
Qantas hack: Experts point finger at Scattered Spider collective

Darktrace CISO says breach shows “many hallmarks of the Scattered Spider ransomware group”.


Hours after Australia’s national carrier, Qantas, confirmed that it had been the victim of a cyber attack, experts are already saying the culprit is very likely the hacking collective known as Scattered Spider.

“Initial reports on Qantas’ cyber breach show many hallmarks of the Scattered Spider ransomware group, which claimed responsibility for attacks against America’s Hawaiian Airlines and Canada’s Westjet last week, and the crippling attack against Marks & Spencer in the UK in April,” Tony Jarvis, field chief information security officer and vice president APJ at Darktrace, told Cyber Daily.

“Scattered Spider are thought to be native English speakers who don’t just exploit technical vulnerabilities but manipulate people, especially IT help desks, through phishing, multi-factor authentication (MFA) bombing, and SIM swapping to gain access.”


Qantas said in a 2 July statement that it had detected “unusual activity” on a third-party customer service platform on Monday (30 June). The platform holds the details of 6 million Qantas customers, and while the airline is working to find out how many customers are impacted, it’s already aware that some personal details have been compromised.

“The unfortunate thing is that this sort of third-party attack is not unique. It is just one more example of why cyber security is a fundamental business priority across the entire supply chain – especially when defending against highly targeted tactics that bypass traditional security measures,” Jarvis said.

“How significant the impact will be to Qantas’ operations – across both digital and physical channels – and the damage to its brand and reputation remains to be seen.”

Given the FBI’s recent warning of Scattered Spider activity targeting airlines, Elliot Dellys, CEO of Australian cyber security firm Phronesis Security, said it would not be surprising if the collective was behind the Qantas data breach.

“Scattered Spider (also known as UNC3944) is a fascinating threat actor of growing concern. Rather than being composed of a centralised command and control structure like Russian ransomware groups, it is believed to be composed of a disparate group of young hackers living in the United States and United Kingdom,” Dellys said.

“While Qantas [has] made a public statement that login information, credit card details, personal financial information and passport details have not been disclosed, there remains a significant risk of ongoing targeted phishing attacks and identity fraud for users that may have personal information exposed.

“If this incident is the result of a third-party compromise, it adds to an increasing list of major Australian organisations that have done their utmost to secure data, just to have it exposed via a third party.

“It is also a timely reminder for organisations that effective cyber security is about far more than just having the latest tech. Breaches are frequently the result of inadequate third-party risk management, human error, or well-intended people doing the wrong thing.”

Satnam Narang, senior staff research engineer at Tenable, notes that the attack bears one of Scattered Spider’s signature moves: the stolen data has yet to be publicised anywhere.

“Because this breach just occurred, we don’t have the full extent of all of the data that may have been exposed as a result. What we do know is that so far, it hasn’t been shopped for sale by any threat actors,” Narang said.

While the data compromised is relatively basic, Narang does note that it could still be useful in the cyber-criminal ecosystem and have an impact on the individuals affected.

“For users whose personal information may have been exposed, the biggest risk is follow-on social engineering attacks targeted against them. If passwords end up becoming part of the stolen data, then credential stuffing attacks, where attackers attempt to reuse stolen credentials on other sites, are likely to follow,” Narang said.

“Without confirmation of password exposure, users don’t need to rush to change their passwords yet. However, users should ensure they use strong and unique passwords on each site, but most importantly, be sure that multifactor authentication (MFA) is enabled on sensitive accounts to prevent credential stuffing attacks from being successful.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
