violations under laws like GDPR and CCPA. One of their statements reflects their intention to expose how companies, as data controllers, could have thwarted such intrusions.
Critique of Cloud Security Practices
In a recent communication, the group criticized the conventional “shared responsibility” model associated with cloud security, arguing that major platforms like Salesforce push too much of the security burden onto customers. It claimed that fundamental security measures, such as YARA rules to block known threats, were not adequately implemented, leaving customers excessively exposed.
A Wide Net of Potential Targets
The leak site operated by Scattered Spider lists several high-profile corporate targets, including major brands like Microsoft, Apple, Google, Cisco, and many others. This expansive targeting not only reinforces the group’s bold stance in the cybercrime arena but also highlights the precarious positions many companies find themselves in regarding their cybersecurity measures.
As they continue to refine their strategies, Scattered Spider represents a growing trend toward more sophisticated and collaborative forms of cybercrime that challenge both industry leaders and information security professionals alike.