Cybersecurity researchers have tied a new series of attacks targeting the financial services industry to the cybercrime group known as Scattered Spider. This recent activity casts significant doubt on the group's previous claims of having retired and "going dark."
Threat intelligence firm ReliaQuest says it has seen signs that the threat actor has shifted its focus to the financial sector. This is supported by an increase in lookalike domains and a recently identified attack against an unnamed U.S. bank. In that intrusion, Scattered Spider gained initial access by social engineering an executive to reset their password via Azure Active Directory. From there, they moved laterally through the bank's network and compromised its infrastructure to dump credentials and steal data from repositories like Snowflake and Amazon Web Services (AWS).
The new attacks directly contradict the group's earlier claim that they were ceasing operations. Security experts are very skeptical of this retirement. According to Karl Sigler, a security research manager at Trustwave, the farewell letter should be seen as a strategic retreat designed to distance the group from increasing law enforcement pressure. It's likely a temporary move that allows them to re-assess their practices, refine their tools, and eventually re-emerge under a new identity. Sigler also points out that it's plausible something within the group's operational infrastructure was compromised, forcing them to go dark for a time.
Scattered Spider is a loose-knit hacking collective with a history of collaboration with other notorious groups like LAPSUS$ and ShinyHunters. In fact, these three groups have previously formed a larger entity. The incident serves as a reminder that organizations should not be lulled into a false sense of security, as financially motivated hacking groups rarely truly retire.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
