Seriously Risky Business Newsletter
July 10, 2025
Four Key Players Drive Scattered Spider
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Knocknoc.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A small number of key individuals are organising the activities of the group known as Scattered Spider, according to researchers at security firms. If it's true, there is hope that targeted approaches might bring some respite from the group's carnage.
Scattered Spider is responsible for a number of significant, high-impact hacks that have left many victim organisations struggling to recover, sometimes for months. The group first achieved notoriety in 2023 for the hacks of Caesars Entertainment and MGM Resorts International. Since May this year the group is believed to have struck retailers in the UK and the US, insurance companies, and then airlines in quick succession. Overall, it's responsible for the compromise of hundreds of companies since 2022. It is financial cybercrime's apex predator.
Its cybercrime activity is characterised by the use of highly effective social engineering to gain initial access to victims. This is followed up by brutally efficient post-compromise activities to steal data, deploy ransomware and cause mayhem in double-quick time.
This week, reporting indicated that at least some cyber security firms believe the group has a very small number of key personnel.
Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop that Scattered Spider has between two and four senior operators. This very small group of project managers coordinates with initial access brokers, ransomware affiliates and negotiators.
Adam Meyers, Crowdstrike's SVP for counter-adversary operations, agrees, per Wired:
Meyers says Crowdstrike believes that Scattered Spider has roughly four core members, which drive the targeting of potential victims and "leverage" resources from the wider Com ecosystem as needed.
As far back as 2023, ransomware incident response firm Coveware wrote the group's success appeared to rely on just a few key individuals:
One of the most common overlapping tactics observed was the skillful social engineering of the IT support desk to subvert, reset or overcome multi-factor authentication. Not only did we consistently see this tactic, but voice recordings from impacted enterprises confirmed that this group was consistently using the same two or three individuals to perform the social engineering.
This is in contrast to our previous understanding of the group. Last year, Bryan Vorndran, the assistant director of the FBI's cyber division, said that Scattered Spider is made up of about 1,000 people. At the time we wrote:
Given its size and the very loose affiliations between members, we don't think it makes sense to talk about Scattered Spider as a 'group', so much as a community that shares a collection of techniques, with members who occasionally team up for particular projects. It's more like Hollywood rather than Sony Pictures Entertainment.
This made us doubt that Scattered Spider was even susceptible to traditional law enforcement actions like arrests. Would arresting the cast of Oppenheimer stop Hollywood making movies?
The presence of key individuals with elite skills in social engineering or, ahem, effective project management, makes us more optimistic about the effects of targeted law enforcement actions. Perhaps detaining the four best directors would slow down Hollywood.
John Hultquist, Chief Analyst at Google's Mandiant, told Wired that "deterrence is extremely difficult because we’re essentially fighting a marketplace where a lot of the actors are replaceable".
Still, Hultquist acknowledges that the group has "some uniquely skilled actors… when it comes to social engineering", and there is circumstantial evidence that arrests slow the monster. Five individuals were arrested in connection with Scattered Spider attacks last year. Coincidentally, there was a slowdown in the group's activities around the same time.
Arrests certainly won't eliminate Scattered Spider's activities, and many of its members fly under the radar, such as by stealing cryptocurrency from individuals rather than high-profile organisations. But we are now optimistic that targeting the four 'studio execs' of this particular horror film will stem the bleeding, at least for a while.
Intelligence for Sale Will Annoy Beijing but Amuse Us Immensely
Leaks from Chinese cyber espionage firms are being offered to the highest bidder on an underground forum. It looks like there could be actionable intelligence in these leaks and we can’t help but wonder: Is this the beginning of a Chinese espionage-as-a-service market? We hope so!
Last week, the aptly named security firm SpyCloud published its analysis of two purported data leaks offered for sale on the English-language DarkForums data breach site.
One DarkForums post offered data from VenusTech, a major IT security vendor in China with close links to the government. The description of the leak, reproduced as posted:
selling sourced leaked documents dump of chinese tech company. includes papers, products sold to government, accesses, clients and more random sh[*]t sold to highest bidder after 48h. crossposted
The post included 16 screenshots of what appear to be VenusTech documents, presentations, spreadsheets and contracts.
One of the screenshots shows a spreadsheet that looks to contain details of collection targets and the cadence of data retrieval. SpyCloud says one entry in that spreadsheet suggests VenusTech has access to the Korean National Assembly’s email server and "is contracted to deliver four updates of data per month from this access to an unnamed customer at the price of 65,000 yuan [about $9,000 USD]".
Other entries in the same screenshot refer to Indian, Thai and Taiwanese entities. One suggests that the entire contents of the Taiwan National Development Council file server is provided for 85,000 yuan per month. That's more than any of the other targets listed, which could imply it is a higher priority target.
The other DarkForums post SpyCloud examined is titled "Chinese government hacking group [Salt Typhoon]: Banking Data + Internal Files". It offers:
selling first-hand data from hacking companies working for the central government. Data includes employee data, financial data of companies and banking data, router configurations of hacked routers with passwords and chats of employees and officials being investigated.
Data: CSV, XLSX, TXT, PDF
Salt Typhoon is the Chinese state-backed group that has had outrageous success compromising US telecommunications companies.
The post's author provided multiple data samples. One sample includes the names, national ID numbers and phone numbers of seven Chinese citizens who the author claims are Salt Typhoon employees. Another includes IP addresses of some of the routers hacked by Salt Typhoon and links to their configurations.
SpyCloud couldn't confirm the legitimacy of the samples, but the details were consistent with other information the firm found independently. For example, the personal details appear to be from real Chinese individuals and some of the people identified are even linked to Sichuan Juxinhe Network Technology Company. That firm was sanctioned by the US government for its "direct involvement" with Salt Typhoon. Some of the sample IP addresses pointed to types of routers that Salt Typhoon is known to have compromised.
The i-SOON data leak, in February 2024, provided fascinating insight into how China's cyber espionage ecosystem operated. These new data sets don't add much to our understanding of the bigger picture, but they appear to contain specific details that could be very useful for counterintelligence.
For example, the seller of the Salt Typhoon-related leak says the full dataset contains information on 242 hacked routers, including their passwords. That could be used for identification and remediation of compromised devices and networks.
Just last month we wrote about the appearance of Russian FSB documents for sale on Telegram and speculated about the development of an espionage-as-a-service market. The group responsible, known as Ares Leaks, is certainly having a crack at developing classified documents for sale as a product line. But while the documents in that case were interesting, they were not particularly actionable. We also didn't think that selling on Telegram was a good idea as it’s highly likely that Russian authorities have access to the service. It was an interesting idea, but we weren't entirely convinced that Russian espionage-as-a-service would take off.
There are at least a couple of reasons a Chinese market might be more viable than a Russian one, though. The sheer size of China's cyber espionage ecosystem means there are far more potential sellers. Pay and conditions in some of these firms are not great, so a lucrative side-hustle could be attractive. To put it more succinctly, there are more potential vendors with more reasons to sell.
Importantly, assuming they are legit, these latest Chinese documents are actionable and could be used to satisfy short-term counterintelligence goals. In our view, this is the kind of stuff that is worth spending a few bucks on. If it pans out in the short-term it's a win. And if it encourages more leakers from China's cyber espionage firms? That's double happiness.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Microsoft shuts 3,000 North Korean IT worker accounts: In a blog post describing the North Korean IT worker scam, Microsoft announced that it had suspended Outlook and Hotmail consumer accounts created by the fraudulent workers.
- Android phones to get Stingray detection: Ars Technica reports that new Android 16 phones will have the ability to alert users of Stingrays, aka cell site simulators. These devices are used by law enforcement and others to snoop on cell phones.
- Spyware schadenfreude: TechCrunch reports the administrator of the Catwatchful stalkerware app was identified because his app had a security vulnerability and his own personal information had been captured. The administrator's details were in the first record in the app's back-end database and included his full name and personal email address. TechCrunch says the administrator "opened our emails, but did not respond to our requests for comment sent in both English and Spanish".
Sponsor Section
In this sponsored interview, Patrick Gray chats with the CEO of Knocknoc, Adam Pointon.
They talk about the woeful state of internal enterprise networks and how many control system networks aren’t appropriately segmented.
Adam also explains why Knocknoc released a very simple identity aware proxy: For too long the Zero Trust “industry” has focussed on securing access to critical applications, while everything else is left behind to get owned. This is Zero Trust for crappy apps! Zero Trust for the rest of us!
In this product demo , Knocknoc CEO Adam Pointon walks Patrick Gray through the Knocknoc secure access platform. Knocknoc is a platform that restricts network and service availability to authenticated users via existing network security equipment. Users don't need to install an agent. It also has an identity-aware proxy component that supports web applications and RDP.
Shorts
Crypto Investigation of North Korean IT Workers
Cryptocurrency investigator ZachXBT has posted an interesting thread on fraudulent North Korean IT workers.
He has tracked cryptocurrency payments of USD$16 million to IT worker-associated accounts since January this year. That works out to between 345 and 920 jobs infiltrated, depending upon whether the monthly salaries are USD$3k or USD$8k.
He also busts a few myths.
He finds that IT workers increasingly use US cryptocurrency exchanges. Binance was once the exchange of choice, but its processes have improved and it is now rarely used in the scam.
And although people believe "crypto projects have the most DPRK ITW [North Korean IT workers]... the issue is just as bad if not worse at traditional tech companies".
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how there is an opportunity for the US to expand its 0day and talent acquisition pool to Asia. They revisit a paper comparing the Chinese and American 0day acquisition strategies and have some quibbles.
Or watch it on YouTube!
From Risky Bulletin:
Browser extensions hijacked for web scraping botnet: More than one million users have installed browser extensions that turn their browsers into proxies for a web scraping botnet.
The extensions contain a library named Mellowtel that waits for users to go inactive, disables page security protections, and then loads a remote website inside a hidden iframe. The parsed/scraped website is then sent to a remote URL for analysis.
SecureAnnex found the Mellowtel library in 245 extensions for Chrome, Edge, and Firefox.
[more on Risky Bulletin]
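The behaviour described above (wait for the user to go idle, strip the protections that stop third-party pages being framed, load a remote page in a hidden iframe) leaves recognisable traces in an extension bundle. As an added defender-side example, not code from the page, from SecureAnnex or from the Mellowtel library, the following Python triage script scans an unpacked extension (a mapping of file name to content) for those traces. The indicators it looks for, the assumed mechanism for disabling page protections (declarativeNetRequest `modifyHeaders` rules removing `X-Frame-Options` and `Content-Security-Policy` on sub-frame responses), and both sample bundles are constructed assumptions for the example; none of it is derived from the real extensions.

```python
"""Heuristic triage of an unpacked browser-extension bundle.

Flags the three behaviours a page-scraping extension would need: an idle-state
listener, removal of framing/CSP response headers, and creation of a hidden
iframe. All indicators are assumptions chosen for this example (constructed).
"""
import json
import re

# Response headers whose removal lets an arbitrary third-party page be framed.
PROTECTION_HEADERS = {"x-frame-options", "content-security-policy"}

IDLE_RE = re.compile(r"\b(?:chrome|browser)\.idle\.(?:onStateChanged|queryState)")
IFRAME_RE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)")
HIDDEN_RE = re.compile(
    r"display\s*[:=]\s*['\"]?none|visibility\s*[:=]\s*['\"]?hidden|"
    r"(?:width|height)\s*[:=]\s*['\"]?0(?:px)?\b")

# Constructed sample bundle (file name -> content); not a real extension.
SUSPICIOUS_BUNDLE = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Example Page Helper (constructed)",
        "permissions": ["idle", "declarativeNetRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "declarative_net_request": {
            "rule_resources": [{"id": "rules", "enabled": True, "path": "rules.json"}]},
        "background": {"service_worker": "bg.js"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }),
    "rules.json": json.dumps([{
        "id": 1, "priority": 1,
        "action": {"type": "modifyHeaders", "responseHeaders": [
            {"header": "X-Frame-Options", "operation": "remove"},
            {"header": "Content-Security-Policy", "operation": "remove"}]},
        "condition": {"urlFilter": "*", "resourceTypes": ["sub_frame"]},
    }]),
    "bg.js": "chrome.idle.onStateChanged.addListener(s => {\n"
             "  if (s === 'idle') chrome.tabs.query({}, tabs => tabs.forEach(t =>\n"
             "    chrome.tabs.sendMessage(t.id, {go: 'https://site.example/'})));\n});\n",
    "content.js": "chrome.runtime.onMessage.addListener(m => {\n"
                  "  const f = document.createElement('iframe');\n"
                  "  f.style.display = 'none'; f.src = m.go;\n"
                  "  document.body.appendChild(f);\n});\n",
}

# Constructed benign bundle for comparison: a popup that stores a value.
CLEAN_BUNDLE = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Notes (constructed)",
                                 "permissions": ["storage"],
                                 "action": {"default_popup": "popup.html"}}),
    "popup.js": "document.getElementById('save').onclick = "
                "() => chrome.storage.local.set({n: 1});\n",
}


def load_dnr_rules(files, manifest):
    """Collect static declarativeNetRequest rules referenced by the manifest."""
    rules = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        if res.get("path") in files:
            rules.extend(json.loads(files[res["path"]]))
    return rules


def header_removal_findings(rules):
    """One finding per rule action that removes or rewrites a protection header."""
    out = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if name in PROTECTION_HEADERS and hdr.get("operation") in ("remove", "set"):
                out.append({"kind": "header_removal", "where": f"rule {rule.get('id')}",
                            "detail": f"{hdr.get('operation')} {name}"})
    return out


def script_findings(files):
    """String-level indicators in every .js file of the bundle."""
    out = []
    for name, content in files.items():
        if not name.endswith(".js"):
            continue
        if IDLE_RE.search(content):
            out.append({"kind": "idle_listener", "where": name,
                        "detail": "acts on the user's idle state"})
        if IFRAME_RE.search(content) and HIDDEN_RE.search(content):
            out.append({"kind": "hidden_iframe", "where": name,
                        "detail": "creates an iframe and hides it"})
    return out


def scan_bundle(files):
    """Return all findings for a bundle given as {file name: content}."""
    manifest = json.loads(files.get("manifest.json", "{}"))
    findings = []
    if "<all_urls>" in manifest.get("host_permissions", []):
        findings.append({"kind": "broad_hosts", "where": "manifest.json",
                         "detail": "host_permissions grants <all_urls>"})
    findings += header_removal_findings(load_dnr_rules(files, manifest))
    findings += script_findings(files)
    return findings


def verdict(findings):
    """'suspicious' needs both the framing bypass and the hidden frame together."""
    kinds = {f["kind"] for f in findings}
    if {"header_removal", "hidden_iframe"} <= kinds:
        return "suspicious"
    if kinds & {"header_removal", "hidden_iframe", "idle_listener"}:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, bundle in (("suspicious", SUSPICIOUS_BUNDLE), ("clean", CLEAN_BUNDLE)):
        found = scan_bundle(bundle)
        print(label, "->", verdict(found))
        for f in found:
            print("  ", f["kind"], f["where"], f["detail"])
```

The indicators are deliberately string-level, so minified or obfuscated code can slip past them; the script is a triage aid for reviewing an enterprise extension allowlist or a store submission, and a hit means "read this one by hand", not proof of scraping. The header-removal check is the most reliable of the three because static rule files must be declared in the manifest and cannot be hidden behind obfuscation.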
Chinese researchers claim to find new North American APT: Chinese security firm QiAnXin claims it discovered a new cyber-espionage group targeting China's high-tech sectors and operating out of North America.
QiAnXin's PanGu and RedDrip teams presented their findings at the CYDES security conference in Malaysia last week and published a technical report on GitHub on Friday.
Researchers describe the new NightEagle group (aka APT-Q-95 and APT-C-78) as extremely stealthy and very sophisticated.
The group uses novel malware, unique server infrastructure for each victim, and may be in possession of a suspected Microsoft Exchange zero-day.
[more on Risky Bulletin]
Hunters International ransomware shuts down and releases decryption keys: The Hunters International ransomware operation has shut down and promised to release free decryption keys for all past victims.
The group announced the shutdown in a message posted on its dark web leak site on Thursday, July 3, after removing all past victims.
The operation launched at the end of 2023 and was a rebrand of the Hive ransomware, which had its infrastructure seized earlier that year.
[more on Risky Bulletin, including that this seems to be another rebranding exercise rather than an exit from the ransomware business.]