The cybercrime landscape has recently been stirred by announcements from two notorious hacking groups, Scattered Spider and ShinyHunters, declaring their retirement. Despite these proclamations, the cybersecurity community remains skeptical, suspecting that these groups may continue their illicit activities under different guises.
Background on Scattered Spider and ShinyHunters
Scattered Spider has been active for several years, targeting sectors such as retail, insurance, and aviation. Notably, they orchestrated a widespread hacking campaign against Salesforce, affecting major corporations like Google. Over the past year, law enforcement agencies have arrested, charged, and sentenced several individuals linked to this group.
ShinyHunters, known for their extortion tactics, have been implicated in recent attacks alongside Scattered Spider, leading to speculation about a possible merger between the two groups.
The Retirement Announcement
Last week, a manifesto attributed to both groups surfaced online, detailing their recent high-profile hacks and openly challenging law enforcement efforts. The statement concluded with, “Our objectives having been fulfilled, it is now time to say goodbye.”
Industry Skepticism
Despite the announcement, cybersecurity experts advise caution. James Maude, Field CTO at BeyondTrust, recalled a similar situation in 2019 when the GandCrab ransomware group announced their retirement after amassing over $2 billion. Shortly thereafter, REvil ransomware emerged, bearing striking similarities to GandCrab, suggesting a mere rebranding rather than a genuine cessation of activities.
Maude further noted that groups like Scattered Spider and ShinyHunters operate as loosely connected individuals. This structure makes it more plausible for them to disband and reform under new identities rather than truly retire.
Continued Activity Post-Announcement
Threat intelligence firm KELA observed that on August 18, Scattered Spider and ShinyHunters announced the deletion of their Telegram channel, only to create a new one on August 28. Despite their recent retirement declaration, the groups have not deleted their current channel and continue to post, including sharing FBI reports about themselves.
Potential Motivations Behind the Announcement
Cian Heasley, Principal Consultant at Acumen Cyber, suggests that the retirement claim might be a strategic move to buy time, possibly due to internal disagreements or concerns about legal repercussions.
The groups’ farewell message also indicated that any forthcoming data breach disclosures would stem from past attacks and should not be interpreted as signs of ongoing activity. They added, “We have decided that silence will now be our strength.”
Implications for Future Cyber Threats
Casey Ellis, founder of Bugcrowd, interprets the emphasis on silence as a potential shift towards more covert operations or offering their expertise to other malicious actors. He posits that members might transition into other forms of cybercrime, such as hacking-for-hire or fraud.
Sam Rubin, Senior Vice President at Palo Alto Networks, warns that even if public operations pause, risks remain. Stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names. He emphasizes that silence from a threat group does not equate to safety, urging organizations to remain vigilant.
Nivedita Murthy, Senior Staff Consultant at Black Duck, points out that even if some groups decide to step back, it doesn’t prevent copycat groups from emerging and filling the void.
Maude concurs, highlighting that the lucrative nature of cybercrime ensures that any vacated space will be quickly occupied by new or rebranded entities.
Conclusion
While Scattered Spider and ShinyHunters have publicly announced their retirement, the cybersecurity industry remains cautious. Historical patterns and recent activities suggest that such declarations may be strategic diversions rather than genuine cessations. Organizations are advised to maintain robust security measures and stay alert to evolving threats in the cyber landscape.