

U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain



Law enforcement authorities have reportedly apprehended a key figure in the notorious cybercrime group known as Scattered Spider. The suspect, a 22-year-old British man, was arrested in Palma de Mallorca, Spain, while attempting to board a flight to Italy. This arrest was a coordinated effort between the U.S. Federal Bureau of Investigation (FBI) and Spanish Police.

The news first emerged on June 14, 2024, through Murcia Today, with malware research group vx-underground later revealing that the detained individual is linked to several high-profile ransomware attacks orchestrated by Scattered Spider. The group further identified the individual as a SIM swapper operating under the alias "Tyler." SIM-swapping attacks involve transferring a victim's phone number to a SIM card controlled by the attacker to intercept messages, including one-time passwords (OTPs), and hijack online accounts.

Security journalist Brian Krebs reported that "Tyler" is believed to be a 22-year-old Scotsman named Tyler Buchanan, known as "tylerb" on Telegram channels related to SIM-swapping. Tyler's arrest follows that of another Scattered Spider member, Noah Michael Urban, who faced charges of wire fraud and aggravated identity theft from the U.S. Justice Department earlier in February.

Scattered Spider, also referred to by names such as 0ktapus, Octo Tempest, and UNC3944, is a financially driven threat group notorious for sophisticated social engineering attacks to breach organizations. Its members are suspected to be part of a larger cybercriminal gang called The Com. Initially, the group focused on credential harvesting and SIM swapping but has since evolved to ransomware and data theft extortion. More recently, they've shifted to encryptionless extortion, stealing data from software-as-a-service (SaaS) applications.

Google-owned Mandiant noted that UNC3944, a group related to Scattered Spider, sometimes uses fear-mongering tactics to obtain victim credentials. These tactics include threats of doxxing, physical harm to victims and their families, and distributing compromising material. Mandiant also observed that UNC3944 shares similarities with another group identified by Palo Alto Networks Unit 42 as Muddled Libra, which also targets SaaS applications to exfiltrate sensitive data. However, Mandiant emphasized that these groups should not be considered identical.

The names 0ktapus and Muddled Libra originate from the threat actor's use of a phishing kit designed to steal Okta sign-in credentials, which has since been adopted by various other hacking groups.

According to Mandiant, UNC3944 has abused Okta permissions by self-assigning compromised accounts to every application within an Okta instance. This allows the attackers to extend their intrusion from on-premises infrastructure to cloud and SaaS applications. With this elevated access, the threat actor can misuse applications that use Okta for single sign-on (SSO) and perform internal reconnaissance by visually inspecting the application tiles that become visible in the Okta web portal after the role assignments.
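The self-assignment pattern described above leaves a distinctive trail in the Okta System Log: a burst of application-assignment events for one user, often performed by that same user. The following is an added detection example written for this article; it is not code from Mandiant, Okta or the original post. It assumes Okta's documented event type `application.user_membership.add` and a record layout with `actor.alternateId` plus `User` and `AppInstance` entries under `target`; the sample records, user names, application names, timestamps and the five-assignments-in-ten-minutes threshold are all constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Okta System Log records (not real telemetry). Only the fields the
# detector reads are included. "application.user_membership.add" is Okta's event
# type for assigning a user to an application; users, apps and times are made up.
def _rec(ts, actor, user, app):
    return json.dumps({
        "eventType": "application.user_membership.add",
        "published": ts,
        "actor": {"type": "User", "alternateId": actor},
        "target": [
            {"type": "User", "alternateId": user},
            {"type": "AppInstance", "displayName": app},
        ],
    })

SAMPLE_LOG = "\n".join([
    # alice assigns herself six apps in under three minutes: suspicious
    _rec("2024-06-14T09:00:05.000Z", "alice@example.com", "alice@example.com", "Salesforce"),
    _rec("2024-06-14T09:00:31.000Z", "alice@example.com", "alice@example.com", "Workday"),
    _rec("2024-06-14T09:01:02.000Z", "alice@example.com", "alice@example.com", "CyberArk"),
    _rec("2024-06-14T09:01:40.000Z", "alice@example.com", "alice@example.com", "Azure"),
    _rec("2024-06-14T09:02:11.000Z", "alice@example.com", "alice@example.com", "Snowflake"),
    _rec("2024-06-14T09:02:45.000Z", "alice@example.com", "alice@example.com", "GitHub"),
    # an IT admin onboarding bob with two apps: normal
    _rec("2024-06-14T10:15:00.000Z", "it-admin@example.com", "bob@example.com", "Workday"),
    _rec("2024-06-14T10:16:00.000Z", "it-admin@example.com", "bob@example.com", "Salesforce"),
    # carol accumulates six apps spread over three days: normal
    *[_rec(f"2024-06-{12 + i // 2:02d}T1{i % 2}:00:00.000Z", "it-admin@example.com",
           "carol@example.com", app)
      for i, app in enumerate(["Workday", "Salesforce", "Azure", "GitHub", "Slack", "Zoom"])],
    # an unrelated event type that the parser must ignore
    json.dumps({"eventType": "user.session.start", "published": "2024-06-14T09:00:00.000Z",
                "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": []}),
])


def parse_events(raw):
    """Parse newline-delimited JSON log records and keep only app-assignment events."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("eventType") != "application.user_membership.add":
            continue
        targets = {t["type"]: t for t in rec.get("target", [])}
        if "User" not in targets or "AppInstance" not in targets:
            continue
        events.append({
            # Okta publishes UTC timestamps with a trailing Z; fromisoformat wants +00:00
            "time": datetime.fromisoformat(rec["published"].replace("Z", "+00:00")),
            "actor": rec["actor"]["alternateId"],
            "user": targets["User"]["alternateId"],
            "app": targets["AppInstance"]["displayName"],
        })
    return events


def find_mass_app_assignments(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive at least `threshold` app assignments inside a sliding window.

    Returns one alert per user holding the largest qualifying burst, and marks whether
    every assignment in that burst was performed by the user themselves (self-assignment).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold and (best is None or len(burst) > len(best)):
                best = burst
        if best:
            alerts.append({
                "user": user,
                "apps": [e["app"] for e in best],
                "self_assigned": all(e["actor"] == user for e in best),
                "first": best[0]["time"].isoformat(),
                "last": best[-1]["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_mass_app_assignments(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed log the detector raises a single alert for `alice@example.com`, listing all six applications and flagging the burst as self-assigned, while the admin-driven onboarding of `bob@example.com` and the slow accumulation for `carol@example.com` stay silent. In production the threshold and window should be tuned against a baseline of legitimate provisioning, and the `self_assigned` flag is the signal most worth routing to a high-priority queue.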

The attack chains typically involve using legitimate cloud synchronization tools like Airbyte and Fivetran to export data to attacker-controlled cloud storage. The attackers also conduct extensive reconnaissance, establish persistence by creating new virtual machines, and weaken defenses.

Scattered Spider has also been seen using endpoint detection and response (EDR) solutions to run commands like whoami and quser to verify access to the environment.

Mandiant noted that UNC3944 continued accessing applications such as Azure, CyberArk, Salesforce, and Workday, conducting further reconnaissance within each. For CyberArk specifically, the attackers downloaded and used the PowerShell module psPAS to interact programmatically with an organization's CyberArk instance.

This targeting of CyberArk's Privileged Access Security (PAS) solution has also been noted in RansomHub ransomware attacks, suggesting that at least one Scattered Spider member may have become an affiliate of the emerging ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.

The threat actor's tactics have evolved, coinciding with their active targeting of the finance and insurance industries using convincing lookalike domains and login pages for credential theft.

Last month, the FBI told Reuters that they are preparing charges against hackers from this group, which has been linked to attacks on over 100 organizations since its emergence in May 2022.
