“Goodbye isn’t the end. It’s the beginning of what happens next.” — Joshua Shaw
Reading the news, I see some headlines suggesting that “Scattered LAPSUS$ Hunters” lied in their “Goodbye” message. One headline read, “Security Industry Skeptical of Scattered Spider-ShinyHunters Retirement Claims.” Another read, “Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims,” and a third article declared that the threat actors just feigned retirement and asks,”You didn’t really trust the crims to keep their word, did you?”
But what word do you think they really gave? It seems that although some security professionals understood some nuances in the “Goodbye” message, others may not have fully appreciated one part that seemed the harbinger of current and future events.
The “goodbye” message, which was posted on breachforums[.]hn, is no longer available at that URL, but had been reproduced on DataBreaches.net to preserve it. In part, it said (emphasis added by DataBreaches):
Our objectives having been fulfilled, it is now time to say goodbye.
If you worry about us, don’t. The most stupid (Yurosh, Intel – say hi, you poor La Santé impersonator) will enjoy our golden parachutes with the millions the group accumulated. Others will keep on studying and improving systems you use in your daily lifes. In silence.
Others finally will just go gentle into that good night.
DataBreaches does not know how others interpreted that “Others will keep on studying and improving systems…” line, but DataBreaches interpreted it to mean that at least some would keep on finding and exploiting vulnerabilities, and they would be improving systems we use by exploiting weaknesses in our systems until we strengthened our security.
Not Everyone On Board the “Goodbye” Train?
Although ShinyCorp (“Shiny”) of ShinyHunters seemed ready to retire and to call it quits, DataBreaches had significant doubts that individuals associated with Scattered Spider or LAPSUS$ shared that desire or would do anything “in silence.” Their apparent fun in bragging and taunting targets and law enforcement on Telegram was unlikely to stop without some compelling reason. But the contingencies that might enable others to stop or put the brakes on their behavior seem to be missing for a lot of the active posters on the now-banned Telegram channels. They did not and do not seem to be afraid of law enforcement, despite an increasing number of arrests, Nor is it clear that violence associated with some individuals and incidents is having any significant deterrent effect.
So why would they stop attacking targets? And why would they stop publicly bragging? Those are somewhat rhetorical questions.
The goodbye message wasn’t all a lie. DataBreaches suspects that it is more the case that ShinyHunters really didn’t have the agreement of all those in the Scattered LAPSUS Hunters collaborative. In the weeks preceding the goodbye message, ShinyHunters had been deleting posts by others that threatened researchers or analysts or that would draw too much heat from law enforcement or Telegram. ShinyCorp’s efforts, which reminded DataBreaches of herding cats, were only partially successful, as some posters continued to reveal more than ShinyHunters would have approved of disclosing, such as the alleged arrest of “UNC6395” by a county sheriff on unrelated charges, and threats about retaliation towards that person or agency, or the CJIS screenshots and Google LERS screenshots. Those screenshots, posted after the goodbye message, led DataBreaches to comment that some seemed to be having difficulty sticking to the “in silence” part.
So what’s next?
Eventually, we may see more Telegram channels as some members of the collaborative may gleefully abandon all suggestions of “in silence.”
ReliaQuest recently noted what appeared to be a shift to the financial sector, but there have also been media reports of airlines that have been hit. Qantas, Hawaiian Airlines, and WestJet incidents have all been linked to Scattered LAPSUS$ Hunters, but their goodbye message hints that they may have also attacked British Airways and American Airlines, although neither of those entities have disclosed or confirmed any breaches.
Have they also attacked airports? This week, there were reports of significant interruptions affecting Dallas Airport in the U.S., and several EU airports in Brussels, London, and Berlin. The affected EU airports all use Collins Aerospace’s Multi-User System Environment (MUSE) software which is part of a common-use passenger processing system used by airlines for passenger check-in and boarding. Collins Aerospace’s parent company, RTX, confirmed that MUSE had suffered a cyber-related incident, but did not disclose whether this was a ransomware incident with encryption and whether they had received any ransom demand.
Is Scattered LAPSUS$ Hunters responsible for recent airport incidents? According to ShinyHunters, the group is not responsible for the issues Dallas and its surrounding airports experienced. But when asked whether the group was responsible for the Collins Aerospace incident, ShinyCorp responded with “no comment.”
For ShinyCorp to respond “no comment” to an inquiry from DataBreaches is not unheard of, but ShinyCorp usually asks this site not to mention that they have declined to comment. This time, he mentioned that I could include that he usually asks DataBreaches not to include his “no comments.” Make of that what you will. DataBreaches will continue to try to get actual confirmation or denial from other sources.