# Full Report

> “Goodbye isn’t the end. It’s the beginning of what happens next.” — Joshua Shaw

Reading the news, I see some headlines suggesting that “Scattered LAPSUS$ Hunters” lied in their “Goodbye” message. One headline read, “Security Industry Skeptical of Scattered Spider-ShinyHunters Retirement Claims.” Another read, “Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims,” and...

# Analysis Summary
# Threat Actor: Scattered LAPSUS$ Hunters (Collaborative Entity)
## Attribution & Identity
The actor referenced is a collaborative entity referred to as "Scattered LAPSUS$ Hunters." This group appears to be an amalgamation or continuation of individuals associated with **ShinyHunters**, **Scattered Spider**, and remnants of **LAPSUS$**. The article suggests an internal disagreement regarding a "goodbye" message, indicating different factions or individuals within the collective hold varying intentions (some appearing to retire, others intending to continue activity silently or publicly).
## Activity Summary
The group recently issued a "goodbye" message suggesting retirement, with some members (specifically "ShinyCorp" of ShinyHunters) seemingly intending to cease operations. However, reports indicate skepticism that key members have stopped, with evidence suggesting they are continuing operations, potentially under the radar or against new sectors. Recent activity has reportedly shifted focus toward the **financial sector**, following previous attacks on the **aviation sector**. The group is also associated with public breaches and with taunting and bragging on communication platforms.
## Tactics, Techniques & Procedures
The article focuses less on specific technical TTPs and more on behavioral patterns:
- **Continued Exploitation:** Implied continuation of hacking activities despite public cessation claims ("Others will keep on studying and improving systems you use in your daily lifes. In silence.").
- **Public Bragging/Taunting:** A tendency to publicly boast about activities on platforms like Telegram, contrasting with the "in silence" continuation implied by some members.
- **Data Disclosure/Extortion:** Claims of access to sensitive law enforcement portals (CJIS, Google LERS screenshots), and publication or threatened release of stolen data (Qantas injunction).
- **Internal Conflicts/Management:** Evidence of internal management efforts by ShinyHunters to curb inflammatory posts that would attract law enforcement attention.
## Targeting
- **Sectors:** Primarily mentioned in connection with the **Financial Sector** (recent shift) and the **Aviation/Airline Sector** (previous focus).
- **Geography:** Implied global reach, with arrests occurring in the **UK** and activity spanning the **US** and other regions where the mentioned airlines operate.
- **Victims:**
  - **Airlines:** Qantas, Hawaiian Airlines, WestJet (all linked to Scattered LAPSUS$ Hunters). Potential targets include British Airways and American Airlines.
  - **Potential Indirect Targets:** Infrastructure providers to the aviation sector, as shown by the incident affecting **Collins Aerospace’s MUSE** software used by several **EU airports** (Brussels, London, Berlin). Dallas Airport incidents were mentioned but denied by ShinyHunters.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed in the summarized text.
- **Infrastructure:** Usage of **breachforums[.]hn** for announcements. Active use of **Telegram** for communication, bragging, and threats (though some channels were banned).
## Implications
The primary implication is that the dissolution of the publicly recognized entities (Scattered Spider, ShinyHunters, LAPSUS$) does not equate to the cessation of threat activities. Factions of these groups are likely continuing operations, potentially shifting focus or operating more covertly ("in silence") to avoid immediate law enforcement attention following recent arrests and increased scrutiny. This suggests a fragmented but persistent threat landscape emerging from these predecessors.
## Mitigations
- **Assume Persistence:** Security teams should not rely on public retirement claims and must assume continued adversarial efforts from associated actors.
- **Monitor Communications:** Vigilance regarding public and dark web communications where actors might brag or leak data.
- **Sector Defense:** Increased focus on hardening defenses within the **Financial** and **Aviation/Transport** sectors, as these have been recent focuses of the collective or its fragments.
- **Supply Chain Due Diligence:** Recognizing that supply chain entities (e.g., software providers like Collins Aerospace) can be targeted to affect primary victims.