Hacker involved in Scattered Spider and RansomHub arrested


US and Spanish authorities have collaborated to arrest a 22-year-old British hacker in Palma de Mallorca, Spain. He is suspected of being a key member of the cybercriminal group Scattered Spider, known for its sophisticated social engineering and SIM swapping attacks. The arrest occurred while the hacker, known by the alias “Tyler” and identified as Tyler Buchanan, was attempting to board a flight to Italy.

Operation Details

The operation, conducted by the FBI in collaboration with the Spanish police, followed an in-depth investigation into several high-profile ransomware attacks attributed to Scattered Spider. This group is also known by other names, including 0ktapus, Octo Tempest and UNC3944, and is involved in credential harvesting and ransomware activities, using advanced phishing techniques and Okta permission abuse to compromise cloud and SaaS infrastructures.

Attack Methodologies

Scattered Spider is known for using SIM swapping attacks, where the hacker convinces the telecom provider to transfer the victim’s phone number to a SIM under their control. This allows attackers to intercept messages and take control of the victim’s online accounts. Additionally, the group has adapted its techniques to carry out encryption-free extortion attacks, aimed at stealing data from SaaS applications and using it to blackmail victims.

Involvement in RansomHub ransomware

Tyler Buchanan’s involvement isn’t just limited to Scattered Spider. He is also suspected of being affiliated with the ransomware-as-a-service (RaaS) operation known as RansomHub. This group uses cloud synchronization tools such as Airbyte and Fivetran to export data to attacker-controlled cloud storage. Tactics include creating virtual machines to maintain persistence and using PowerShell modules to interact with victims’ CyberArk instances.

Implications and security measures

The arrest of Tyler Buchanan represents a significant blow to Scattered Spider and global ransomware operations. The fact that it occurred in Spain suggests that cybercriminals are not beyond the reach of law enforcement outside their countries of origin. Authorities continue to work to identify and prosecute other members of the group, which has already affected over 100 organizations since its inception in 2022. This case highlights the importance of robust cybersecurity systems and international cooperation in the fight against cybercrime.

 