By Ravie Lakshmanan
Law enforcement authorities have reportedly arrested a key member of the notorious cybercrime group known as Scattered Spider.
The individual, a 22-year-old from the United Kingdom, was detained this week in Palma de Mallorca, Spain, as he prepared to board a flight to Italy. This operation is part of a collaborative effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish National Police, initiated last May.
The arrest was first reported by Murcia Today on June 14, 2024, and was later confirmed by vx-underground, which stated that the individual is “associated with several high-profile ransomware attacks conducted by Scattered Spider.”
This individual has been identified as a SIM swapper operating under the alias “Tyler.” SIM swapping involves contacting a telecom provider to transfer a target’s phone number to a SIM controlled by the attacker, enabling them to intercept messages and gain access to online accounts.
According to security journalist Brian Krebs, Tyler is believed to be Tyler Buchanan, a 22-year-old from Scotland, known as “tylerb” on Telegram channels related to SIM swapping.
Buchanan is the second member of Scattered Spider to be arrested; the first was Noah Michael Urban, who was charged by the U.S. Justice Department in February with wire fraud and aggravated identity theft related to the theft of $800,000 from at least five victims.
Scattered Spider, which also operates under the names 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group notorious for executing sophisticated social engineering attacks to gain access to organizations. Members of this group are suspected to be part of a larger cybercriminal gang known as The Com.
Initially focused on credential harvesting and SIM swapping, the group has shifted towards ransomware and data theft extortion, recently moving to encryptionless extortion attacks targeting software-as-a-service (SaaS) applications.
Mandiant, a Google-owned cybersecurity firm, reported that evidence indicates UNC3944 sometimes employs fear tactics to access victim credentials, including threats of doxxing and physical harm.
The activity associated with UNC3944 shows similarities to another group tracked by Palo Alto Networks as Muddled Libra, which has also targeted SaaS applications for sensitive data exfiltration. However, Mandiant clarified that they should not be regarded as the same group.
UNC3944 has been known to abuse Okta permissions, enabling them to extend their intrusions beyond traditional infrastructure to cloud and SaaS applications. Once a role has been assigned to an account, the attacker can observe which applications are available to it in the Okta web portal.
The attack methods also include using legitimate cloud synchronization tools to transfer data to attacker-controlled storage, conducting extensive reconnaissance, and creating new virtual machines to maintain access.
Scattered Spider has employed endpoint detection and response (EDR) solutions to execute commands that assess access within compromised environments. Mandiant noted that UNC3944 has accessed platforms like Azure, CyberArk, Salesforce, and Workday for reconnaissance.
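One defensive check suggested by the Okta description above is to correlate an administrative privilege grant with what the receiving account does next in the tenant. The script below is an added example, not code from the article, Mandiant, or Okta: it reads newline-delimited events in a simplified Okta System Log shape and alerts when a user who has just been granted a privilege is attached to several applications within a short window. The event type names (`user.account.privilege.grant`, `application.user_membership.add`) are assumed to follow Okta's naming; the log records, user names and thresholds are constructed for illustration.

```python
"""Flag an Okta privilege grant followed by a burst of application assignments.

Added example, not code from the article, Mandiant or Okta. Event type names are
assumed to match Okta System Log conventions; the sample records are constructed.
"""
import json
from datetime import datetime, timedelta

GRANT = "user.account.privilege.grant"          # assumed Okta event type
APP_ADD = "application.user_membership.add"     # assumed Okta event type

# Constructed sample log (simplified Okta System Log shape, one JSON object per line).
SAMPLE_LOG = """
{"published": "2024-06-10T08:00:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.test"}, "target": []}
{"published": "2024-06-10T08:05:00.000Z", "eventType": "user.account.privilege.grant", "actor": {"alternateId": "admin@example.test"}, "target": [{"type": "User", "alternateId": "alice@example.test"}]}
{"published": "2024-06-10T08:07:00.000Z", "eventType": "application.user_membership.add", "actor": {"alternateId": "alice@example.test"}, "target": [{"type": "AppInstance", "alternateId": "Salesforce"}, {"type": "User", "alternateId": "alice@example.test"}]}
{"published": "2024-06-10T08:09:00.000Z", "eventType": "application.user_membership.add", "actor": {"alternateId": "alice@example.test"}, "target": [{"type": "AppInstance", "alternateId": "Workday"}, {"type": "User", "alternateId": "alice@example.test"}]}
{"published": "2024-06-10T08:11:00.000Z", "eventType": "application.user_membership.add", "actor": {"alternateId": "alice@example.test"}, "target": [{"type": "AppInstance", "alternateId": "Azure"}, {"type": "User", "alternateId": "alice@example.test"}]}
{"published": "2024-06-10T09:00:00.000Z", "eventType": "user.account.privilege.grant", "actor": {"alternateId": "admin@example.test"}, "target": [{"type": "User", "alternateId": "bob@example.test"}]}
{"published": "2024-06-10T09:02:00.000Z", "eventType": "application.user_membership.add", "actor": {"alternateId": "admin@example.test"}, "target": [{"type": "AppInstance", "alternateId": "Workday"}, {"type": "User", "alternateId": "bob@example.test"}]}
"""


def parse_events(raw):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def target_users(ev):
    """Return the set of user identifiers named as targets of an event."""
    return {t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User"}


def target_apps(ev):
    """Return the set of application identifiers named as targets of an event."""
    return {t["alternateId"] for t in ev.get("target", []) if t.get("type") == "AppInstance"}


def find_grant_then_app_burst(events, window_minutes=30, min_apps=3):
    """Alert when a user granted a privilege is attached to >= min_apps apps within the window.

    A single legitimate onboarding usually touches one or two apps; a newly
    privileged account collecting access to many apps at once is worth a look.
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] != GRANT:
            continue
        deadline = ev["ts"] + timedelta(minutes=window_minutes)
        for user in target_users(ev):
            apps = set()
            for later in events[i + 1:]:
                if later["ts"] > deadline:
                    break
                if later["eventType"] == APP_ADD and user in target_users(later):
                    apps |= target_apps(later)
            if len(apps) >= min_apps:
                alerts.append({
                    "user": user,
                    "granted_by": ev["actor"]["alternateId"],
                    "granted_at": ev["published"],
                    "apps": sorted(apps),
                })
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return find_grant_then_app_burst(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

In the constructed sample, alice receives a privilege grant and is then attached to three applications within six minutes, which trips the rule; bob receives a grant followed by a single assignment, which does not. In a real tenant the window and threshold should be tuned against the organization's normal onboarding pattern, and the rule is a starting point for triage rather than a verdict on its own.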
The targeting of CyberArk’s Privileged Access Security has been noted in RansomHub ransomware attacks, suggesting a possible link between Scattered Spider and the emerging ransomware-as-a-service model.
The evolution of their tactics coincides with active targeting of the finance and insurance sectors, utilizing convincing lookalike domains for credential theft.
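Lookalike domains of the kind mentioned above can be caught on the defensive side by scoring newly observed domains against the brand names an organization wants to protect. The following is an added example, not code from the article or from any vendor named in it: it normalizes a candidate domain (case, Unicode compatibility forms, a small constructed table of digit and letter look-alikes), strips common decoy tokens such as `sso` or `helpdesk`, and compares the remaining label with the brand using an edit-similarity ratio. The homoglyph table, decoy token list, brand name `acme`, sample domains and the 0.8 threshold are all constructed for illustration.

```python
"""Score candidate domains for similarity to a protected brand name.

Added example, not from the article. The homoglyph table, decoy tokens, brand
name, sample domains and threshold are constructed for illustration.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed subset of characters commonly substituted for Latin letters.
# Multi-character entries come first so "rn" is folded before single characters.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i",  # Cyrillic a, e, o, i
}
# Constructed list of tokens often glued to a brand name in credential-theft domains.
DECOY_TOKENS = ("sso", "okta", "login", "helpdesk", "vpn", "mfa", "portal")
# Second-level labels that belong to the public suffix rather than the registrant (assumed short list).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrant_label(fqdn):
    """Return the label the registrant chose, e.g. 'acme-sso' from 'acme-sso.co.uk'."""
    parts = fqdn.strip(".").split(".")
    if len(parts) < 2:
        return parts[0]
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL:
        return parts[-3]
    return parts[-2]


def normalize(label):
    """Lowercase, fold Unicode compatibility forms, and replace known look-alike characters."""
    label = unicodedata.normalize("NFKC", label).lower()
    for glyph, ascii_ch in HOMOGLYPHS.items():
        label = label.replace(glyph, ascii_ch)
    return label


def strip_decoy_tokens(label):
    """Split on '-' and separate decoy tokens from the core name."""
    pieces = [p for p in label.split("-") if p]
    decoys = [p for p in pieces if p in DECOY_TOKENS]
    core = "".join(p for p in pieces if p not in DECOY_TOKENS)
    return core, decoys


def score_lookalike(candidate, brand, legitimate=("acme.com",), threshold=0.8):
    """Return a dict describing how closely the candidate resembles the brand."""
    candidate = candidate.lower()
    if candidate in legitimate:
        return {"domain": candidate, "suspicious": False, "reason": "allowlisted"}
    core, decoys = strip_decoy_tokens(normalize(registrant_label(candidate)))
    ratio = SequenceMatcher(None, core, brand.lower()).ratio()
    suspicious = ratio >= threshold
    return {
        "domain": candidate,
        "core": core,
        "decoy_tokens": decoys,
        "similarity": round(ratio, 3),
        "suspicious": suspicious,
        "reason": "close to brand after normalization" if suspicious else "low similarity",
    }


def scan(candidates, brand):
    """Score a batch of domains and return only the suspicious ones."""
    return [r for r in (score_lookalike(c, brand) for c in candidates) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample of newly observed domains.
    sample = ["acme-sso.com", "acrne-helpdesk.co.uk", "acm\u0435-login.com", "acme.com", "weather.com"]
    for hit in scan(sample, "acme"):
        print(hit)
```

The three constructed domains that survive the scan do so for different reasons: a decoy token appended to the exact brand, an `rn` substitution for `m` combined with a two-part public suffix, and a Cyrillic letter in place of a Latin one. The allowlisted `acme.com` and the unrelated `weather.com` are dropped. In practice the candidate list would come from certificate transparency logs or new-domain feeds, and the public-suffix handling here should be replaced by a proper public suffix list before the check is relied on.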