Charlotte Rhodes

Salesforce Attack Developments: Scattered Spider and ShinyHunters Team Up

In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.

The story of the ongoing targeting of Salesforce customers rolls on. After last week’s attribution of the hacking campaign to ShinyHunters, this week the attacks took on a new dimension as both researchers and threat actors said that the group may be working in collaboration with another hacking collective: Scattered Spider.

Evidence for this unholy alliance included the emergence of several Telegram channels combining the groups’ names (along with LAPSUS$, a group that made waves back in 2022 for data extortion and conflicts with other threat actors) into “Scattered LAPSUS$ Hunters”.

A cascade of stolen data samples and extortion demands was posted, referencing victims previously associated with ShinyHunters, including Victoria’s Secret, Qantas and Coca-Cola.

Records of dark web forum personas suggest that actors associated with the groups may have been working together for over a year, while an alleged representative of ShinyHunters claimed that the groups have “always been the same”.

This development highlights the propensity for overlap between actors in an ever-shifting threat landscape, and the importance of tracking the tactics, techniques and procedures used in campaigns rather than distinct group identities.
