When "Goodbye" Isn't the End: Scattered LAPSUS$ Hunters Hack On

"Goodbye isn't the end. It's the beginning of what happens next." - Joshua Shaw

As a journalist, I've seen my fair share of sensational headlines, but one recent article caught my attention. The title read: "Security Industry Skeptical of Scattered Spider-ShinyHunters Retirement Claims." Another headline asked: "Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims." A third article declared that the threat actors just feigned retirement and asked: "You didn't really trust the crims to keep their word, did you?" But what word do you think they really gave? The "goodbye" message, which was posted on breachforums[.]hn, is no longer available at that URL, but had been reproduced on DataBreaches.net to preserve it.

The "goodbye" message, in part, said: "Our objectives having been fulfilled, it is now time to say goodbye. If you worry about us, don't. The most stupid (Yurosh, Intel – say hi, you poor La Santé impersonator) will enjoy our golden parachutes with the millions the group accumulated. Others will keep on studying and improving systems you use in your daily lifes. In silence. Others finally will just go gentle into that good night."

DataBreaches interpreted it to mean that at least some would keep on finding and exploiting vulnerabilities, and they would be improving systems we use by exploiting weaknesses in our systems until we strengthened our security.

However, not everyone was convinced by the "goodbye" message. DataBreaches had significant doubts that individuals associated with Scattered Spider or LAPSUS$ shared that desire or would do anything "in silence." Their apparent fun in bragging and taunting targets and law enforcement on Telegram was unlikely to stop without some compelling reason.

But why would they stop attacking targets? And why would they stop publicly bragging? Those are somewhat rhetorical questions. The goodbye message wasn’t all a lie. DataBreaches suspects that it is more the case that ShinyHunters really didn’t have the agreement of all those in the Scattered LAPSUS Hunters collaborative.

In the weeks preceding the goodbye message, ShinyHunters had been deleting posts by others that threatened researchers or analysts or that would draw too much heat from law enforcement or Telegram. ShinyCorp’s efforts, which reminded DataBreaches of herding cats, were only partially successful, as some posters continued to reveal more than ShinyHunters would have approved of disclosing.

Those screenshots, posted after the goodbye message, led DataBreaches to suspect that some seemed to be having difficulty sticking to the "in silence" part. Eventually, we may see more Telegram channels as some members of the collaborative may gleefully abandon all suggestions of “in silence.”

The Shift to Financial Sector Attacks

ReliaQuest recently noted what appeared to be a shift to the financial sector, but there have also been media reports of airlines that have been hit. Qantas, Hawaiian Airlines, and WestJet incidents have all been linked to Scattered LAPSUS$ Hunters, but their goodbye message hints that they may have also attacked British Airways and American Airlines, although neither of those entities have disclosed or confirmed any breaches.

The Recent Airport Incidents

This week, there were reports of significant interruptions affecting Dallas Airport in the U.S., and several EU airports in Brussels, London, and Berlin. The affected EU airports all use Collins Aerospace’s Multi-User System Environment (MUSE) software which is part of a common-use passenger processing system used by airlines for passenger check-in and boarding.

Collins Aerospace’s parent company, RTX, confirmed that MUSE had suffered a cyber-related incident, but did not disclose whether this was a ransomware incident with encryption and whether they had received any ransom demand. Is Scattered LAPSUS$ Hunters responsible for recent airport incidents?

The Denial from ShinyCorp

According to ShinyHunters, the group is not responsible for the issues Dallas and its surrounding airports experienced. But when asked whether the group was responsible for the Collins Aerospace incident, ShinyCorp responded with “no .” For ShinyCorp to respond "no" to an inquiry from DataBreaches is not unheard of, but ShinyCorp usually asks this site not to mention that they have declined to.

Make of that what you will. DataBreaches will continue to try to get actual confirmation or denial from other sources.