Dark Web Cybercriminal Activity and Law Enforcement Tactics

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) faces funding cuts that will expire on September 30, 2025, potentially leaving state and local governments vulnerable to cyberattacks. Recent ransomware attacks on Nevada, St. Paul, the Lower Sioux Indian Community, and Pennsylvania underscore the growing threat to local governments. MS-ISAC, which detected over 40,000 potential cyberattacks in 2024, will have to start charging for its services without federal funding. This includes cyber threat analysis and threat intelligence distribution to critical infrastructure such as schools, hospitals, and utilities. The Center for Internet Security (CIS), which operates MS-ISAC, has been temporarily funding the center at a cost of over $1 million per month. Without reinstated funding, the MS-ISAC's services will be at risk, leaving many state and local governments unable to maintain the security of their public services.

Jaguar Land Rover (JLR) has confirmed a data breach following a recent cyberattack that disrupted its operations. The attack, which forced JLR to shut down systems and instruct staff not to report to work, involved data theft. The company is collaborating with the U.K. National Cyber Security Centre (NCSC) to investigate the incident. A group called 'Scattered Lapsus$ Hunters', associated with Lapsus$, Scattered Spider, and ShinyHunters, has claimed responsibility for the breach, sharing screenshots of an internal JLR SAP system and claiming ransomware deployment. This attack is part of a broader pattern of Salesforce data theft attacks, which have impacted numerous organizations this year. The FBI has issued a flash alert on UNC6040 and UNC6395, groups targeting Salesforce platforms, exploiting OAuth tokens and using vishing campaigns. The group 'Scattered Lapsus$ Hunters 4.0' announced it is shutting down on September 12, 2025, possibly to avoid law enforcement attention. However, cybersecurity researchers believe the group will continue conducting attacks quietly despite their claims of going dark. ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating on attacks, leveraging each other's strengths in large-scale data theft and social engineering. This collaboration has targeted major companies across multiple sectors, including retail, insurance, and aviation. The groups have used tactics such as vishing, domain spoofing, and VPN obfuscation for data exfiltration. Recent attacks have impacted Farmers Insurance, with 1.1 million customers affected by a breach involving a third-party vendor's Salesforce database. The group 'Scattered Lapsus$ Hunters' claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement to gain access to sensitive user data. Google confirmed the creation of a fraudulent account in its LERS platform but stated that no data was accessed. The groups have been observed using similar domain formats and registry characteristics, suggesting a coordinated effort. This collaboration poses a significant threat to organizations, requiring a shift in defensive strategies to focus on behavioral patterns and proactive detection measures. The groups are now targeting Salesforce customers and may expand to financial services and technology providers. A new Telegram channel emerged, conflating ShinyHunters, Scattered Spider, and LAPSUS$, claiming to develop a ransomware-as-a-service solution. BreachForums has been commandeered by international law enforcement and turned into a honeypot. Workday confirmed a breach involving a third-party CRM system, likely linked to ShinyHunters' Salesforce attacks. Attackers used social engineering to impersonate Workday's HR department, gaining access to business contact information. Workday quickly blocked access to the compromised system and adopted additional internal security measures. The attack on Allianz Life involved the theft of personal information of 1.1 million individuals, impacting nearly 1.4 million customers. The stolen data includes email addresses, names, genders, dates of birth, phone numbers, and physical addresses. The attackers used a malicious OAuth app to gain access to Salesforce instances, and the extortion demands were signed as coming from ShinyHunters, a known extortion group. The breach was first reported by TechCrunch and confirmed by Allianz Life on July 16. The compromised data was hosted on a Salesforce database, affecting multiple companies. Scattered Spider has resumed attacks targeting the financial sector, despite previous claims of going 'dark'. The group gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management. They accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network. The group attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories. Their recent activity undercuts claims of ceasing operations, suggesting a strategic move to evade law enforcement pressure. Scattered Spider is part of a broader online entity called The Com and shares significant overlap with ShinyHunters and LAPSUS$. The group's retirement claims are likely a strategic retreat to reassess practices, refine tradecraft, and evade ongoing efforts to disrupt their activities. Scattered Spider may regroup or rebrand under a different alias in the future, similar to ransomware groups. The group's farewell letter is viewed as a strategic retreat to complicate attribution efforts and evade law enforcement. Scattered Spider's recent activity includes targeted intrusions against a U.S. banking organization, using sophisticated tactics to evade detection. The UK National Crime Agency (NCA) has arrested two teenagers, Owen Flowers and Thalha Jubair, linked to the Scattered Spider hacking collective. Owen Flowers, 18, from Walsall, and Thalha Jubair, 19, from East London, are scheduled to appear at Westminster Magistrates Court. Flowers was previously arrested in September 2024 for his alleged involvement in the Transport for London (TfL) attack and was released on bail. Additional evidence links Flowers to attacks against U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health. Thalha Jubair was charged with conspiracies to commit computer fraud, money laundering, and wire fraud, affecting at least 47 U.S. organizations. Jubair and his accomplices have received at least $115 million in ransom payments from victims. The TfL cyberattack in August 2024 disrupted internal systems and online services, and compromised customer data including names, contact details, and addresses. TfL provides transportation services to over 8.4 million Londoners through its surface, underground, and Crossrail transport systems. In May 2023, TfL experienced another security breach when the Clop ransomware gang stole data from one of its suppliers' MOVEit Managed File Transfer (MFT) servers. A member of the notorious cybercrime group Scattered Spider has turned himself in to authorities in Las Vegas. The suspect, identified by the FBI's Las Vegas Cyber Task Force, faces charges including extortion and computer-related crimes. The Clark County District Attorney's Office is seeking to transfer the juvenile to the criminal division to face charges as an adult. Meanwhile, two other suspected members, Thalha Jubair and Owen Flowers, were arrested in the UK for their involvement in the Transport for London (TfL) hack. Despite the group's announcement of shutting down operations, security researchers remain skeptical, pointing to evidence of continued activity. Three members of Scattered Spider were arrested in September 2025, following their announcement of shutting down operations. Noah Urban, a key member of Scattered Spider, was sentenced to ten years in prison for his role in SIM-swapping and cybercrime activities. Urban's role involved social engineering to gain access to sensitive systems, using tactics such as SIM-swapping and phishing. Urban's activities included breaching T-Mobile's customer service portal and exploiting a Twilio employee's credentials. The group 0ktapus, which includes Scattered Spider members, was involved in high-profile breaches, including the theft of personal information from Gemini Trust. A man from West Sussex was arrested in connection with a ransomware attack that disrupted operations at several European airports, including Heathrow. The ransomware variant used in the attack was identified as HardBit, described as an "incredibly basic" variant. The attack affected Collins Aerospace baggage and check-in software, causing flight delays at multiple airports. The Co-operative Group in the U.K. reported a loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack caused a revenue reduction of £206 million ($277 million) and additional losses of £20 million ($27 million) expected for the second half of 2025. The Co-op Group operates 2,300 food retail stores and 59 franchise stores. The cyberattack forced the Co-op to shut down parts of its IT systems, causing disruptions to back-office and call-center services. Scattered Spider affiliates were responsible for the Co-op cyberattack, stealing personal data of 6.5 million members. The Co-op had to rebuild its Windows domain controllers and extend system unavailability due to the attack. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response to the attack prevented encryption but resulted in significant financial impact and operational disruptions. The Co-op implemented manual processes, rerouted items, and offered discounts to mitigate the impact of the cyberattack. The Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco, due to the cyberattack. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.