
Google Threat Intelligence Group: Some Scattered Spider Cyber Attacks May Have Actually Been the Work of ShinyHunters

As it did in 2023, the Scattered Spider ransomware gang has been grabbing headlines with a string of bold, high-profile cyber attacks. But researchers with Google’s Threat Intelligence Group (GTIG) now believe that some of these attacks may have been misattributed, and that the similarly long-tenured ShinyHunters group may instead have been responsible.

Attribution is now in question for the recent cyber attacks on Qantas, Allianz Life, LVMH and Adidas, among others. The common thread is that the threat group targets Salesforce CRM instances holding valuable data and approaches its victims with phone-based social engineering.

Cyber attacks impersonate IT support staff, try to get victims to link malicious Salesforce Data Loader

The key thread tying these cyber attacks together is the abuse of Salesforce’s Data Loader application, with the attackers making initial contact by phone with English-speaking personnel at the target company. It is easy to see how this invites confusion with Scattered Spider, which has also been very active in recent months and likewise relies on native English-speaking members to talk their way in at the initial point of entry.

The “standardized” approaches of ShinyHunters and Scattered Spider differ, however. Scattered Spider generally targets IT help desks, pretending to be an employee who needs a password reset. ShinyHunters reverses this: its operators pose as company IT staff and contact employees who have access to Salesforce environments. The target is asked to connect a malicious version of Data Loader, which gives the attackers the ability to exfiltrate and delete data in the Salesforce environment as well as upload their own files.

The ShinyHunters cyber attacks exploit the fact that an external application can be linked to a Salesforce environment by entering an eight-digit “connection code”; once the victim types in the code the attackers supply, the modified tool is authorized and plugged directly into the target’s Salesforce instance. The victim therefore only has to be convinced that the request is part of a normal workflow, which it often appears to be. Note that nothing malicious runs on the victim’s computer: the attacker’s app is authorized through Salesforce’s standard connected-app mechanism and operates with the victim’s own permissions, so endpoint security tools see nothing unusual. Salesforce administrators can blunt this by setting connected-app OAuth policies so that only admin-approved profiles or permission sets can authorize an app, and by enabling API Access Control so users cannot self-authorize unapproved apps.

Once the hackers have access to the Salesforce environment, they look for opportunities to move laterally through connected platforms (such as Okta and Microsoft 365) and expand their reach into the target network. ShinyHunters has shown a pattern of immediately siphoning out all the Salesforce data of interest once access is granted, then exploring these attached platforms for further opportunities. The attackers have also been observed refining their approach over time, experimenting with different batch (“packet”) sizes for the data pulls to stay under the thresholds of automated detection systems that would otherwise flag the unusual volume of activity.
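The batch-size evasion described above is worth seeing in detection terms. The following is an added example, not code from the article or from GTIG: it runs two detection rules over a constructed set of Salesforce-style export events and shows why a per-request row threshold misses an attacker who drains an object in many small chunks, while a sliding-window aggregate per (user, client) does not. The record layout and field names are assumptions loosely modelled on Salesforce Event Monitoring bulk/API events, and the client names, users and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hhmm):
    """Helper: build a timestamp on a fixed (constructed) day."""
    return datetime(2025, 7, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events. Field names are assumptions for illustration,
# not Salesforce's exact Event Monitoring schema.
SAMPLE_EVENTS = [
    # scheduled integration: one large, expected job
    {"ts": _t("02:00"), "user": "svc_etl", "client": "Nightly ETL",
     "object": "Contact", "rows": 40000},
    # ordinary analyst use of the real Data Loader
    {"ts": _t("09:15"), "user": "bchen", "client": "Salesforce Data Loader",
     "object": "Account", "rows": 200},
    {"ts": _t("11:40"), "user": "bchen", "client": "Salesforce Data Loader",
     "object": "Account", "rows": 150},
]
# attacker-linked app draining Contact in 25 chunks of 500 rows, one per minute
SAMPLE_EVENTS += [
    {"ts": _t("14:00") + timedelta(minutes=i), "user": "asmith",
     "client": "Data Loader (custom)", "object": "Contact", "rows": 500}
    for i in range(25)
]

# Baseline of connected apps the organisation expects to see. In practice key
# this on the app's identifier rather than its display name, because a
# malicious app can present any name it likes.
KNOWN_CLIENTS = {"Nightly ETL", "Salesforce Data Loader"}


def per_request_alerts(events, row_threshold=10_000):
    """Naive rule: alert on any single export larger than the threshold.

    This is exactly the rule that chunked pulls are sized to stay under."""
    return sorted({(e["user"], e["client"])
                   for e in events if e["rows"] > row_threshold})


def windowed_volume(events, window=timedelta(hours=1)):
    """Peak number of rows exported per (user, client) in any sliding window."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["client"])].append(e)
    peaks = {}
    for key, evs in by_key.items():
        start, total, peak = 0, 0, 0
        for e in evs:
            total += e["rows"]
            # drop events that have fallen out of the window
            while evs[start]["ts"] < e["ts"] - window:
                total -= evs[start]["rows"]
                start += 1
            peak = max(peak, total)
        peaks[key] = peak
    return peaks


def windowed_alerts(events, row_threshold=10_000, window=timedelta(hours=1)):
    """Aggregate rule: alert when the windowed total exceeds the threshold,
    regardless of how the pull was chunked."""
    return sorted(k for k, v in windowed_volume(events, window).items()
                  if v > row_threshold)


def triage(events, known_clients, row_threshold=10_000,
           window=timedelta(hours=1)):
    """Higher-confidence rule: high aggregate volume from a client that is not
    in the baseline of expected connected apps."""
    return [k for k in windowed_alerts(events, row_threshold, window)
            if k[1] not in known_clients]


if __name__ == "__main__":
    print("per-request:", per_request_alerts(SAMPLE_EVENTS))
    print("windowed:   ", windowed_alerts(SAMPLE_EVENTS))
    print("triage:     ", triage(SAMPLE_EVENTS, KNOWN_CLIENTS))
```

On the constructed data the per-request rule flags only the nightly integration (a false positive) and never sees the attacker’s 12,500 rows, because no single chunk exceeds 500; the windowed rule catches both, and combining it with a baseline of approved connected apps leaves only the attacker-linked client.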

ShinyHunters may be leveraging Scattered Spider activity for misattribution

There is some indication that ShinyHunters has intentionally left tracks designed to make researchers believe its activity is that of Scattered Spider, deploying similar Okta phishing pages during lateral movement that reference the rival group. But as more cyber attacks have happened and more details have emerged, the attack techniques and patterns have thrown some prior attributions into doubt.

ShinyHunters is now thought to be behind a recent attack on LVMH, the parent company of high-profile fashion brands including Louis Vuitton and Dior. Those two brands disclosed their own data breaches, as did fellow subsidiary Tiffany Korea. Recent cyber attacks on Adidas, Qantas and Allianz Life also fit the pattern. These victims have not yet publicly confirmed that their Salesforce environments were compromised, but all have confirmed that a third-party customer relationship management platform was involved. Part of the attribution difficulty stems from how ShinyHunters reportedly operates: it is said to shake down victims by email, demanding a ransom to keep the stolen data off the market rather than publicly dumping it, and it does not deploy ransomware, so there is no visible business disruption to signal to the public that a breach has occurred.

Another possibility is that Scattered Spider and ShinyHunters simply share some members. Prior reports from security researchers on the recent Scattered Spider cyber attacks indicate that the group has adopted a more “fluid” formation since it was disrupted by a string of arrests in 2024, with threat actors from other groups now coming and going for particular attacks and campaigns. This would explain both the deployment of similar tools during attacks and the fact that the two groups seem to be targeting the same industries at the same time. ShinyHunters may also be working as an “as a service” arm, handling the data theft and negotiations after Scattered Spider achieves the initial breach with its sophisticated social engineering.

ShinyHunters also recently experienced a law enforcement disruption of their own, with a wave of arrests at their preferred underground hangout BreachForums. And Scattered Spider saw some new arrests in recent weeks, with four individuals picked up in the UK on charges related to the group’s May campaign of cyber attacks against UK retailers. Both groups are thought to be affiliated with a larger decentralized criminal group calling itself “The Com,” which researchers believe now has thousands of English-speaking members across the world.

Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka, warns that both groups remain a persistent threat: “ShinyHunters implemented voice phishing (vishing) strategies to impersonate IT support staff in phone calls to targeted employees. Threat actors would persuade victims into visiting Salesforce’s connected app setup page, where ShinyHunters would install a malicious version of Salesforce’s Data Load OAuth when the victim was prompted to enter a ‘connection code.’ The distinguishing factor between Scattered Spider and ShinyHunters is that Scattered Spider tends to perform extensive network breaches culminating in data theft and ransomware, while ShinyHunters tends to focus more on extortion and targets a singular cloud platform or web application. Regardless, the similarities between TTPs indicate that there are likely overlapping members within the two groups. Though they may appear overshadowed by Scattered Spider at the moment, ShinyHunters is not a group to be dismissed. Instead, the inability to trace data breaches back to them demonstrates a high level of meticulousness, which only makes the group more dangerous. Employees should educate themselves about common vishing tactics and implement practices to prevent breaches, such as screening phone calls, drawing awareness to suspicious emails, and restricting access to computers or networks to only verified technicians.”