Last Friday (8 Aug), a group linked to Scattered Spider launched a new Telegram channel and began bragging about data breaches, extortion attempts, and new ransomware capabilities.
The group was named “Scattered Spider LAPSU$ Sp1d3r Hunters, UNC3944,” a possibly joking reference to several of the most well-known ransomware groups operating today. UNC3944 is the threat group name Google’s Mandiant threat research team has applied to Scattered Spider.
Cybersecurity researchers believe that these groups are very closely tied, with members coming and going between the different affiliates. This loose collective has called itself “The Community” or “The Com.” It’s possible that several members of one or more of these groups were in the Telegram channel.
Malware researcher @vxunderground on X and threat intelligence platform FalconFeeds.io have detailed several of the messages posted to the group, which contain information and screenshots purporting to show new leaks and apparent ransomware capabilities.
One of the well-known brands named in the channel was Coca Cola. The group dumped data from an alleged breach of “Coca Cola Euro-Pacific Partnership,” a UK-based bottling company. According to @vxunderground, the data was taken from a Salesforce instance using a method commonly associated with Scattered Spider.
The data is “non-critical” and primarily contains information on vendors and representatives that purchase stock from Coca Cola, information which may already be public, @vxunderground explains. However, it is possible these companies or individuals may later be targeted by the group(s).
Other brands mentioned in the channel included Gucci, Chanel, and Victoria’s Secret, all of which have been recent targets of the Scattered Spider gang. Subaru was also mentioned, which is not a known victim, reports BankInfoSecurity.
Other activity included sharing partial data leaks and pitches for extortion payments, posting interactive polls that let channel members vote on whether victim data should be released, and issuing countdowns to put more pressure on victims.
Members also promoted a new ransomware-as-a-service offering named “SHINYSP1D3R,” claiming to hold an inventory of zero-day exploits ready to be used against targets. However, it is unclear how accurate these claims are, FalconFeeds.io reports.
Many of the group’s messages simply mock data privacy laws, cybersecurity vendors, and victims. CrowdStrike, Mandiant, and the FBI were common targets of derogatory memes.
The group was eventually shut down by Telegram on August 11, researcher Kevin Beaumont reported.
Who Are “Scattered Spider”?
CISA has described Scattered Spider as a criminal group that targets “large companies and contracted IT help desks.” They have been active since 2022 and typically target companies in the USA, UK, Canada, and Australia.
Google Mandiant describes the group as a “financially-motivated” threat actor characterized by social engineering and “brazen communication” with victims.
Scattered Spider typically steal data and then pressure companies to pay in order to keep the stolen data from being published, an increasingly common evolution of the typical ransomware playbook. They are known for their use of “DragonForce” ransomware and for using social engineering and voice phishing to trick organizations into granting them access to Salesforce CRM instances.
The group has been linked to several other ransomware gangs. As mentioned, these loosely affiliated groups sometimes go by the name “The Community.”
The National Crime Agency (NCA) in the UK linked Scattered Spider to a wave of DragonForce ransomware attacks on major high street retailers. The gang appears to be made up mostly of teenagers and young adults. Last year, US law enforcement charged five British and American men and teenagers for alleged Scattered Spider attacks.
In July, UK police arrested two men aged 19, a boy aged 17, and a woman aged 20 allegedly linked to Scattered Spider, on suspicion of “Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.”