ReliaQuest links manufacturing breach to Scattered Spider
ReliaQuest has released an investigation into an intrusion targeting a customer in the manufacturing sector in October 2024.
The security firm attributed this incident with high confidence to "Scattered Spider," an English-speaking collective that acts as an affiliate for the ransomware group RansomHub. This group previously collaborated with "ALPHV" and now partners with RansomHub following ALPHV's disbandment earlier this year.
The attacker gained initial access to the organisation by social-engineering the help desk, convincing staff to reset the account credentials of high-ranking users, including the Chief Financial Officer (CFO) and a domain administrator, to facilitate further unauthorised access.
In a notable approach, the attacker used the organisation's ESXi environment to create a virtual machine, a technique employed to maintain persistence and evade detection by security tools. The virtual machine was subsequently used to encrypt systems and sabotage backups within six hours.
ReliaQuest's investigation detailed the tactics, techniques, and procedures (TTPs) employed by Scattered Spider. The report recommends organisations take comprehensive security measures to mitigate such attacks, including restricting permissions on platforms like SharePoint and hardening ESXi environments against unauthorised configurations.
Further scrutiny of the attacker's methods revealed the use of Verizon IPv6 addresses for network infiltration, leveraging the clean reputation of those addresses to bypass security controls. The attackers abused authentication infrastructure such as Okta and gained unauthorised access to critical applications like SentinelOne by impersonating users.
This breach underscores the trend of collaboration between English-speaking threat actors and Russia-linked groups. Scattered Spider's English proficiency has proved advantageous for conducting social engineering attacks, facilitating their partnership with groups adept at network intrusion and ransomware deployment.
The report also explores RansomHub's rise as a dominant ransomware group. Since its emergence in early 2024, RansomHub's profit-sharing model has attracted proficient affiliates, including those from ALPHV's defunct network. This, coupled with advanced social engineering skills, has increased the group's influence in the cyber landscape.
Critical to the investigation was the discovery of a new tactic employed by the attackers. After encrypting hosts and exfiltrating data, the attacker delivered the ransom note through Microsoft Teams rather than by traditional means, a shift intended to ensure the victim received and responded to the demand.
ReliaQuest stresses that this incident illustrates the importance of robust defence mechanisms against advanced cyber threats. The company advises firms to bolster resistance against social engineering and ransomware attacks by updating security protocols and conducting regular employee training to effectively recognise and respond to potential threats.