Analytics Story: Scattered Lapsus$ Hunters
Description
Scattered Lapsus$ Hunters is a collaboration of three sophisticated threat actor groups (Scattered Spider, Lapsus$, and Shiny Hunters) known for devastating supply chain attacks, advanced social engineering, MFA bypass techniques, and credential theft. The group gained notoriety following their September 2025 attack on Jaguar Land Rover, causing three weeks of production shutdown and £50M+ weekly losses.
Why it matters
Scattered Lapsus$ Hunters represents a dangerous collaboration between Scattered Spider (UNC3944), Lapsus$, and Shiny Hunters, three threat actor groups that combine sophisticated social engineering expertise with advanced technical capabilities. Their September 2025 cyberattack on Jaguar Land Rover demonstrated the catastrophic potential of targeting critical supply chain infrastructure, resulting in a three-week production shutdown, tens of millions in weekly losses, and thousands of jobs at risk across the automotive supply chain.

The group's attack methodology begins with sophisticated initial access through voice phishing (vishing), SMS phishing (smishing), and SIM swapping to compromise credentials and bypass multi-factor authentication. They employ advanced MFA bypass techniques including MFA fatigue attacks through repeated push notifications, SIM swapping to intercept SMS codes, and adversary-in-the-middle attacks on authentication flows.

Once inside a network, they leverage legitimate remote management tools (AnyDesk, TeamViewer, ScreenConnect) to maintain persistence and evade detection, following a living-off-the-land approach that minimizes custom malware. For credential access, the group employs tools like Mimikatz for credential dumping, targets LSASS memory, extracts browser-stored credentials, and steals OAuth tokens and session cookies. They excel at lateral movement using RDP, Pass-the-Hash and Pass-the-Ticket techniques, and internal spearphishing.

The group demonstrates deep understanding of cloud environments, targeting Azure AD, AWS, GCP, and O365 with techniques to disable MFA, create privileged accounts, assign administrative roles to service principals, and modify authentication policies. Data exfiltration occurs through cloud storage services (MEGA, Google Drive), file sharing platforms, and custom exfiltration channels.
The impact phase includes stopping critical services, deploying ransomware, system shutdowns to maximize disruption, and data destruction. Previous notable attacks attributed to the constituent groups include Lapsus$ breaches of Microsoft, Nvidia, Okta, Samsung, and Ubisoft (2022), and Scattered Spider attacks on MGM Resorts and Caesars Entertainment (2023). The group targets telecommunications, retail, technology, manufacturing, and critical infrastructure sectors. Organizations should implement phishing-resistant MFA (FIDO2/WebAuthn), monitor RMM tool deployment, enable comprehensive logging, deploy EDR solutions, train employees on advanced social engineering tactics, segment critical production systems, and maintain offline backups of critical data. The detections in this analytic story cover the full attack lifecycle including MFA manipulation, unauthorized remote access software, credential theft, session hijacking, privilege escalation, defense evasion, data exfiltration, and production system disruption.
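The MFA fatigue technique described above (repeated push notifications until the victim approves one) leaves a distinctive trace in identity-provider logs: a burst of push challenges for one user in a short window, often followed by a successful MFA event. The following detector is an added example, not code from this analytic story or from Splunk; it runs a sliding window over Okta-style System Log records. The event type strings follow Okta's System Log naming, but the record layout is a simplified, constructed subset (only the fields the detector reads), and the sample events, user names, IP address, threshold and window size are all constructed for illustration.

```python
"""Detect MFA push-fatigue bursts in Okta-style System Log events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Okta System Log event types: a push challenge being sent, and an MFA verification.
PUSH_SENT = "system.push.send_factor_verify_push"
MFA_VERIFY = "user.authentication.auth_via_mfa"


def _ev(user, event_type, published, result="SUCCESS", client_ip="198.51.100.10"):
    """Build a constructed, simplified Okta-style record (not a real log sample)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": user},
        "client": {"ipAddress": client_ip},
        "outcome": {"result": result},
    }


# Constructed sample: alice gets one normal push at 06:00, then seven pushes within
# three minutes at 08:00 followed by an approval; bob has a single normal login.
SAMPLE_EVENTS = (
    [_ev("alice@example.com", PUSH_SENT, "2025-09-01T06:00:00Z"),
     _ev("alice@example.com", MFA_VERIFY, "2025-09-01T06:00:20Z")]
    + [_ev("alice@example.com", PUSH_SENT,
           f"2025-09-01T08:0{i // 2}:{'00' if i % 2 == 0 else '30'}Z") for i in range(7)]
    + [_ev("alice@example.com", MFA_VERIFY, "2025-09-01T08:04:10Z")]
    + [_ev("bob@example.com", PUSH_SENT, "2025-09-01T09:00:00Z"),
       _ev("bob@example.com", MFA_VERIFY, "2025-09-01T09:00:15Z")]
)


def _ts(published):
    """Parse an Okta-style ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user whose push challenges in any `window` reach `threshold`.

    The alert records the densest burst found and whether a successful MFA
    verification followed it, which is the classic fatigue-then-approve pattern.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["actor"]["alternateId"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["published"]))
        pushes = [_ts(e["published"]) for e in evs if e["eventType"] == PUSH_SENT]

        # Two-pointer sliding window over the sorted push timestamps.
        best = None
        start = 0
        for end in range(len(pushes)):
            while pushes[end] - pushes[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, pushes[start], pushes[end])

        if best is None:
            continue
        count, first, last = best
        approved = any(
            e["eventType"] == MFA_VERIFY
            and e["outcome"]["result"] == "SUCCESS"
            and _ts(e["published"]) >= last
            for e in evs
        )
        alerts.append({
            "user": user,
            "push_count": count,
            "window_start": first.isoformat(),
            "window_end": last.isoformat(),
            "approved_after_burst": approved,
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_mfa_fatigue(SAMPLE_EVENTS), indent=2))
```

The `approved_after_burst` flag is what separates a user who simply declined a flood of prompts from one who eventually accepted; the former is worth a notification to the user, the latter warrants treating the session as compromised. Tune `threshold` and `window` against your own baseline of legitimate push volume before alerting on it.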
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Okta | Other | OktaIM2:log | Okta |
| Sysmon EventID 10 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Office 365 Universal Audit Log | Other | o365:management:activity | o365 |
| Sysmon EventID 13 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Azure Active Directory Add member to role |  | azure:monitor:aad | Azure AD |
| Azure Active Directory |  | azure:monitor:aad | Azure AD |
| G Suite Drive | Other | gsuite:drive:json | http:gsuite |
| Suricata | Other | suricata | not_applicable |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 |  | XmlWinEventLog | XmlWinEventLog:Security |
| AWS CloudWatchLogs VPCflow |  | aws:cloudwatchlogs:vpcflow | aws_cloudwatchlogs_vpcflow |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| Windows Event Log Security 4703 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 11 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Cisco IOS Logs | Other | cisco:ios | cisco:ios |
| Windows Event Log Security 4663 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco Network Visibility Module Flow Data |  | cisco:nvm:flowdata | not_applicable |
| Google Workspace | Other | gws:reports:login | google_workspace |
| Windows Event Log Security 4794 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4624 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Powershell Script Block Logging 4104 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| ASL AWS CloudTrail |  | aws:asl | aws_asl |
| O365 UserLoggedIn | Other | o365:management:activity | o365 |
| Windows Event Log Security 4769 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Azure Active Directory Update user |  | azure:monitor:aad | Azure AD |
| Azure Active Directory User registered security info |  | azure:monitor:aad | Azure AD |
| Windows Event Log Security 4790 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4759 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4744 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4731 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4749 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4756 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4727 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4783 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4754 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Azure Active Directory Set domain authentication |  | azure:monitor:aad | Azure AD |
| Linux Auditd Execve |  | auditd | auditd |
| Nginx Access | Other | nginx:plus:kv | /var/log/nginx/access.log |
| Sysmon EventID 17 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4768 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Ivanti VTM Audit | Other | ivanti_vtm_audit | ivanti_vtm |
| Sysmon EventID 22 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 |  | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| AWS CloudTrail ModifyDBInstance |  | aws:cloudtrail | aws_cloudtrail |
| O365 UserLoginFailed | Other | o365:management:activity | o365 |
| PingID | Other | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4720 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Splunk Stream TCP |  | stream:tcp | stream:tcp |
| Azure Active Directory Disable Strong Authentication |  | azure:monitor:aad | Azure AD |
| Windows Event Log Security 1100 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Palo Alto Network Threat |  | pan:threat | not_applicable |
| Windows Event Log System 7036 |  | XmlWinEventLog | XmlWinEventLog:System |
| Google Workspace login_failure | Other | gws:reports:admin | gws:reports:admin |
| AWS CloudTrail DeleteVirtualMFADevice |  | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeactivateMFADevice |  | aws:cloudtrail | aws_cloudtrail |
| Sysmon EventID 7 |  | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| AWS CloudTrail DescribeEventAggregates |  | aws:cloudtrail | aws_cloudtrail |
| Windows Event Log Security 4781 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Palo Alto Network Traffic |  | pan:traffic | not_applicable |
| Windows Event Log Security 4625 |  | XmlWinEventLog | XmlWinEventLog:Security |
| Azure Active Directory Reset password (by admin) |  | azure:monitor:aad | Azure AD |
| Azure Active Directory Enable account |  | azure:monitor:aad | Azure AD |
| Windows Event Log Security 4732 |  | XmlWinEventLog | XmlWinEventLog:Security |
References
- https://www.wired.com/story/jlr-jaguar-land-rover-cyberattack-supply-chain-disaster/
- https://wpsites.ucalgary.ca/jacobson-cpsc/2025/10/02/inside-the-jaguar-land-rover-cyberattack/
- https://claroty.com/blog/5-security-takeaways-from-the-jaguar-land-rover-cyberattack
Source: GitHub | Version: 2