Qantas Cyber Attack Linked to ShinyHunters and Scattered Spider
Qantas recently confirmed that it was targeted in a cyber attack that compromised the personal data of millions of its customers. Initial assessments from cybersecurity experts indicated that the attack might have been executed by the Scattered Spider hacking collective. However, new insights have emerged linking this incident to the notorious ShinyHunters group, known for leveraging voice phishing tactics to breach Salesforce CRM platforms.
According to a report from Bleeping Computer published on July 30, a series of data breaches involving prominent companies, including Qantas, Allianz Life, LVMH, and Adidas, have been connected to ShinyHunters. This group has utilized sophisticated techniques to extract sensitive information from Salesforce CRM instances, raising alarm bells in cybersecurity circles. There is increasing consensus among experts that there is substantial overlap in the membership and operational methodologies of both ShinyHunters and Scattered Spider. Allan Liska, an Intelligence Analyst at Recorded Future, corroborated this notion, suggesting that similar tactics employed by these groups indicate a likelihood of connection.
Bleeping Computer has detailed a pattern of attacks aimed at Salesforce environments, associating ShinyHunters with breaches at high-profile organizations, including Qantas. While the airline has refrained from confirming whether the compromised data was specifically drawn from a Salesforce instance, industry insiders widely suspect that it was. This theory is further supported by findings from Google’s Threat Intelligence Group, which recently warned that a threat actor tracked as UNC6040 was actively compromising Salesforce instances by abusing Salesforce’s Data Loader application.
UNC6040 has been reported to modify Data Loader to facilitate the exfiltration of data from targeted businesses. During these attacks, the group has reportedly solicited user credentials and multifactor authentication codes directly from its victims over the phone in order to authorize the malicious application against the victim’s Salesforce instance, thereby bypassing the protection that MFA would otherwise provide. Notably, UNC6040 has purportedly claimed ties with the ShinyHunters group, further deepening the complexity of these interrelated cyber threats.
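The intrusion pattern described above leaves a recognisable trace: the victim logs in normally from their usual address, and shortly afterwards a bulk-data client such as Data Loader authenticates as the same user from an address that user has never used. The following detection routine is an added example written for this article; it is not code from Qantas, Google, Salesforce or the reporting cited here. It runs over constructed records shaped loosely after Salesforce LoginHistory rows (the field names `UserId`, `LoginTime`, `LoginType`, `Application`, `SourceIp` and `Status` are taken from that object; the exact `Application` string a given client reports, the 30-day baseline window and the two-hour correlation window are assumptions to verify against your own org).

```python
"""Flag bulk-export client logins from addresses a user has never used.

Added example for defenders: correlates a Data Loader-style API login
from an unfamiliar IP with a normal interactive login by the same user
shortly before it, the pattern expected when a victim is talked into
authorising an attacker-controlled client.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumption: the Application values that identify bulk-export clients in
# your org. Check your own LoginHistory data before relying on this set.
BULK_TOOL_APPS = {"Data Loader"}
CORRELATION_WINDOW = timedelta(hours=2)  # assumption: tune to your environment

# Constructed sample records (not real log data). The cutoff below splits
# them into a baseline period and the period under review.
SAMPLE_LOGINS = [
    {"UserId": "005AAA", "LoginTime": "2025-06-10T08:02:00Z", "LoginType": "Application",
     "Application": "Browser", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "005AAA", "LoginTime": "2025-06-12T10:15:00Z", "LoginType": "Other Apex API",
     "Application": "Data Loader", "SourceIp": "203.0.113.10", "Status": "Success"},
    # Victim's own browser session, then a bulk client from elsewhere 40 minutes later.
    {"UserId": "005AAA", "LoginTime": "2025-07-14T09:00:00Z", "LoginType": "Application",
     "Application": "Browser", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "005AAA", "LoginTime": "2025-07-14T09:40:00Z", "LoginType": "Other Apex API",
     "Application": "Data Loader", "SourceIp": "198.51.100.77", "Status": "Success"},
    # Legitimate admin use from a known address: should not alert.
    {"UserId": "005AAA", "LoginTime": "2025-07-15T11:00:00Z", "LoginType": "Other Apex API",
     "Application": "Data Loader", "SourceIp": "203.0.113.10", "Status": "Success"},
    # Failed attempt: not an authorised client, so not an alert here.
    {"UserId": "005BBB", "LoginTime": "2025-07-16T14:00:00Z", "LoginType": "Other Apex API",
     "Application": "Data Loader", "SourceIp": "198.51.100.77", "Status": "Invalid Password"},
]


@dataclass
class Alert:
    user_id: str
    login_time: datetime
    application: str
    source_ip: str
    reason: str


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_ip_baseline(logins: List[dict], cutoff: datetime) -> Dict[str, Set[str]]:
    """Source IPs each user logged in from successfully before the cutoff."""
    baseline: Dict[str, Set[str]] = {}
    for row in logins:
        if row["Status"] == "Success" and _ts(row["LoginTime"]) < cutoff:
            baseline.setdefault(row["UserId"], set()).add(row["SourceIp"])
    return baseline


def find_suspicious_bulk_logins(logins: List[dict], cutoff_iso: str) -> List[Alert]:
    """Successful bulk-client logins after the cutoff from IPs new to the user."""
    cutoff = _ts(cutoff_iso)
    baseline = build_ip_baseline(logins, cutoff)
    recent = sorted((r for r in logins if _ts(r["LoginTime"]) >= cutoff),
                    key=lambda r: _ts(r["LoginTime"]))
    alerts: List[Alert] = []
    for row in recent:
        if row["Status"] != "Success" or row["Application"] not in BULK_TOOL_APPS:
            continue
        user, ip, when = row["UserId"], row["SourceIp"], _ts(row["LoginTime"])
        if ip in baseline.get(user, set()):
            continue
        reason = "bulk-export client from an IP never seen for this user"
        # Strengthen the signal when the same user had a normal session from a
        # different address just before: the victim logged in, the attacker's
        # client was authorised elsewhere.
        for other in recent:
            delta = when - _ts(other["LoginTime"])
            if (other["UserId"] == user and other["Status"] == "Success"
                    and other["Application"] not in BULK_TOOL_APPS
                    and other["SourceIp"] != ip
                    and timedelta(0) <= delta <= CORRELATION_WINDOW):
                reason += "; preceded by an interactive login from a different IP"
                break
        alerts.append(Alert(user, when, row["Application"], ip, reason))
    return alerts


def run_sample() -> List[Alert]:
    """Evaluate the constructed records with a 1 July 2025 cutoff."""
    return find_suspicious_bulk_logins(SAMPLE_LOGINS, "2025-07-01T00:00:00Z")


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only the 14 July Data Loader login from 198.51.100.77 is reported; the baseline suppresses the admin's routine use from 203.0.113.10, and failed attempts are ignored because the concern is a client that actually obtained a session. In a real deployment the baseline would be built from exported LoginHistory data rather than an inline list, and the alert would be paired with a review of connected-app authorisations for the affected user.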
Court documents accessed by Cyber Daily have revealed exchanges between Qantas and its attackers, though the name by which the hackers introduced themselves was redacted. Sources indicate that these hackers are indeed part of ShinyHunters, aligning with earlier reports about the nature of the correspondence. Despite the arrest of several individuals linked to ShinyHunters in France, the group appears to remain fully operational, pointing to a potentially expansive network behind these attacks.
Both Scattered Spider and ShinyHunters are believed to connect to a broader, enigmatic organization referred to as “The Com.” Details surrounding this group remain limited, but they are understood to be technologically adept and primarily consist of English speakers.
As cybersecurity threats continually evolve, business owners must remain vigilant. Understanding the tactics deployed in these recent attacks can provide crucial insights into risk management strategies. The MITRE ATT&CK Framework describes adversary tactics that may have been employed in this incident, including initial access through social engineering, persistence via compromised or attacker-authorized applications, and data exfiltration, all of which underscore the sophisticated nature of current cyber threats.
Cyber Daily has sought comments from Qantas, emphasizing the need for clarity in light of these ongoing developments. As the landscape of cyber threats continues to shift, organizations must proactively reevaluate their cybersecurity protocols to safeguard against these ever-present risks.