Recent investigations have linked a series of cyberattacks targeting financial institutions to the notorious cybercrime group known as Scattered Spider, contradicting their earlier assertions of ceasing operations.
ReliaQuest, a threat intelligence firm, has observed a shift in Scattered Spider’s focus towards the financial sector. This is evidenced by an uptick in domains mimicking legitimate financial services, potentially associated with the group, and a recent targeted intrusion into an unnamed U.S. banking organization.
In this incident, Scattered Spider gained initial access by socially engineering an executive’s account, resetting their password through Azure Active Directory Self-Service Password Management. Subsequently, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to extract credentials and further infiltrate the network.
To escalate their privileges, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection. There are also indications that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.
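The reset-then-escalate sequence described above (a self-service password reset on a hijacked account, followed shortly by a Global Administrator assignment) is a pattern a defender can correlate in Entra ID (Azure AD) audit logs. The following is an added example, not code from ReliaQuest or the article; the audit records are constructed samples, and the field names (`activityDisplayName`, `initiatedBy`, `target`, `role`) are assumptions modelled on the audit log export rather than a verified schema.

```python
import json
from datetime import datetime, timedelta

# Constructed Entra ID audit records (not real data); field names are an
# assumption for this example. Timestamps are UTC ISO-8601.
SAMPLE_AUDIT_JSON = """
[
 {"activityDateTime": "2025-09-01T09:00:00Z", "activityDisplayName": "Reset password (self-service)",
  "initiatedBy": "alice@corp.example", "target": "alice@corp.example", "role": null},
 {"activityDateTime": "2025-09-01T09:45:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": "alice@corp.example", "target": "svc-veeam@corp.example", "role": "Global Administrator"},
 {"activityDateTime": "2025-09-01T10:00:00Z", "activityDisplayName": "Reset password (self-service)",
  "initiatedBy": "bob@corp.example", "target": "bob@corp.example", "role": null},
 {"activityDateTime": "2025-09-01T10:20:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": "carol@corp.example", "target": "dave@corp.example", "role": "Helpdesk Administrator"}
]
"""

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_sspr_to_privilege_chains(events, window_minutes=120):
    """Return one finding per self-service password reset that is followed, within
    the window, by a privileged role grant either initiated by the reset account or
    targeting it. Both directions matter: the hijacked account may grant the role to
    itself or to a service account (as with the Veeam account in the incident)."""
    findings = []
    resets = [e for e in events if e["activityDisplayName"] == "Reset password (self-service)"]
    grants = [e for e in events if e["activityDisplayName"] == "Add member to role"
              and e.get("role") in PRIVILEGED_ROLES]
    for r in resets:
        acct, t0 = r["target"], _ts(r["activityDateTime"])
        for g in grants:
            t1 = _ts(g["activityDateTime"])
            in_window = t0 <= t1 <= t0 + timedelta(minutes=window_minutes)
            if in_window and acct in (g["initiatedBy"], g["target"]):
                findings.append({"reset_account": acct, "reset_time": r["activityDateTime"],
                                 "role": g["role"], "role_target": g["target"],
                                 "minutes_after_reset": int((t1 - t0).total_seconds() // 60)})
    return findings


def run_sample():
    return find_sspr_to_privilege_chains(json.loads(SAMPLE_AUDIT_JSON))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Only the alice reset is flagged: bob's reset has no privileged grant after it, and carol's Helpdesk Administrator grant is outside the privileged role set.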
Exit or Smokescreen?
This recent activity undermines the group’s previous claims of ceasing operations alongside 14 other criminal groups, such as LAPSUS$. Scattered Spider is part of a broader online entity called The Com, which shares significant overlap with other cybercrime crews like ShinyHunters and LAPSUS$. These clusters have collectively formed an overarching entity named Scattered LAPSUS$ Hunters.
Notably, ShinyHunters has engaged in extortion efforts after exfiltrating sensitive data from victims’ Salesforce instances. These activities occurred months after the targets were compromised by another financially motivated hacking group tracked by Mandiant as UNC6040.
ReliaQuest emphasizes the importance of remaining vigilant against such threats, cautioning organizations not to be lulled into a false sense of security. As with ransomware groups, retirement claims should be viewed skeptically, as these groups often regroup or rebrand under different aliases.
Karl Sigler, security research manager of SpiderLabs Threat Intelligence at Trustwave, suggests that the group’s retirement announcement is likely a strategic move to distance themselves from increasing law enforcement pressure. He notes that such farewell letters should be viewed as a strategic retreat, allowing the group to reassess its practices, refine its tradecraft, and evade ongoing efforts to put a lid on its activities, while also complicating attribution by making it harder to tie future incidents to the same core actors.
He further suggests that the group may have faced internal disruptions, such as a compromised operational infrastructure, breached systems, exposed communication channels, or the arrest of lower-tier affiliates. Historically, when cybercriminal groups face heightened scrutiny or internal disruption, they often retire in name only, opting instead to pause, regroup, and eventually re-emerge under a new identity.