
Researchers serve up ShinyHunters, Scattered Spider link


The ShinyHunters hacking collective responsible for a wave of cyber attacks orchestrated through Salesforce products is likely collaborating with the Scattered Spider gang that brought down systems at Marks & Spencer earlier this year, according to new research.

In a report published today, ReliaQuest researchers Kimberley Bromley and Ivan Righi argue that there is now plenty of evidence, albeit some of it highly circumstantial, suggesting a deliberate partnership between the two operations, both of which have previously been linked to the broader cyber crime community known as The Com.

They described a dramatic shift in ShinyHunters' tactics that moves the group well beyond its earlier modus operandi, which centred largely on credential theft and database exploitation, to include "hallmark" Scattered Spider techniques.

These include the adoption of highly targeted voice phishing, or vishing, campaigns that impersonate IT support staff to get victims to connect a malicious app (Salesforce Data Loader in the current campaign) that lets the attackers steal data; the use of Okta-themed phishing pages to trick victims into entering their credentials; and the use of the legitimate Mullvad virtual private network (VPN) service to carry out data exfiltration.

"These tactics align closely with Scattered Spider's trademark techniques and those of the broader collective, The Com, fuelling speculation about active collaboration between the groups," wrote Bromley and Righi.

Evidence adds up

The ReliaQuest team offered further evidence of a link, saying that the two groups also appear to be targeting similar verticals (retail, insurance and aviation) across the same rough timeline, and that they seem to take a similar approach to the naming conventions used when registering their domains. Based on their analysis of newly registered domains that match the naming convention favoured by ShinyHunters and Scattered Spider, Bromley and Righi warned that financial services companies are likely to be targeted next and should now be on high alert.

More evidence has recently emerged of a user persona associated with ShinyHunters, known as Sp1d3rhunters. This account, which first appeared on the BreachForums data leak site in 2024, when it was linked to ShinyHunters' breach of Ticketmaster, has allegedly claimed that ShinyHunters and Scattered Spider are the same group, and moreover always have been.

"If these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year," said the researchers.

Broader significance

Conceding that it would be possible to spend months dissecting the clues that suggest ShinyHunters and Scattered Spider are working together, Bromley and Righi said it was important for defenders not to lose sight of the broader significance of the ongoing attacks: they are succeeding not because of who orchestrated them, but because of how they were executed.

"Threat actors frequently rotate infrastructure, change names, and adapt their TTPs to evade detection and maximise impact," they said.

"As a result, tracking the behavioural patterns and evolving TTPs behind these campaigns is far more valuable than focusing solely on indicators of compromise (IOCs) or attribution.

"For security leaders, understanding this fluid and persistent threat landscape is key to anticipating future attacks and making informed decisions about security strategy and resource allocation."
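The two points above, the vishing-then-connected-app-then-exfiltration chain described earlier in the article and the researchers' advice to hunt on behaviour rather than IOCs, can be turned into one detection rule. The following is an added example written for this page; it is not ReliaQuest's or Salesforce's code. The record layout (event type, user, app name, client IP, row count, timestamp), the sample events, the "known apps" allowlist and the VPN exit prefixes are all constructed for illustration: the prefixes are documentation ranges, not Mullvad's real address space, and you would normally load real exit ranges from a provider feed. The rule keys on a sequence of behaviours (a connected app the org has never approved is authorised, then the same user runs a large bulk export within a short window, optionally from a VPN exit) rather than on any specific app name, domain or IP, so it survives the infrastructure rotation the researchers describe.

```python
"""Behavioural detection over constructed Salesforce-style event records.

Added example for this article, not code from ReliaQuest or Salesforce.
Field names and sample data are assumptions for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable

# Constructed placeholder prefixes (RFC 5737 documentation ranges), standing in
# for a VPN provider's exit-node list. Not Mullvad's real address space.
VPN_EXIT_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

WINDOW = timedelta(hours=2)        # how soon after app authorisation we look for export
BULK_ROW_THRESHOLD = 10_000        # rows that count as a "large" export (tune per org)


@dataclass
class Event:
    ts: datetime
    event_type: str   # assumed values: "login", "app_authorised", "bulk_export"
    user: str
    client_ip: str
    app: str = ""     # connected app name for app_authorised events
    rows: int = 0     # rows processed for bulk_export events


@dataclass
class Finding:
    user: str
    score: int
    reasons: list[str] = field(default_factory=list)


def is_vpn_exit(ip: str) -> bool:
    """True if the source address falls inside a known VPN exit prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXIT_RANGES)


def detect(events: Iterable[Event], known_apps: set[str]) -> list[Finding]:
    """Score each user on the chain: unknown connected app authorised, then a
    large bulk export within WINDOW, with extra weight if it comes from a VPN exit.
    Only chains scoring 3 or more (app + export) are reported."""
    by_user: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    findings: list[Finding] = []
    for user, evs in by_user.items():
        for auth in (e for e in evs if e.event_type == "app_authorised"
                     and e.app not in known_apps):
            f = Finding(user=user, score=1,
                        reasons=[f"new connected app authorised: {auth.app}"])
            for later in evs:
                if later.ts <= auth.ts or later.ts - auth.ts > WINDOW:
                    continue
                if later.event_type == "bulk_export" and later.rows >= BULK_ROW_THRESHOLD:
                    f.score += 2
                    f.reasons.append(
                        f"bulk export of {later.rows} rows {later.ts - auth.ts} after authorisation")
                    if is_vpn_exit(later.client_ip):
                        f.score += 1
                        f.reasons.append(f"export sourced from VPN exit {later.client_ip}")
            if f.score >= 3:
                findings.append(f)
    return findings


# Constructed sample data. "DataLoader-Support" is an invented app name chosen to
# look like a helpdesk-pushed tool; it is not a real connected app.
KNOWN_APPS = {"Salesforce Mobile", "Slack"}
SAMPLE_EVENTS = [
    Event(datetime(2025, 9, 1, 9, 2), "login", "alice", "192.0.2.10"),
    Event(datetime(2025, 9, 1, 9, 5), "app_authorised", "alice", "192.0.2.10",
          app="DataLoader-Support"),
    Event(datetime(2025, 9, 1, 9, 45), "bulk_export", "alice", "198.51.100.7", rows=250_000),
    Event(datetime(2025, 9, 1, 10, 0), "app_authorised", "bob", "192.0.2.11", app="Slack"),
    Event(datetime(2025, 9, 1, 10, 30), "bulk_export", "bob", "192.0.2.11", rows=50_000),
    Event(datetime(2025, 9, 1, 11, 0), "app_authorised", "carol", "192.0.2.12",
          app="Unknown Reporting Tool"),
]


def run_sample() -> list[Finding]:
    """Run the rule over the constructed events; only alice's chain should fire."""
    return detect(SAMPLE_EVENTS, KNOWN_APPS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.user}: score {finding.score}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Bob's export comes after a known app and from a corporate address, so it produces nothing; Carol authorises an unknown app but never exports, so her score stays below the reporting threshold. Only Alice's sequence fires, and it would fire just the same if the attackers renamed the app, moved to a different VPN provider or registered new phishing domains, which is the point the researchers make about behaviour outliving IOCs.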

They warned that the cyber attack campaigns were likely to continue regardless of whether the two groups are working together or are one and the same, adding that others may also attempt to emulate the success of the high-profile attacks by adopting similar tactics.

"These recent campaigns showcase the effectiveness of a new wave of English-speaking threat actors highly skilled in social engineering," they said.