U.K. Hacker Linked to Infamous Scattered Spider Group Arrested in Spain
A significant arrest has been made in connection with the notorious cybercrime group Scattered Spider. Last week, a 22-year-old man from the United Kingdom was apprehended in Palma de Mallorca, Spain, while attempting to board a flight to Italy. This operation was a collaborative effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.
First reported by Murcia Today on June 14, 2024, and later confirmed by vx-underground, the arrested individual is tied to several high-profile ransomware attacks attributed to Scattered Spider. The malware research group identified the individual as a SIM swapper operating under the alias "Tyler." SIM swapping involves manipulating telecom providers to transfer a target's phone number to a new SIM card controlled by the attacker, allowing them to intercept messages, including one-time passwords (OTPs), and gain access to online accounts.
Security journalist Brian Krebs revealed that "Tyler" is likely Tyler Buchanan, a 22-year-old from Scotland known as "tylerb" on SIM-swapping Telegram channels. This arrest follows that of Noah Michael Urban, another Scattered Spider member charged by the U.S. Justice Department in February with wire fraud and aggravated identity theft, resulting in the theft of $800,000 from multiple victims.
Scattered Spider, also known as 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group renowned for sophisticated social engineering attacks to infiltrate organizations. Initially focusing on credential harvesting and SIM swapping, the group has evolved to ransomware and data theft extortion, eventually moving to encryptionless extortion targeting software-as-a-service (SaaS) applications.
Google-owned Mandiant reported that UNC3944, another name for Scattered Spider, employs fear tactics to obtain victim credentials, including threats of doxxing, physical harm, and distribution of compromising material. They noted similarities with another cluster, Muddled Libra, tracked by Palo Alto Networks Unit 42, which also targets SaaS applications for data exfiltration. However, Mandiant clarified that these groups should not be considered identical.
The group’s use of a phishing kit designed to steal Okta sign-in credentials has been adopted by other hacking groups, complicating attribution efforts. Mandiant observed that UNC3944 exploits Okta permissions by assigning compromised accounts to multiple applications, expanding their intrusion from on-premises infrastructure to cloud and SaaS applications.
Attack chains often involve legitimate cloud synchronization tools such as Airbyte and Fivetran to export data to attacker-controlled cloud storage, coupled with extensive reconnaissance, persistence established through newly created virtual machines, and impairment of defenses. Scattered Spider has also been observed abusing endpoint detection and response (EDR) tooling to run commands such as whoami and quser in order to test the level of access it has obtained in a victim environment.
Mandiant highlighted continued access to Azure, CyberArk, Salesforce, and Workday by UNC3944, conducting further reconnaissance within each application. Specifically, the use of the PowerShell module psPAS to interact with CyberArk instances has been noted, a pattern also observed in RansomHub ransomware attacks. This suggests a possible affiliation with ransomware-as-a-service (RaaS) operations, according to GuidePoint Security.
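Two of the behaviours described above lend themselves to simple detection logic: reconnaissance commands such as whoami and quser executed through an EDR product's remote shell, and a single account being assigned to many applications in a short window, as the article describes for Okta. The following is an added example written for this page; it is not code from the article, Mandiant or any vendor. The log records are constructed, and the field names (`session`, `actor`, `cmd`) and the session label `edr-remote-shell` are assumptions rather than any product's real schema.

```python
"""Detection sketches for two behaviours attributed to Scattered Spider.

All records below are constructed samples; field names are assumptions,
not a vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands the article names as access tests run through EDR tooling.
RECON_COMMANDS = {"whoami", "quser"}

# Assumed label an EDR product might record for a remote/live-response shell.
REMOTE_SHELL_SESSION = "edr-remote-shell"

# Constructed sample endpoint telemetry.
EDR_EVENTS = [
    {"ts": "2024-06-10T09:01:00Z", "host": "ws-017", "actor": "svc-edr",
     "session": "edr-remote-shell", "cmd": "whoami"},
    {"ts": "2024-06-10T09:01:30Z", "host": "ws-017", "actor": "svc-edr",
     "session": "edr-remote-shell", "cmd": "quser"},
    # Same command from a normal interactive logon: expected, not flagged.
    {"ts": "2024-06-10T09:02:00Z", "host": "ws-021", "actor": "jdoe",
     "session": "interactive", "cmd": "whoami"},
    {"ts": "2024-06-10T09:05:00Z", "host": "ws-017", "actor": "svc-edr",
     "session": "edr-remote-shell", "cmd": "ipconfig /all"},
]

# Constructed sample identity-provider app-assignment events:
# (timestamp, account, application).
APP_ASSIGNMENTS = [
    ("2024-06-10T10:00:00Z", "alice", "Salesforce"),
    ("2024-06-10T10:02:00Z", "alice", "Workday"),
    ("2024-06-10T10:04:00Z", "alice", "Azure"),
    ("2024-06-10T10:05:00Z", "alice", "CyberArk"),
    ("2024-06-10T11:30:00Z", "bob", "Salesforce"),
    ("2024-06-11T09:00:00Z", "bob", "Workday"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_edr_recon(events, commands=RECON_COMMANDS, session=REMOTE_SHELL_SESSION):
    """Return (host, actor, command) triples for recon commands run via the EDR shell."""
    hits = []
    for e in events:
        if e["session"] != session:
            continue
        # Normalise to the bare binary name: first token, lower-case, no .exe suffix.
        binary = e["cmd"].split()[0].lower()
        if binary.endswith(".exe"):
            binary = binary[:-4]
        if binary in commands:
            hits.append((e["host"], e["actor"], binary))
    return hits


def flag_assignment_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {account: [apps]} for accounts assigned >= threshold apps within one window."""
    by_account = defaultdict(list)
    for ts, account, app in events:
        by_account[account].append((_parse(ts), app))
    flagged = {}
    for account, items in by_account.items():
        items.sort()
        for i in range(len(items)):
            j = i
            # Extend the window forward from event i as far as it reaches.
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[account] = [app for _, app in items[i:j + 1]]
                break
    return flagged


if __name__ == "__main__":
    for hit in flag_edr_recon(EDR_EVENTS):
        print("recon via EDR shell:", hit)
    for account, apps in flag_assignment_bursts(APP_ASSIGNMENTS).items():
        print("burst of app assignments:", account, apps)
```

On the constructed input, only the two commands issued through the remote-shell session are reported (the interactive whoami is treated as normal user activity), and only `alice`, who gains four applications within five minutes, is flagged; `bob`'s two assignments a day apart fall below the threshold. In practice the session label and the threshold should be tuned to the EDR and identity provider actually in use.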
The group has actively targeted the finance and insurance sectors, using convincing lookalike domains and login pages for credential theft. The FBI told Reuters last month that it is preparing to charge hackers from Scattered Spider, which has been linked to attacks on over 100 organizations since May 2022.