Experts point the finger at a mysterious hacking group with possible links to Scattered Spider for the Qantas breach, alongside a string of Salesforce-related incidents.
When Qantas first revealed it had been the victim of a cyber attack that compromised the personal data of millions of its customers, many experts attributed the attack to the Scattered Spider hacking collective.
However, while that attribution may be close, our colleagues in cyber journalism at BleepingComputer now believe that the hacking group known as ShinyHunters may be behind the breach, which affected 5.7 million people.
“A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances,” BleepingComputer wrote on 30 July.
BleepingComputer and some experts currently believe that the membership of ShinyHunters and Scattered Spider overlaps significantly, and that the two groups also share tactics, techniques, and procedures – a theory that Cyber Daily shares.
“According to Recorded Future intelligence, the overlapping TTPs between known Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups,” Allan Liska, an intelligence analyst for Recorded Future, told BleepingComputer.
BleepingComputer has now linked ShinyHunters to a string of attacks that targeted Salesforce CRM platforms, including those on Allianz Life, Louis Vuitton, Adidas, and now Qantas. Qantas has not confirmed that the system compromised in its attack was a Salesforce instance, but there has been speculation, both in the media and within the industry, that it was.
Additionally, Google’s Threat Intelligence Group (GTIG) warned in June that a threat actor it tracks as UNC6040 was actively targeting Salesforce instances using Salesforce’s own Data Loader application, persuading employees over the phone to authorise a connected app under the attacker’s control.
“In some of the intrusions using Data Loader, threat actors utilised modified versions of Data Loader to exfiltrate Salesforce data from victim organisations,” GTIG said in a recent blog post.
“In these interactions, UNC6040 also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration.”
GTIG noted that when making contact with its victims, this threat actor claimed to have links to the ShinyHunters group.
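The pattern GTIG describes leaves a recognisable trace in login and API telemetry: a user who suddenly authenticates with a Data Loader-style connected app, from an address they have never used, and pulls an unusually large number of rows within minutes. The following Python is an added example of a detection heuristic over that trace; it is not code from Salesforce, GTIG, BleepingComputer or Cyber Daily. The record format (user, app, source_ip, ts, rows) is a simplified, assumed shape rather than a real Salesforce export schema, and the sample records are constructed for the example.

```python
"""Flag Data Loader-style bulk pulls whose source IP or client app is new for the user.

Added illustration of the abuse pattern described above. The record layout and all
sample data are constructed assumptions, not a real Salesforce log format.
"""
from datetime import datetime, timedelta

# Constructed sample records (assumed fields: user, app, source_ip, ts, rows).
# "rows" is the number of records the session pulled through the API.
RECORDS = [
    {"user": "alice", "app": "Browser", "source_ip": "203.0.113.10",
     "ts": "2025-06-10T08:01:00", "rows": 0},
    {"user": "alice", "app": "Browser", "source_ip": "203.0.113.10",
     "ts": "2025-06-11T08:05:00", "rows": 0},
    # After a vishing call, alice authorises a loader-style connected app;
    # the attacker then logs in with it from an address alice has never used.
    {"user": "alice", "app": "Data Loader Partner", "source_ip": "198.51.100.77",
     "ts": "2025-06-12T14:20:00", "rows": 0},
    {"user": "alice", "app": "Data Loader Partner", "source_ip": "198.51.100.77",
     "ts": "2025-06-12T14:25:00", "rows": 5_700_000},
    # bob is an admin who has used Data Loader from the office address for weeks.
    {"user": "bob", "app": "Data Loader", "source_ip": "203.0.113.10",
     "ts": "2025-06-01T09:00:00", "rows": 1_000},
    {"user": "bob", "app": "Data Loader", "source_ip": "203.0.113.10",
     "ts": "2025-06-12T09:00:00", "rows": 1_200},
]


def _is_loader_app(app):
    # Data Loader identifies itself by name; a renamed or modified build may not,
    # so treat the name match as one signal rather than proof.
    return "data loader" in app.lower()


def find_suspicious_exports(records, row_threshold=100_000,
                            novelty_window=timedelta(days=1)):
    """Return one alert per large pull through a loader-style app where the
    user's source IP, or the user's use of such an app, is newer than
    novelty_window. Records are processed in timestamp order so that the
    baseline only contains what was seen before each event."""
    first_seen_ip = {}      # (user, source_ip) -> first timestamp observed
    first_loader_use = {}   # user -> first timestamp seen with a loader app
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        ip_first = first_seen_ip.setdefault((rec["user"], rec["source_ip"]), ts)
        if not _is_loader_app(rec["app"]):
            continue
        loader_first = first_loader_use.setdefault(rec["user"], ts)
        if rec["rows"] < row_threshold:
            continue
        reasons = []
        if ts - ip_first <= novelty_window:
            reasons.append("new_source_ip")
        if ts - loader_first <= novelty_window:
            reasons.append("new_loader_app")
        if reasons:
            alerts.append({"user": rec["user"], "ts": rec["ts"],
                           "rows": rec["rows"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(RECORDS):
        print(alert)
```

On the constructed data this raises a single alert, for alice's 5.7 million-row pull, with both reasons attached; bob's routine Data Loader sessions are below the row threshold and come from a long-established address, so they are not flagged. In a real deployment the two novelty checks would be fed from LoginHistory and API usage telemetry, and a connected-app allowlist would be a stronger control than name matching.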
While correspondence between Qantas and its hackers has been released in court documents obtained by Cyber Daily, the name by which the hackers introduced themselves was redacted. However, BleepingComputer has learnt through its channels that the hackers identified themselves as ShinyHunters, which appears to match the length of the redaction in the correspondence that Cyber Daily has previously seen.
Shiny, Shiny, bad times not necessarily behind me
Several individuals with links to ShinyHunters were recently arrested in France, and the group has claimed a string of other high-profile attacks, often exploiting weaknesses in third-party applications. AT&T, Ticketmaster, and Pizza Hut are all on the group’s previous hit list.
Despite the arrests, the collective appears to still be active, suggesting a wider pool of members. Both Scattered Spider and ShinyHunters are thought to have links to, or be part of, a wider and more shadowy collective known only as The Com. Little is known about this larger group, other than that its members are technically proficient and known to be English speakers.
Cyber Daily has reached out to Qantas for comment.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.