
British hacker with links to notorious Scattered Spider group arrested in Spain

June 16, 2024 | Press release | Cybercrime / SIM swapping

Law enforcement authorities have reportedly arrested a leading member of the notorious cybercrime group “Scattered Spider”.

The 22-year-old British man was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint operation by the US Federal Bureau of Investigation (FBI) and Spanish police.

News of the arrest was first reported by Murcia Today on June 14, 2024. Subsequently, vx-underground revealed that the arrested individual “is linked to several other high-profile Scattered Spider ransomware attacks.”

The malware research group further said that the individual was a SIM swapper operating under the pseudonym “Tyler.” SIM swapping attacks work by calling the telecom provider and convincing it to transfer the target’s phone number to a SIM card under the attacker’s control. The goal is to intercept the victim’s messages, including one-time passwords (OTPs), and take over their online accounts.

According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old Scotsman named Tyler Buchanan, who appears on Telegram channels related to SIM swapping under the name “tylerb.”

Tyler is the second member of the Scattered Spider group to be arrested, following Noah Michael Urban, who was charged by the U.S. Department of Justice in early February with wire fraud and aggravated identity theft.


Scattered Spider, whose activities also overlap with the names 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group notorious for orchestrating sophisticated social engineering attacks to gain access to organizations. Members of the group are suspected of being part of a larger cybercriminal gang known as The Com.

The group initially focused on credential harvesting and SIM card swapping, but has since expanded its modus operandi to ransomware and extortion through data theft. It later moved to encryption-less extortion attacks aimed at stealing data from SaaS (software-as-a-service) applications.

“The evidence also suggests that UNC3944 occasionally resorted to scare tactics to gain access to victims’ credentials,” said Mandiant, a Google company. “These tactics include threatening to release personal information, physically harming victims and their families, and distributing compromising material.”

Mandiant told The Hacker News that the activities associated with UNC3944 bear certain similarities to another cluster tracked by Palo Alto Networks’ Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to steal sensitive data, but stressed that they “should not be considered ‘the same.’”


The names 0ktapus and Muddled Libra come from the threat actor’s use of a phishing kit designed to steal Okta credentials, which has since been used by several other hacker groups.

“UNC3944 also leveraged Okta privilege abuse techniques by self-assigning a compromised account to each application on an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to cloud and SaaS applications,” Mandiant noted.

“With this privilege escalation, the threat actor could not only abuse applications that use Okta for single sign-on (SSO), but also conduct internal reconnaissance through the use of the Okta web portal by visually observing which application tiles were available after these role assignments.”
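The self-assignment pattern Mandiant describes leaves a trail in the Okta System Log: the same user appears as both the actor and the User target of an application membership event. The following detection sketch is an added example, not code from the article or from Mandiant; the events are constructed to mirror the System Log's eventType/actor/target layout, and the threshold (minimum number of distinct apps per actor) is an assumed tuning value.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample Okta System Log events (not real data). The field layout
# follows the System Log schema: eventType, actor, and a target list that holds
# both the User being added and the AppInstance it is added to.
SAMPLE_EVENTS = [
    {"published": "2024-06-10T09:00:01Z", "eventType": "application.user_membership.add",
     "actor": {"id": "00u1aaa", "alternateId": "alice@example.test"},
     "target": [{"id": "00u1aaa", "type": "User", "alternateId": "alice@example.test"},
                {"id": "0oa1sfdc", "type": "AppInstance", "displayName": "Salesforce"}]},
    {"published": "2024-06-10T09:00:14Z", "eventType": "application.user_membership.add",
     "actor": {"id": "00u1aaa", "alternateId": "alice@example.test"},
     "target": [{"id": "00u1aaa", "type": "User", "alternateId": "alice@example.test"},
                {"id": "0oa1wday", "type": "AppInstance", "displayName": "Workday"}]},
    {"published": "2024-06-10T09:00:29Z", "eventType": "application.user_membership.add",
     "actor": {"id": "00u1aaa", "alternateId": "alice@example.test"},
     "target": [{"id": "00u1aaa", "type": "User", "alternateId": "alice@example.test"},
                {"id": "0oa1azur", "type": "AppInstance", "displayName": "Azure"}]},
    # Legitimate admin action: the actor adds a different user, so it is not flagged.
    {"published": "2024-06-10T09:05:00Z", "eventType": "application.user_membership.add",
     "actor": {"id": "00u2bbb", "alternateId": "admin@example.test"},
     "target": [{"id": "00u3ccc", "type": "User", "alternateId": "carol@example.test"},
                {"id": "0oa1slck", "type": "AppInstance", "displayName": "Slack"}]},
    # Unrelated event type, ignored by the detector.
    {"published": "2024-06-10T09:06:00Z", "eventType": "user.session.start",
     "actor": {"id": "00u1aaa", "alternateId": "alice@example.test"}, "target": []},
]


def self_assignments(events: Iterable[dict], min_apps: int = 2) -> Dict[str, List[str]]:
    """Return {actor login: [app names]} for actors who assigned THEMSELVES to at
    least `min_apps` distinct applications. `min_apps` is an assumed threshold."""
    apps_by_actor: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.get("eventType") != "application.user_membership.add":
            continue
        actor = ev.get("actor") or {}
        targets = ev.get("target") or []
        user_ids = {t.get("id") for t in targets if t.get("type") == "User"}
        if actor.get("id") not in user_ids:
            continue  # actor granted someone else access; normal admin behaviour
        for t in targets:
            if t.get("type") == "AppInstance" and t.get("displayName"):
                apps_by_actor[actor.get("alternateId", actor.get("id"))].add(t["displayName"])
    return {who: sorted(apps) for who, apps in apps_by_actor.items() if len(apps) >= min_apps}


if __name__ == "__main__":
    for who, apps in self_assignments(SAMPLE_EVENTS).items():
        print(f"ALERT self-assigned to {len(apps)} apps: {who} -> {', '.join(apps)}")
```

In a real deployment the same logic runs over the System Log API or the SIEM feed; pairing it with the login-only users the article mentions (Azure, CyberArk, Salesforce, Workday) makes the burst stand out.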

Attack chains are characterized by the use of legitimate cloud sync programs such as Airbyte and Fivetran to export the data to cloud storage buckets controlled by the attacker. In addition, steps are taken to conduct extensive reconnaissance, establish persistence by creating new virtual machines, and compromise defenses.

Additionally, Scattered Spider has been observed using Endpoint Detection and Response (EDR) solutions to execute commands such as whoami and quser to test access to the environment.


“UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and conducted additional reconnaissance within each of these applications,” the threat intelligence firm said. “For CyberArk in particular, Mandiant observed the download and use of the psPAS PowerShell module to programmatically interact with an organization’s CyberArk instance.”

Targeting the CyberArk Privileged Access Security (PAS) solution has also been an observed pattern in RansomHub ransomware attacks, so, according to GuidePoint Security, there is a possibility that at least one member of Scattered Spider has become a partner in the emerging ransomware-as-a-service (RaaS) operation.

The evolution of the threat actors’ tactics also coincides with their active targeting of the financial and insurance industries, using deceptively realistic lookalike domains and login pages to steal credentials.

The FBI told Reuters last month that it was laying the groundwork for an indictment against hackers from the group, which has been linked to attacks on more than 100 organizations since it emerged in May 2022.
