Full Report
On September 8, the "scattered LAPSUS$ hunters 4.0" Telegram channel posted: "FBI and French LE, great job for the third time arresting the wrong person in France once again. DOJ please stop wasting your budget by flying your agents to France every time to make the WRONG arrest, as it's almost the end of the..."
Analysis Summary
# Threat Actor: ShinyHunters / Scattered Spider / LAPSUS$ (implied collective or associated entities)
## Attribution & Identity
The article discusses a cluster of entities referred to as ShinyHunters, Scattered Spider, and LAPSUS$. The groups appear to be associated through shared activity and coordinated messaging about arrests and operations. The messaging implies a loose or evolving structure, and the actors may be running disinformation to confuse law enforcement. Note that the attribution here rests on the actors' own statements; the article offers no independent technical evidence linking the groups.
## Activity Summary
The primary activity discussed involves high-profile data breaches combined with aggressive public messaging, in some cases shifting toward data extortion and disruption rather than direct ransom demands.
Key activities claimed in the actors' messaging include:
* Paralyzing Jaguar factories.
* Compromising Google four times, with the intrusions characterized as superficial.
* Attacking Salesforce, and attacking CrowdStrike's defenses.
* Breaching Kering (including Gucci, Balenciaga, Brioni, and Alexander McQueen) via attacks on Salesforce environments.
* Attacking Air France, American Airlines, and British Airways.
* Further successful breaches that the affected victims have not yet disclosed and for which no ransom or extortion demand has yet been made.
* Announcing that they were "going dark" via a Telegram channel following the arrests, then stating on BreachForums[.]hn that the withdrawal may be permanent.
* Deliberately limiting the extent of their intrusions into Google systems, which leaves the actual scope of compromise unclear.
## Tactics, Techniques & Procedures
- Evading law enforcement countermeasures and publicly mocking the FBI and French LE arrests as targeting "the wrong person."
- Using disinformation to mislead investigators.
- Running operations that combine disruption of manufacturing (Jaguar factories) with intrusions at high-value technology companies (Salesforce, Google).
- Deliberately containing or self-limiting certain intrusions (e.g., within Google), possibly as part of operational planning or to manage exposure.
- Abandoning established tools and communication channels ("progressively abandon some of our tools (Hello, Tutanota) and our correspondents").
- Claiming successful compromises of airlines and other critical-infrastructure operators that the victims have not publicly disclosed.
## Targeting
- **Sectors:** High-end fashion retail (Kering group); Automotive manufacturing (Jaguar factories); Technology, cloud, and security vendors (Google, Salesforce, CrowdStrike); Critical infrastructure, specifically aviation (Air France, American Airlines, British Airways).
- **Geography:** Operations appear to be global, with specific interaction noted with US, UK, AU, and French authorities regarding arrests.
- **Victims (claimed):** Kering (Gucci, Balenciaga, Brioni, Alexander McQueen), Google, Salesforce, CrowdStrike, Jaguar, Air France, American Airlines, British Airways.
## Tools & Infrastructure
- **Malware families used:** Not explicitly named. The actors mention abandoning "some of our tools," but the only one named (Tutanota) is a communication service rather than malware.
- **Infrastructure (C2, domains, IPs):** No C2 domains or IP addresses are given in the article.
- Communication platform: Telegram (used for the initial "going dark" announcement).
- Post-arrest venue: BreachForums[.]hn (used for the detailed operational statement).
- Abandoned communication channel: Tutanota, an encrypted email service (mentioned as being progressively abandoned).
## Implications
The actors present a sophisticated, adaptive, and disruptive posture, claiming high-impact attacks across multiple sectors while responding to law enforcement pressure by mocking the arrests, spreading disinformation, and continuing to operate through them. Their closing message signals a deliberate shift toward silence ("silence will now be our strength"), which means the true scope of compromise may remain undisclosed for many victims. Organizations in the named sectors should therefore treat residual access or undisclosed data exposure as a live possibility even if the public campaign ceases.
## Mitigations
- **Enhanced Verification:** Organizations should not assume they are unaffected simply because they have not been publicly named or contacted, given the actors' claim to hold victims that have not yet disclosed a breach. Independent review of logs and access records, particularly for SaaS platforms named in the claims such as Salesforce, is warranted.
- **Security Posture Review:** Organizations operating in the targeted sectors should adopt an assume-breach stance and hunt for signs of prior compromise or persistent access rather than relying on the absence of an extortion demand.
- **Contingency Planning:** Account for adversary methods that involve deliberately limited exposure or disinformation intended to distract security teams and investigators from the real scope of an intrusion.
- **Investigative Focus:** Because the group relies on deflection, law enforcement efforts must focus on evidence gathering beyond immediate arrests, given the claim that arrested individuals may be scapegoats or intentionally sacrificed.