The notorious cybercrime groups Scattered Spider and ShinyHunters claim they are retiring, but the cybersecurity industry is skeptical and believes the hackers will continue to be active.
Scattered Spider has been active for several years and recently made headlines for targeting the retail, insurance, and aviation industries. The threat group has also been in the spotlight for its widespread Salesforce hacking campaign, which impacted major companies such as Google.
Several individuals with alleged ties to Scattered Spider have been arrested, charged and sentenced over the past year.
Some of the recent attacks attributed to Scattered Spider also appear to have involved ShinyHunters, a cybercrime group specializing in extortion. The two groups are believed to have merged.
In a message posted online last week, Scattered Spider and ShinyHunters announced their retirement. A lengthy manifesto mentions recent high-profile hacks and taunts law enforcement. “Our objectives having been fulfilled, it is now time to say goodbye,” the hackers said.
However, the cybersecurity industry doubts that the cybercriminals will completely retire. SecurityWeek has heard from several industry professionals and most of them have urged organizations not to let their guard down.
It’s not uncommon for high-profile threat groups to make false claims about retiring, particularly when pressure from law enforcement is building up.
“Back in 2019 the GandCrab crew announced they were retiring after earning more than $2bn, they had cashed out and quit the business,” said James Maude, field CTO at BeyondTrust. “A few months later REvil ransomware appeared bearing all the hallmarks of the GandCrab crew leading many to the conclusion that they had actually rebranded rather than retired.”
“With these groups in particular they are not organized in the same way as previous threat actors and are a far more loosely connected group of individuals that would be far more likely to disband and reform in new groups than actually retire,” Maude added.
Threat intelligence firm KELA pointed out that Scattered Spider and ShinyHunters posted a similar retirement statement on Telegram on August 18, announcing the deletion of their Telegram channel, only to create a new channel on August 28.
“This time, despite declaring their retirement about a week ago, they have not deleted their channel and have continued posting, including sharing FBI reporting about them,” KELA told SecurityWeek.
Cian Heasley, principal consultant at Acumen Cyber, believes the cybercriminals “are buying some breathing time, panicking about the threat of prison, and arguing behind the scenes about how much trouble they are actually in and the need to be cautious.”
The cybercriminals’ farewell message notes that even if they are mentioned in new data breach disclosures, those will be the result of their old attacks and should not be seen as a sign that they are still active. On the other hand, the hackers said “we have decided that silence will now be our strength.”
“The statement about ‘silence being their strength’ could signal a shift in strategy—perhaps moving toward quieter, more targeted attacks or selling their expertise to other groups,” said Casey Ellis, founder at Bugcrowd. “It’s possible that some members will transition into other forms of cybercrime, like hacking-for-hire or fraud.”
Palo Alto Networks SVP Sam Rubin has highlighted some of the risks that remain even if public Scattered Spider operations are paused. “Stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names,” Rubin said. “Silence from a threat group does not equal safety. Organizations must stay vigilant and operate under the assumption that the threat has not disappeared, only adapted.”
Nivedita Murthy, senior staff consultant at Black Duck, noted, “It could be possible that some of these groups may have decided to step back and enjoy their payday, but it does not stop copycat groups from rising up and taking their place.”
BeyondTrust’s Maude agrees, pointing out that “even if some members of the group are retiring, spending their days cashing out ill-gotten cryptocurrency in the Caribbean, the amount of money available from cybercrime will ensure that any void is quickly filled.”