The CyberWire Daily Podcast 5.28.24
Ep 2076 | 5.28.24

FBI untangles the web that is Scattered Spider.


The FBI untangles Scattered Spider. The RansomHub group puts a deadline on Christie’s. Prescription services warn customers of data breaches. Personal data from public sector workers in India is leaked online. Check Point says check your VPNs. The Internet Archive suffers DDoS attacks. A Minesweeper clone installs malicious scripts. N2K T-Minus Space Daily podcast host Maria Varmazis speaks with guest Carrie Hernandez Marshall, CEO and Co-Founder from Rebel Space Technologies, about the need to extend cybersecurity into space. If you can’t beat ‘em, troll ‘em.

Today is May 28th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FBI untangles Scattered Spider. 

At last week’s Sleuthcon conference just outside Washington DC, Bryan Vorndran, assistant director of the FBI’s Cyber Division, revealed insights into Scattered Spider, a cybercriminal group linked to numerous high-profile breaches. Known also as 0ktapus or UNC3944, Scattered Spider comprises around 1,000 members, many of whom do not know each other directly. Vorndran described the group as a “very, very large, expansive, dispersed group of individuals.”

This group has breached several prominent companies, including MGM Resorts and Okta. The FBI considers Scattered Spider a top-tier cybersecurity threat, alongside nation-state actors from China and Russia. Composed primarily of native English speakers from the United States and the United Kingdom, the group employs both digital and physical threats. Some members even offer violence as a service, engaging in activities such as assaults and property damage to extort victims.

Despite facing criticism for the lack of public arrests, the FBIofficials say they have taken non-public actions against the group. In January, authorities in Florida arrested 19-year-old Noah Urban, identified as a key figure in the crime ring.

Also at Sleuthcon, Selena Larson, a senior threat intelligence analyst at Proofpoint, stressed that average organizations face greater risks from cybercriminals than from government-backed actors. Her remarks resonated with the audience, highlighting the need to reassess how resources are allocated in the fight against cybercrime.

The RansomHub group puts a deadline on Christie’s. 

The hacker group RansomHub, responsible for a recent attack on Christie’s, has threatened to leak sensitive client information if ransom demands aren’t met by May 31. RansomHub, previously behind an attack on Change Healthcare, claimed access to Christie’s data on the dark web, releasing sample data including names, birth dates, and nationalities. Christie’s acknowledged a tech issue in early May, just before major auctions, revealing unauthorized access by a third party. Despite rejecting initial ransom demands, Christie’s faces pressure to comply to avoid GDPR fines and reputational damage. 

Prescription services warn customers of data breaches. 

Australian digital prescription service MediSecure confirmed that data stolen in a recent ransomware attack is for sale on the dark web. The breach, originating from a third-party provider, involved personal and health information of patients and healthcare providers. A hacker, Ansgar, claimed possession of 6.5 terabytes of data, posting it for sale at $50,000. The Australian National Cyber Security Coordinator and police are investigating. MediSecure assured the public that ongoing access to medication is unaffected.

Meanwhile, Pharmacy prescription service provider Sav-Rx is notifying 2.8 million individuals of a data breach that occurred on October 8, 2023. The attack, quickly contained, did not disrupt patient care or prescription shipments. However, attackers accessed non-clinical systems, exfiltrating personal information including names, addresses, birthdates, Social Security numbers, and insurance IDs. Sav-Rx worked with cybersecurity experts to ensure stolen data was destroyed. The company is offering affected individuals two years of free credit monitoring and identity theft restoration services.

Personal data from public sector workers in India is leaked online. 

A report by WebsitePlanet revealed that over 1.6 million documents containing sensitive personal data from India’s police, military, teachers, and railway workers were exposed online. Cybersecurity researcher Jeremiah Fowler discovered a 496.4 GB database without password protection, likely offered for sale on a dark web-related Telegram group. The data, linked to ThoughtGreen Technologies and Timing Technologies, included biometric information like facial scans, fingerprints, and personal ID documents. The exposed database contained real-time updating records from 2021-2024. Despite attempts to contact the companies, no responses were received. The exposure underscores vulnerabilities in Indian cybersecurity, which has seen a rise in attacks targeting major organizations, posing significant security and privacy risks.

Check Point says check your VPNs. 

Cybersecurity firm Check Point advises customers to review their VPN configurations to prevent abuse by threat actors. Check Point observed attempts to access VPNs from various vendors using old accounts with password-only authentication. No software vulnerabilities were exploited. Check Point recommends disabling unnecessary local accounts and using multi-factor authentication for needed accounts. They provided a script and hotfix to block password-only access and issued guidelines for improving VPN security and investigating suspicious activity.

The Internet Archive suffers DDoS attacks. 

The Internet Archive is experiencing ongoing distributed denial-of-service (DDoS) attacks that began over Memorial Day weekend, causing service disruptions. Despite efforts to mitigate the attacks, many users still faced access issues. The organization confirmed continued attacks on Tuesday. The attacks have not affected the data but have rendered most services unavailable. 

A Minesweeper clone installs malicious scripts. 

Hackers are using code from a Python clone of Microsoft’s Minesweeper game to hide malicious scripts in attacks on financial organizations in Europe and the US. Ukraine’s CSIRT-NBU and CERT-UA attribute these attacks to the threat actor ‘UAC-0188.’ The attacks involve using legitimate Minesweeper code to conceal Python scripts that download and install SuperOps RMM, a remote management software. The attack starts with an email from “,” prompting the recipient to download a malicious .SCR file. This file includes both innocuous Minesweeper code and malicious Python code that downloads additional scripts. The attack aims to grant unauthorized access to compromised systems using SuperOps RMM. CERT-UA identified at least five breaches and shared indicators of compromise for detection.


Coming up on our guest segment, we share some N2K crossover. N2K T-Minus Space Daily podcast host Maria Varmazis speaks with Carrie Hernandez Marshall, CEO and Co-Founder from Rebel Space Technologies, about the need to extend cybersecurity into space. We’ll be right back

Welcome back. Thanks so much, Maria. We have details about our guest in our show notes. and, be sure to check out T-Minus Space Daily for your daily space intelligence. 


If you can’t beat ‘em, troll ‘em. 

Russian cybercriminals have been nearly untouchable, launching ransomware attacks against hospitals, critical infrastructure, and businesses with little fear of Western law enforcement or Russian authorities. Even when Russian police take their servers offline, the hackers often resume operations within weeks.

A story from Matt Burgess for Wired describes how Western law enforcement is now adopting a new tactic: psychological operations to disrupt cybercriminals’ trust and morale. They’re essentially trolling the hackers.

For example, in Operation Cronos, the UK’s National Crime Agency (NCA) infiltrated the LockBit ransomware group, responsible for extorting over $500 million. They took the group’s systems offline, redesigned their leak website, and published LockBit’s inner workings, including usernames and login details of 194 affiliate members. This public exposure shattered LockBit’s anonymity and brand, making it toxic to potential collaborators.

Hackers logging into LockBit’s administration systems received messages showing authorities had gathered their details, from usernames to cryptocurrency wallets. These psyops targeted the group’s brand reputation and internal trust, creating friction and distrust among members. As a result, only 69 of the 194 affiliates returned to the platform after the operation.

In another case, London’s Metropolitan Police disrupted LabHost, a phishing service. Police sent personalized video messages to 800 criminals, detailing the data they had collected, including IP addresses and targeted victims’ countries. The message: “We’ve been watching you every time you visited us.”

The impact of these tactics is significant. Hackers discuss these operations on Russian-language cybercrime forums, revealing divisions and mistrust. For instance, after Operation Cronos, some criminals speculated about possible collaboration with law enforcement, while others warned against making memes or jokes about the situation.

By using these psychological strategies alongside traditional technical measures, law enforcement hopes to make the cybercrime world a much more paranoid and hostile environment for the criminals. The ultimate goal? Make hackers think twice before launching their next attack.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.