Have ShinyHunters and Scattered Spider Teamed Up? New Cyber Attack Attributions Paint a Complex Picture

August 7, 2025



Two of the biggest names in the data extortion game, Scattered Spider and ShinyHunters, may have a more complex relationship than previously thought. New information from Google’s Threat Intelligence Group (GTIG) and several very recent cyber attacks outline a distinctive intrusion pattern that appears to belong to ShinyHunters, and that in some cases was used in attacks previously attributed to Scattered Spider.

The full picture is not yet clear, but given the available information it seems possible that Scattered Spider is using its social engineering expertise to open doors to target networks and ShinyHunters is then conducting lateral movement and data exfiltration, at least in the cases that fit this profile. Recent cyber attacks on high-profile targets that began in the victims’ Salesforce CRM have prompted re-examination of some older attacks, and raised the question of whether the groups are working together or whether ShinyHunters is simply trying to confuse pursuers.

Some cyber attacks misattributed, may be joint effort

It is best to address the simplest possibility first: that ShinyHunters merely planted “false flags” in its attacks, in this case Okta phishing pages of a type Scattered Spider is known to use, to confuse security analysts. But both groups have recently experienced arrest waves that rattled them, and ShinyHunters has previously told the media that it does not handle the intrusion portion of cyber attacks and sees itself as merely a broker of stolen data.

Several cyber attacks in recent weeks have prompted a re-evaluation of the situation. Hits on LVMH brands (subsidiaries of the France-based luxury goods group), Adidas, Qantas, and Allianz Life all show the same pattern: the attacker targets a “third-party customer relationship management platform.” These companies have not yet confirmed that the platform was Salesforce, but the available details about the attacks point strongly in that direction.

It is important to note that Salesforce itself has not been compromised; rather, the attackers have found a consistently successful way to get into individual customers’ Salesforce environments. Misattribution of some of these attacks to Scattered Spider, such as the early July attack on Qantas, stems from the fact that the group was known to be targeting that industry at the time and that some key details were not available to the public. ShinyHunters also appears to be taking a maximum-stealth approach in these attacks: negotiating privately with victims for a ransom in exchange for not selling or leaking the data (rather than the usual public dumps), and not deploying ransomware once inside an environment.

FBI and security group advisories confused the issue, as did English-language approach

The other common thread is that these cyber attacks target English-speaking personnel with social engineering phone calls as the initial point of contact. However, the two groups have a “yin and yang” approach that distinguishes them. Scattered Spider likes to call IT support desks, ideally third-party ones, pretending to be an employee who needs a password reset. ShinyHunters instead calls an employee known to have Salesforce access, pretending to be the company’s IT support team.

The ShinyHunters approach tries to convince the employee to connect a malicious version of Data Loader by abusing a Salesforce feature that establishes a trusted connection to a connected app when the user simply enters an eight-digit code supplied by the attackers. Once that is done, the attackers hold API access to the Salesforce environment with the victim’s own permissions, which is enough to exfiltrate the CRM data in bulk. Crucially, it also gives them an opportunity to move laterally through connected platforms like Okta and Microsoft 365 and steal an even broader range of data.
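Because the attacker’s connected app acts as the victim user, the detectable trace is not a failed login but a connected app the org has never approved reading sensitive objects in bulk. The script below is an added example written for this article, not code from GTIG, Salesforce or the groups discussed: it runs a simple heuristic over constructed rows in the shape of Salesforce EventLogFile “API” records (CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED are the field names that event type carries). The approved-client list, the sensitive-object list, the thresholds and every log row are assumptions invented for the example and would be tuned per org.

```python
"""Heuristic detector for Data Loader-style bulk exfiltration via an
unapproved Salesforce connected app (added example; sample rows constructed)."""
import csv
import io
from collections import defaultdict

# Constructed sample rows modelled on EventLogFile "API" events. User ...1A is
# ordinary mobile use, user ...1B has authorized an attacker-controlled app
# presenting itself as "Data Loader", user ...1C runs the approved Data Loader.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-07-01T09:02:11Z,005xx0000001A,203.0.113.10,SalesforceMobile,Account,25
API,2025-07-01T09:10:54Z,005xx0000001A,203.0.113.10,SalesforceMobile,Opportunity,12
API,2025-07-01T14:31:07Z,005xx0000001B,198.51.100.7,Data Loader,Contact,200000
API,2025-07-01T14:33:40Z,005xx0000001B,198.51.100.7,Data Loader,Account,45000
API,2025-07-01T14:40:02Z,005xx0000001B,198.51.100.7,Data Loader,Lead,80000
API,2025-07-01T15:00:00Z,005xx0000001C,192.0.2.44,DataLoaderPartnerUI,Contact,500
"""

# Assumed org-specific allowlist of connected app client names approved for bulk API use.
# A lookalike such as "Data Loader" deliberately fails this exact-match check.
APPROVED_BULK_CLIENTS = {"DataLoaderPartnerUI", "DataLoaderBulkUI"}

# Objects whose bulk export should raise an alert (customer PII lives here); assumed.
SENSITIVE_OBJECTS = {"Contact", "Account", "Lead", "Case"}

# Assumed thresholds: a low bar for unapproved clients, a high bar for approved ones.
UNAPPROVED_ROW_THRESHOLD = 1_000
APPROVED_ROW_THRESHOLD = 250_000


def parse_api_events(text):
    """Parse EventLogFile-style CSV text into dicts, keeping only API events
    and coercing ROWS_PROCESSED to an int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("EVENT_TYPE") != "API":
            continue
        row["ROWS_PROCESSED"] = int(row.get("ROWS_PROCESSED") or 0)
        events.append(row)
    return events


def find_bulk_exfil(events, approved=APPROVED_BULK_CLIENTS, sensitive=SENSITIVE_OBJECTS):
    """Aggregate sensitive-object rows per (user, client) and flag bulk pulls.

    Returns a list of findings, each naming the user, the client, its source
    IPs, the per-object row counts, the time window and why it fired.
    """
    per_pair = defaultdict(lambda: {"rows": defaultdict(int), "ips": set(), "ts": []})
    for e in events:
        s = per_pair[(e["USER_ID"], e["CLIENT_NAME"])]
        if e["ENTITY_NAME"] in sensitive:
            s["rows"][e["ENTITY_NAME"]] += e["ROWS_PROCESSED"]
        s["ips"].add(e["CLIENT_IP"])
        s["ts"].append(e["TIMESTAMP_DERIVED"])  # ISO-8601 UTC, so string order is time order

    findings = []
    for (user, client), s in per_pair.items():
        total = sum(s["rows"].values())
        if client in approved:
            threshold, reason = APPROVED_ROW_THRESHOLD, "approved client over volume threshold"
        else:
            threshold, reason = UNAPPROVED_ROW_THRESHOLD, "unapproved connected app pulling sensitive objects"
        if total >= threshold:
            findings.append({
                "user": user,
                "client": client,
                "ips": sorted(s["ips"]),
                "rows_by_object": dict(s["rows"]),
                "total_rows": total,
                "window": (min(s["ts"]), max(s["ts"])),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_bulk_exfil(parse_api_events(SAMPLE_LOG)):
        print(f"[ALERT] user={f['user']} client={f['client']!r} rows={f['total_rows']} "
              f"objects={f['rows_by_object']} ({f['reason']}) from {f['ips']}")
```

Run against the sample, only the “Data Loader” lookalike fires: the approved client stays under its threshold and the mobile user never touches enough sensitive rows. In a real deployment the same aggregation would be fed from the org’s exported event log files, and the allowlist would be cross-checked against the connected apps an administrator has actually approved, since the attack relies on a user approving one nobody vetted.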

The theory of possible cooperation between the two groups begins with the fact that Scattered Spider has adopted a more flexible posture since it was hit with a disruptive wave of arrests last year, reportedly now seeing cyber criminals from other groups come and go freely for particular cyber attacks. ShinyHunters was hit by its own wave of arrests last year, with a number of individuals picked up for running and maintaining BreachForums, its stomping ground. Both teams are affiliated with a larger decentralized group called “The Com” that appears to engage in resource sharing and seems to focus on bringing English-speaking cyber criminals together.

Regardless of how successful the recent actions against them have been, both groups remain a substantial threat. Potentially targeted employees should be educated about these known approaches, and the security posture of contractors, especially outsourced IT help desks, should be reviewed. Salesforce administrators can also restrict which connected apps users are allowed to authorize and review login history for unfamiliar application names.