The recent arrests of two alleged members of the prolific cybercrime group Scattered Spider in the U.K. mark a significant victory for international law enforcement. As detailed by the National Crime Agency (NCA) and Cybersecurity Dive, the operation goes beyond a single hack, highlighting the group's global reach and the collaborative efforts to dismantle their network.
The arrests of 19-year-old Thalha Jubair and 18-year-old Owen Flowers are directly linked to a cyberattack on Transport for London (TfL) in August 2024. However, the scope of their alleged crimes is far broader. The investigation revealed that Flowers was also involved in attacks on two major U.S. healthcare companies, SSM Health Care Corporation and Sutter Health, by targeting their third-party vendors.
The charges against Jubair are even more extensive. He is accused of orchestrating cyberattacks against at least 47 U.S. victims, including a critical infrastructure company and the U.S. Courts, leading to more than $115 million in ransom payments.
The arrests are part of a coordinated global effort to crack down on Scattered Spider, a group composed largely of young adults. This news underscores several key trends for cybersecurity professionals:
- International collaboration: The success of this operation demonstrates the critical importance of cooperation between law enforcement agencies across different countries.
- Third-party risk: The attacks on U.S. healthcare companies highlight the persistent vulnerability of third-party vendors. Threat actors like Scattered Spider are exploiting these connections to gain access to larger, more lucrative targets.
- Human-operated attacks: These arrests confirm that groups like Scattered Spider are not just relying on automated tools. Their success is built on sophisticated social engineering, vishing, and other human-centric tactics to bypass traditional security defenses.
The U.K.'s National Crime Agency, in collaboration with U.S. law enforcement, is sending a strong message: despite their young age and technical skills, cybercriminals will be held accountable for their actions, regardless of borders.
In related news, cybersecurity researchers have tied a fresh round of cyberattacks targeting financial services to Scattered Spider, undercutting the group's recent claims that they were ceasing operations alongside 14 other criminal groups, such as LAPSUS$.
ReliaQuest said it has observed indications that the threat actor has shifted its focus to the financial sector. This is reinforced by an increase in lookalike domains potentially linked to the group that are geared towards the industry vertical, as well as a recently identified targeted intrusion against an unnamed U.S. banking organization.
"Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management," the company said. "From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network."
To achieve privilege escalation, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection. There are also signs that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.
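The intrusion chain ReliaQuest describes (a self-service password reset on an executive's account, then Global Administrator rights and a service-account reset) is a sequence defenders can correlate in directory audit logs. The following is an added example, not code from the article or from ReliaQuest: it runs a simple correlation rule over constructed, simplified audit records whose field names are assumptions rather than the real Microsoft Entra audit schema.

```python
# Added example (not from the article): flag an account whose self-service
# password reset is followed, within a time window, by that same account
# assigning itself a privileged role or resetting another account's password.
# Field names below are assumptions, not the Microsoft Entra audit schema.
from datetime import datetime, timedelta

# Constructed sample audit events (UTC); the first three mirror the chain
# described in the article, the last two are benign noise outside the window.
EVENTS = [
    {"time": "2024-08-01T09:00:00", "activity": "Reset password (self-service)",
     "actor": "exec@corp.example", "target": "exec@corp.example"},
    {"time": "2024-08-01T09:20:00", "activity": "Add member to role",
     "actor": "exec@corp.example", "target": "exec@corp.example",
     "role": "Global Administrator"},
    {"time": "2024-08-01T09:35:00", "activity": "Reset password (admin)",
     "actor": "exec@corp.example", "target": "svc-backup@corp.example"},
    {"time": "2024-08-01T11:00:00", "activity": "Reset password (self-service)",
     "actor": "alice@corp.example", "target": "alice@corp.example"},
    {"time": "2024-08-03T08:00:00", "activity": "Add member to role",
     "actor": "alice@corp.example", "target": "alice@corp.example",
     "role": "Global Administrator"},
]

PRIVILEGED_ROLES = {"Global Administrator"}
WINDOW = timedelta(hours=24)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate_sspr_to_privilege(events, window=WINDOW):
    """Return (actor, activity, detail) tuples where a self-service reset is
    followed within `window` by a privileged action taken by the same actor."""
    resets = {}  # actor -> time of the most recent self-service reset
    hits = []
    for e in sorted(events, key=_ts):
        act = e["activity"]
        if act == "Reset password (self-service)":
            resets[e["actor"]] = _ts(e)
            continue
        start = resets.get(e["actor"])
        if start is None or _ts(e) - start > window:
            continue  # no recent self-service reset for this actor
        role_grant = act == "Add member to role" and e.get("role") in PRIVILEGED_ROLES
        other_reset = act == "Reset password (admin)" and e["target"] != e["actor"]
        if role_grant or other_reset:
            hits.append((e["actor"], act, e.get("role") or e["target"]))
    return hits
```

In a real deployment the same rule would read Entra ID audit-log exports and tune the window to the tenant's normal SSPR-to-admin-change baseline.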
"Scattered Spider has been notorious for many targeted attacks in specific sectors, and their attack patterns seem to be familiar. Typically, they try to gain access to credentials and they use lateral movement for very targeted exfiltration and ransomware," said Agnidipta Sarkar, Chief Evangelist at ColorTokens. "Based upon their previous attack patterns, I would consider building cyber defenses to address two very specific MITRE ATT&CK tactics: Credential Access (17 techniques) and Lateral Movement (9 techniques)."
Sarkar added, "Specific focus should be to deny any opportunity to misuse 'Valid Accounts,' especially by first resetting all passwords, then by adopting digital certificate-based passwordless authentication mechanisms. This will force the attackers to attempt to use other Lateral Movement techniques, especially internal spearphishing or social engineering of trusted users. And this is why companies must urgently use simulation capabilities in microsegmentation tools to test and enforce rules to absolutely stop any other proliferation techniques."
"Attackers don't need to break into systems if they can trick people in order to hijack privileged accounts. Scattered Spider's apparent pivot to the financial sector is a wake-up call that no industry is off-limits," said Shane Barney, CISO at Keeper Security. "Any organization managing sensitive data or payments should assume they are a target. For financial institutions, in particular, administrator accounts and SaaS platforms are prime targets for theft and extortion, making strong security controls an urgent focus."
Barney continued, "Security teams should focus on three immediate priorities:
- Strengthening identity controls – Require phishing-resistant multifactor authentication and independently verify any access changes.
- Enforcing privileged access management – Apply least-privilege policies, automate credential rotation, and monitor administrator activity in real-time.
- Detecting impersonation and anomalies – Continuously track for spoofed domains and unusual activity across SaaS, cloud, and internal environments.
These attacks thrive on human trust and excessive privileges. Organizations that strengthen identity security and implement a robust privileged access management platform will be better positioned to withstand this evolving threat."