A banner week for Scattered Spider/Lapsus$/ShinyHunters and maybe The Com

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.

If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!

People outside the cybersecurity industry, and even infosec professionals, can be forgiven if they confuse several groups of loosely organized, young, native English-speaking, primarily financially motivated hacking groups for one another. These groups go by various names, including Scattered Spider, Lapsus$, ShinyHunters, and The Com.

The first three of these groups are so closely aligned, if not in organization, then in demographics, spirit, and motivations, that in August, they launched a joint "Scattered LAPSUS$ Hunters" Telegram channel to indicate they are either working together or that their hacker ranks overlap.

The Com, however, is an amorphous group, also composed of native English-speaking hackers, that Unit221B’s chief research officer, Allison Nixon, stresses is a malicious teen “culture” distinct from Scattered Spider and rooted more in publicity seeking rather than financial gain. However, Scattered Spider and The Com recently both seemingly took credit for the same significant breach (more on that below), so the boundaries between those two entities may be permeable.

In any case, the Scattered Spider/ShinyHunters hackers have been on a financial extortion spree this year, creating havoc with attacks on retail giants in the UK, luxury brands including Tiffany and Co, Louis Vuitton, and Dior, the aviation sector, and high-profile Salesforce clients, among other targets.

But this past week, they reached a little-noticed high-water mark for the sheer number of cybersecurity news items linked to them, including:

• An attack on Vietnam’s National Credit Information Center (CIC).
• An attack on Kering SA, whose luxury brands include Gucci, Saint Laurent, Balenciaga, and others.
• An attack on Jaguar Land Rover, which has thrown the automaker into an extended shutdown.
• Google’s public acknowledgment that hackers breached its Law Enforcement Request System (LERS) platform.
• A breach of Korea’s SK Telecom, which the telco has denied.
• A class action lawsuit brought by victims of the Coinbase breach was brought against the cryptocurrency’s outsourced helpdesk firm, TaskUS, which alleged that at least one employee was involved in a $500k bribery scheme, for which both The Com and Scattered Spider have taken credit.

Despite the magnitude of that breach, which was not a ransomware attack but an extortion scheme against Coinbase to halt the release of data on around 70,000 of its highest-paying customers, and is expected to cost the company around $400 million, only a few journalists have reported on the threat actors who might be behind the bribes.