Full Report
The Federal Bureau of Investigation (FBI) is providing this Public Service Announcement (PSA) to warn of potential future impacts related to a cyber-attack that affected an online Learning Management System (LMS), resulting in an interruption of service to educational institutions and students across the country. The LMS platform is now fully operational. ShinyHunters (SH), which claimed the cyber-attack that caused the disruption, is a cyber criminal group specializing in large-scale data breaches and extortion. They target major companies across tech, finance, and retail, often stealing millions of customer records at once. Threat actors often use their real or exaggerated claims of access to sensitive or personal information to prompt payment from victims. Victims may receive an extortion email signed as ShinyHunters. To exert pressure on victims, SH actors commonly use harassment strategies, sending threatening text messages and phone calls to victims and their family members, and in some cases, swatting. Threat actors may falsely claim to have sensitive or compromising information, including embarrassing photographs or videos of victims, which frequently do not exist. Following these pressure tactics, SH actors have sometimes posted exfiltrated data to various iterations of the SH data leak site on the Tor network.
Analysis Summary
# Threat Actor: ShinyHunters (SH)
## Attribution & Identity
- **Actor Identification:** ShinyHunters is a well-known cybercriminal group specializing in large-scale data breaches and extortion.
- **Aliases:** SH
- **Known Associations:** The group operates a dedicated data leak site on the Tor network.
## Activity Summary
ShinyHunters recently claimed responsibility for a significant cyber-attack against an online Learning Management System (LMS). This operation resulted in widespread service interruptions for educational institutions and students across the United States. Following the breach, the group utilized stolen data to launch extortion campaigns against individuals and institutions.
## Tactics, Techniques & Procedures
- **Data Exfiltration:** Specializes in high-volume theft of million-record customer databases.
- **Extortion:** Uses email communication signed as "ShinyHunters" to demand payment for the non-release of data.
- **Harassment & Psychological Pressure:** Employs aggressive pressure tactics, including threatening text messages and phone calls to victims and their family members.
- **Swatting:** Known to weaponize emergency services to exert extreme pressure on targets.
- **Deception/Bluffing:** Frequently makes false or exaggerated claims regarding the possession of sensitive or embarrassing media (photos/videos) to induce panic.
- **Data Leaking:** Posts exfiltrated data to various iterations of their leak site on the Tor network if demands are not met.
- **Impersonation:** Uses stolen context to impersonate faculty, IT support, or financial aid offices.
- **Spearphishing:** Leverages real-world context from stolen data to craft highly convincing phishing lures.
## Targeting
- **Sectors:** Education (principally Learning Management Systems), Technology, Finance, and Retail.
- **Geography:** Primarily United States (based on FBI PSA context).
- **Victims:** Educational institutions, students, faculty, and major corporate entities holding large customer datasets.
## Tools & Infrastructure
- **Infrastructure:**
  - SH Data Leak Site (Tor-based/onion networks).
  - Cloud-based management platforms (as an entry point/target).
  - Integrated third-party services.
- **Communication Channels:** Direct SMS, VOIP/Phone calls, and Extortion emails.
## Implications
ShinyHunters represents a high-tier criminal threat due to their pivot from simple data theft to aggressive personal harassment. By targeting educational infrastructure, they gain access to a rich repository of PII that enables secondary attacks, such as sophisticated social engineering and identity theft. Their willingness to use physical-world threats (swatting) differentiates them from typical financially motivated actors, indicating a higher risk profile for victim safety and organizational reputation.
## Mitigations
- **Verify Communications:** Always verify unusual or urgent requests from schools or IT departments through a secondary, known-good communication channel.
- **Refuse Ransom Demands:** Do not send payment; payment does not guarantee data deletion and funds future criminal operations.
- **Cloud Security:** Secure cloud-based management platforms and third-party integrations which are primary SH targets.
- **Credential Hygiene:** Implement MFA and change passwords immediately if an associated service is breached to prevent account takeover.
- **Reporting:** Report extortion attempts and intrusions to the FBI Internet Crime Complaint Center (ic3[.]gov) or local law enforcement.
- **Mental Health Support:** Given the actor's use of swatting and harassment, organizations should provide mental health resources for impacted staff and students.