
Band of Spider associates pretends to quit operation, infiltrates bank instead

Were you ever skeptical that criminals would uphold their promises, given the circumstances?


In a recent turn of events, the notorious hacking collective Scattered Spider has returned to the cybercrime scene, this time focusing on the financial sector. According to a report by ReliaQuest, the group has been responsible for a digital intrusion at a US bank, employing sophisticated social engineering techniques to bypass security and steal sensitive data.

The attack started with the resetting of a Veeam service account password and the assignment of Azure Global Administrator permissions, providing the attacker with unfettered access to the bank's IT systems. Scattered Spider then used this access to snoop through sensitive documents and move laterally through the bank's Citrix environment and Virtual Private Network (VPN).
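A defender can hunt for the opening sequence described above, a password reset on an account followed shortly by a Global Administrator grant involving that same account. The sketch below is an added example, not code from ReliaQuest's report; the flat record layout, the account names, the 24-hour window, and the assumption that both event types arrive in one normalized audit stream are all illustrative.

```python
from datetime import datetime, timedelta

# Activity names as they appear in Entra ID audit logs; the flat record layout
# used here is a simplification (assumption), not the raw export schema.
RESET_ACTIVITIES = {"Reset user password", "Reset password (by admin)"}
HIGH_PRIV_ROLES = {"Global Administrator"}
WINDOW = timedelta(hours=24)  # assumed correlation window; tune per environment

# Constructed sample events with hypothetical accounts, not incident data.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T02:11:00Z", "activity": "Reset user password",
     "initiator": "helpdesk01@example.com", "target": "svc-backup@example.com"},
    {"time": "2025-01-10T02:19:00Z", "activity": "Add member to role",
     "initiator": "it-admin@example.com", "target": "svc-backup@example.com",
     "role": "Global Administrator"},
    {"time": "2025-01-10T09:00:00Z", "activity": "Reset user password",
     "initiator": "helpdesk02@example.com", "target": "alice@example.com"},
    {"time": "2025-01-12T15:30:00Z", "activity": "Add member to role",
     "initiator": "it-admin@example.com", "target": "bob@example.com",
     "role": "Global Administrator"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def reset_then_privileged(events, window=WINDOW):
    """Flag high-privilege role grants that involve a recently reset account."""
    last_reset = {}  # account -> time of its most recent password reset
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        when = _ts(ev["time"])
        if ev["activity"] in RESET_ACTIVITIES:
            last_reset[ev["target"].lower()] = when
        elif ev["activity"] == "Add member to role" and ev.get("role") in HIGH_PRIV_ROLES:
            # Check the account receiving the role and the account granting it:
            # a freshly reset account on either side of the grant is suspicious.
            for account in sorted({ev["target"].lower(), ev["initiator"].lower()}):
                reset_at = last_reset.get(account)
                if reset_at is not None and when - reset_at <= window:
                    alerts.append({"account": account, "role": ev["role"],
                                   "reset_at": reset_at, "granted_at": when,
                                   "gap": when - reset_at})
    return alerts

if __name__ == "__main__":
    for alert in reset_then_privileged(SAMPLE_EVENTS):
        print(f"{alert['account']}: {alert['role']} granted {alert['gap']} after reset")
```

Routine resets (alice) and grants to accounts with no recent reset (bob) produce no alert; only the service account that was reset and elevated eight minutes later is flagged.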

To evade detection, the attacker relocated virtual machines and compromised VMware ESXi infrastructure, dumping employee credentials and further infiltrating the financial organization's network. Evidence points to attempted data exfiltration from Snowflake, Amazon Web Services (AWS), and other repositories.

ReliaQuest had predicted this shift in focus by Scattered Spider in an investigation posted on August 12, 2025. The cybersecurity company had earlier linked the group's activities to ShinyHunters in a Salesforce-related heist, and to ALPHV/BlackCat in a previous incident.

Despite claims of retirement following high-profile casino heists in 2023, Scattered Spider has not exited the cybercrime business. At least seven members of the group were arrested following these heists, but the collective has shown signs of activity and evolution since then.

Rex Booth, chief information security officer at SailPoint, stated, "We need to focus on prevention more than personalities." Ransomware and digital crime are opportunity-driven, so the retirement of a group like Scattered Spider may not significantly reduce cybercrime.

This incident serves as a reminder of the ongoing threats in the financial sector and the need for robust cybersecurity measures. As Scattered Spider continues to evolve, it is crucial for organizations to stay vigilant and proactive in their defence against such sophisticated attacks.
