Amberly Jack
Hey, everyone, and welcome along to Seriously Risky Business, the podcast that we do here at Risky Biz, all about cybersecurity policy and intelligence. My name is Amberly Jack, obviously not Patrick Gray. He's on holiday for a couple of weeks, and I usually hang out behind the scenes here at Risky Biz, but I will be talking to Tom Uren, our policy and intelligence editor, in just a moment. But first, I want to thank the William and Flora Hewlett Foundation for supporting Tom's work here at Risky Biz and also Lawfare, who syndicate and publish Tom's newsletter on the Lawfare Media website. You can, of course, head along to our website, Risky Biz, and subscribe to Tom's Seriously Risky Business newsletter and all the newsletters that we do here at Risky Biz. We also have a corporate sponsor this week, which is Knocknoc, and you can find them at knocknoc.com. But now, Tom, thank you for joining me. How are you?
Tom Uren
G'day, Amberly. Welcome to the podcast.
Amberly Jack
Thank you. It's very exciting. I spend a lot of time in the production mines here, and it's kind of exciting being on this side of the camera. You've touched on a couple of topics, and the first one that I want to talk to you about is Scattered Spider and the fact that there may kind of be a few key players as opposed to just a whole lot of people doing their thing. Scattered Spider, whether you call them a group, a community, a vibe, is causing all kinds of chaos, especially over the past few months. But this new reporting that you've written about could kind of be key to us figuring out the structure of Scattered Spider. Is that the case?
Tom Uren
Yeah. So the story behind Scattered Spider is basically, in the last three or four years, there have been a number of different groups that have had different names. Originally, there was a group of teenagers called Lapsus, and it turned out they were UK and US kids who were just really good at social engineering. And they would also do SIM swapping. So they would basically get the identity or steal the identity of someone, their access credentials, and then they would break into organizations and cause absolute chaos. And as a group, these teenagers have really pointed out that everyone's operating under a set of assumptions that aren't really true. And they've been just tremendously successful at breaking into all sorts of organizations. Now that group's evolved and those techniques are relatively widespread. And as of last year, the FBI said that there are about 1,000 people involved in this broader group. And for a while here at Risky Business, we've been saying it's more a vibe, it's more a community rather than a discrete group. And that makes it very hard to stop. Really the only way to stop that group is to one by one improve the processes at places like call centers, because they often target call centers that are providing support to businesses. They're called business process outsourcers. Someone who might manage an IT support network for a firm, and they target those outsourcers and they get access and they just recal it tremendously quickly. Now, these reports come basically from two different threat intelligence firms. So they've been produced in two different articles, basically. And one of them is this firm called Halcyon. And they have an ex-FBI cyber person there, Cynthia Kaiser. And she basically said that there's only two to four key players.
And she described them as project managers, people who gather all the other people involved, set them at a task, coordinate the gathering of initial access brokers, and bring together people to get a job done. And the other one was Adam Myers from CrowdStrike, who's their, I think, VP of Counter Adversary Operations or something like that. And he basically had exactly the same number. He said there's maybe four key players. Now, that really changes the way you think about what to do about a group like Scattered Spider. And if there's just four key players, that really gives you something concrete to target. So there's some evidence that there are a small number of key players here. In the last year, there were about five people who were arrested, and they were all arrested for the social engineering part. So they were very good at talking to help desks and getting information that they would, you know, they'd get denied, but they'd get a little bit of information, then they'd ring up again at a different time, get a little bit more information. And they might already have the credentials of someone from an initial access broker, but they would convince the help desk to reset their MFA tokens or hardware or whatever so that they could then turn those credentials into actual access. And so by repeatedly calling, they would assume accents. They would understand the help desk or the organization well enough to masquerade as a genuine employee. And apparently those skills were somewhat unique. There's not a whole huge number of people who are actually very good at it. So in fact, a couple of years ago, Bill Siegel, who's at Coveware, which is a ransomware incident response firm, he'd helped a number of companies deal with Scattered Spider. And he said that they would listen to the recordings of the interactions with the help desk. And it turns out there were only two or three people who were doing those calls. So it seems like, whether it's the project management or the social engineering, there's just some people who are very much better than other people and are able to pull off these kinds of hacks.
Amberly Jack
It's quite funny, actually. I mean, regardless of whether you're like a massive construction industry corporation or cybercrime, it all comes down to having the right project manager, right?
Tom Uren
Yeah, that's right. I spoke to Adam Boileau about this and I said, does this make sense to you that there's just some people who are way more capable than everyone else? I guess it's like what people call the 10x developer. And he said, yeah, yeah. In his experience in penetration testing, there's a small number of people who are actually able to have, he said, a vision and drive what other people do in order to achieve that vision. So in a way, this story left me hopeful that there's a point of leverage that people can target. And now that's not necessarily arrests; the traditional law enforcement process is just to arrest people and put them away. I'm reminded of the story of the kids who wrote Mirai, and most of those kids, I think there were three or four of them. The FBI intervened. One of the FBI agents became somewhat like a father figure, it felt to me, in this story, and basically turned their lives around. Most of them are now working actually in threat intelligence, so it doesn't have to be arrests, but I guess the point is that you need to figure out who those people are and do something about them.
Amberly Jack
Yeah, for sure. What I found really interesting reading your analysis this morning as well is, I mean, you've touched on, I think there were two different reports, maybe a third one as well, but they all kind of landed on the same number. They were all saying, you know, it's three or four, so there must be something to that, surely.
Tom Uren
I would suspect that the two threat intelligence companies, Halcyon and CrowdStrike, were talking about the same people. So the third report I referenced, they were talking about social engineers rather than the project managers. But I suspect they know who they are, like Halcyon and CrowdStrike do. And it's just a matter of the FBI sometimes taking longer than people would like.
Amberly Jack
Shrug. Yeah, fair enough. As you said in the newsletter, we're not going to stop them necessarily, but if we manage to, you know, if those people manage to get located.
Tom Uren
And the way I think about it is that there is a community. There is like a large number of people doing these kinds of activities. Some of them focus on high impact, very disruptive activities. And like, I guess those are the ones you have to prioritize. There's a whole lot of other people who do lower profile, lower impact stuff. And I think when you've got perhaps a thousand people involved, yes, you just have to let that stuff maybe not go, but it's certainly not where you're focusing your efforts. And if you can identify just a few key people, that's absolutely where you have to focus your effort. And I think that's the take home from this story that there are key people that it is worth tracking down.
Amberly Jack
Yeah, 100%. And the second thing that you touched on today, Tom, is these leaks from Chinese espionage companies for sale on underground forums, data breach and leak site. And it made me laugh. You seem kind of gleeful in your hope that this may be the beginning of a Chinese espionage for service market.
Tom Uren
Yeah. So the backstory is a couple of weeks ago I wrote about some leaks of material from the Russian Federal Security Service, the FSB. And they were sold on Telegram by a group called AresLeaks. And that I thought was interesting. Like here's a group trying to sell intelligence material. They've got it as a product line. That's interesting. I don't think it'll ever take off. But in this case we have two different, maybe different vendors trying to sell material from Chinese cyber espionage companies on an English-language data leak site called Darkforums. And they've got samples, and the samples relate to a company called Venus Tech, which it looks like apparently is hacking a large number of Indian, South Korean, Taiwanese entities, organizations. And the sample shows a list of how often it gets material from those hacks and the price that's paid. So for example, for a Taiwanese entity, it was 85,000 yuan per month, which is something on the order of 10 or 12,000 US dollars. And it was everything on the server that we want every month. And so you can see that different organizations have different prices and different revisit rates, which I thought was super interesting. And then another leak offered for sale was from Salt Typhoon. So Salt Typhoon is the group that has had just tremendous success compromising U.S. telecommunications companies and others around the world. And it's offered the people who work for Salt Typhoon; it's given as a sample just seven individuals, their names, national ID numbers, their phone numbers, and then it's also offered routers, like these are the routers that Salt Typhoon has compromised, and it's given IP addresses. And it struck me that that intelligence is actually tremendously actionable. Like, if you're trying to track down what Salt Typhoon is up to, having a list would be useful. The vendors offered 242 routers, including their passwords and IP addresses, in the full data set for sale.
That would be actually really useful. It doesn't seem like the US is entirely confident they've wrapped up Salt Typhoon. So having, maybe it's a master list, I don't know, that would be, I think, very useful.
Amberly Jack
Yeah.
Tom Uren
And so the information they're offering is, I felt, actionable, like it would be actionable to know. Here are the IP addresses, here are the names and numbers of these individuals. Here are the entities that whoever is related to Venus Tech has hacked. I think that's stuff you could use very, very practically. And the structure of the Chinese espionage, I call it an ecosystem, is that there's many, many different front companies, there's many contracting firms, they operate on a sort of freelance basis where they go and hack and then try and find buyers for the intelligence in official government intelligence services later. And so there's a lot of potential suppliers in that ecosystem who might think, yeah, actually I have some interesting information where I can earn a little extra money as a side hustle by selling it on the free market. And also the pay and conditions in some of these firms are not that good. So we know from other leaks that employees get disgruntled by the poor conditions; they work very hard, don't necessarily get paid a huge amount. So it actually seems like there's the possibility that an espionage-for-service market could arise out of these things. So whereas the Russian leaks I first started talking about, they didn't feel very actionable. They felt interesting. It was interesting to hear this stuff from the horse's mouth, from the FSB. And it also felt like the sources of interesting documents were very few. Like, there's the actual national intelligence agencies and they would be very motivated to crack down on those leaks. Whereas this feels very different. Feels like there's a possible wealth of vendors and they've got more reasons to try and sell stuff. So to me, it felt like this stuff is probably worth buying and if you buy it, you may encourage a market and that would be a great thing.
Amberly Jack
Yeah, yeah, for sure. I mean, I'm no expert, but when I was reading your piece this morning and saw the title "Chinese government hacking group Salt Typhoon banking data plus internal files", it sounds like something that a few people might want to put the auction paddle up for and have a little peruse over.
Tom Uren
One of the things about the previous Russian leaks is that it didn't feel like there was anyone in an intelligence agency who would think, I'm willing to give up budget for that. It kind of told us stuff that we already knew, but it was interesting to hear the words directly from the horse's mouth, from Russian official sources. Whereas this feels like, if I had the job of tracking down Salt Typhoon, this seems like something that it would be worth spending money for. So it feels like there would be a budget holder that could say, okay, here's $10,000 or whatever, and that might save us $10,000 worth of time and effort, or it might supercharge our efforts. It felt like there was a sort of organizational dynamic that might encourage people to give up their personal budget to buy this stuff.
Amberly Jack
Yeah.
Tom Uren
So that struck me as just a different dynamic in the type of data offered for sale. And if you can get practical stuff, that's the whole point of espionage: to get stuff that you can take action on, that is actionable.
Amberly Jack
Yeah, for sure. Is this a tariff-free auction? Do you know?
Tom Uren
Yeah. The other interesting thing is that it's an English-language forum rather than Telegram. And so Telegram, it seems like the Russian government probably has access. And so this seems like a wiser choice as well.
Amberly Jack
Less windows.
Tom Uren
That's right.
Amberly Jack
All right. Hey, Tom, we're going to leave it there, but thank you so much for your time and as always, for your fascinating newsletter. You can subscribe to Tom's Seriously Risky Business newsletter at Risky Biz. And Tom, we will see you same time next week.
Tom Uren
Thanks, Amberly.
Risky Bulletin: Episode Summary
Episode Title: Srsly Risky Biz: Four Key Players Drive Scattered Spider
Host: Amberly Jack
Guest: Tom Uren, Policy and Intelligence Editor at Risky Biz
Release Date: July 10, 2025
In this episode of Risky Bulletin, host Amberly Jack engages in an insightful discussion with Tom Uren, the Policy and Intelligence Editor at Risky Biz. The conversation delves into two major cybersecurity topics: the organizational structure of the cyber threat group Scattered Spider and the implications of Chinese espionage data leaks being sold on underground forums.
Amberly Jack initiates the discussion by highlighting the recent focus on Scattered Spider, a prominent cyber threat group. She notes the shift from viewing them as a loosely connected community to identifying specific key players within the group.
"Scattered Spider, whether you call them a group, a community, a vibe, causing all kinds of chaos, especially over the past few months." [00:59]
Tom Uren elaborates on the evolution of Scattered Spider, tracing its roots back to the teenage group Lapsus. He explains how their sophisticated social engineering and SIM swapping techniques have led to substantial disruptions.
"Originally, there was a group of teenagers called Lapsus... they've been just tremendously successful at breaking into all sorts of organizations." [01:38]
He further discusses recent reports from threat intelligence firms Halcyon and CrowdStrike, both indicating that Scattered Spider is driven by just two to four key players. This revelation suggests a more centralized command structure than previously believed.
"Cynthia Kaiser... said that there's only two to four key players... Adam Myers from CrowdStrike... said there's maybe four key players." [02:15]
Amberly reflects on the significance of this finding, comparing the influence of these key figures to that of project managers in large corporations.
"Regardless whether you're like a massive construction industry corporation or cybercrime, it all comes down to having the right project manager." [06:03]
Tom emphasizes the potential leverage in targeting these key individuals, drawing parallels to successful interventions where central figures were rehabilitated rather than solely relying on arrests.
"There's a point of leverage that people can target... figure out who those people are and do something about them." [06:14]
The discussion underscores the importance of focusing cybersecurity efforts on these pivotal actors to effectively disrupt Scattered Spider's operations.
Shifting gears, Amberly brings up Tom's analysis of recent data leaks involving Chinese espionage groups being sold on underground forums, expressing amusement at the potential rise of a "Chinese espionage for service" market.
"You seem kind of gleeful in your hope that this may be the beginning of a Chinese espionage for service market." [09:17]
Tom provides a detailed account of the situation, contrasting it with previous Russian data leaks. He highlights how Chinese cyber espionage materials are being offered on platforms like Darkforums, complete with actionable intelligence such as IP addresses, names, and phone numbers of compromised individuals.
"Salt Typhoon is the group that has had just tremendous success compromising U.S. telecommunications companies... it's offered the people who work for Salt Typhoon... their password and IP addresses." [11:00]
He points out the practicality of the leaked information, suggesting it could significantly aid efforts to track and counteract groups like Salt Typhoon.
"It felt like this stuff is probably worth buying and if you buy it, you may encourage a market and that would be a great thing." [12:30]
Amberly humorously remarks on the commercial nature of these leaks, likening them to products in an auction.
"It sounds like something that a few people might want to put the auction paddle up for and have a little peruse over." [14:41]
Tom contrasts the current Chinese leaks with earlier Russian ones, noting the increased actionable value and the likelihood of budget allocation within intelligence agencies to purchase such data.
"This feels like something it would be worth spending money for... it felt like there was a... an organizational dynamic that might encourage people to give up their personal budget to buy this stuff." [15:01]
He also observes the strategic choice of using English-language forums over platforms like Telegram, possibly to evade Russian government surveillance.
"It's an English language forum rather than Telegram. And so Telegram, it seems like the Russian government probably has access. And so this seems like a wiser choice as well." [16:15]
The segment concludes with Tom highlighting the actionable nature of the leaked data, emphasizing its potential in enhancing cybersecurity defenses against espionage activities.
The episode wraps up with Amberly thanking Tom for his valuable insights and encouraging listeners to subscribe to his Seriously Risky Business newsletter for more in-depth analyses.
"You can subscribe to Tom's Seriously Risky Business newsletter at Risky Biz." [16:34]
Scattered Spider's Structure: Recent intelligence suggests that Scattered Spider operates under the guidance of a few central figures, making targeted disruption strategies more feasible.
Chinese Espionage Leaks: The sale of actionable espionage data on English-language forums could signify the emergence of a marketplace for intelligence information, potentially altering the landscape of cyber espionage and defense.
Actionable Intelligence: The availability of detailed and practical data from espionage leaks presents both challenges and opportunities for cybersecurity professionals in mitigating threats.
For more detailed analyses and updates on cybersecurity threats, subscribe to Risky Business and their accompanying newsletters.