Analytics Story: Scattered Lapsus$ Hunters
Description
Scattered Lapsus$ Hunters is a collaboration of three sophisticated threat actor groups (Scattered Spider, Lapsus$, and Shiny Hunters) known for devastating supply chain attacks, advanced social engineering, MFA bypass techniques, and credential theft. The group gained notoriety following their September 2025 attack on Jaguar Land Rover, causing three weeks of production shutdown and £50M+ weekly losses.
Why it matters
Scattered Lapsus$ Hunters represents a dangerous collaboration between Scattered Spider (UNC3944), Lapsus$, and Shiny Hunters - three threat actor groups that combine sophisticated social engineering expertise with advanced technical capabilities. Their September 2025 cyberattack on Jaguar Land Rover demonstrated the catastrophic potential of targeting critical supply chain infrastructure, resulting in a three-week production shutdown, tens of millions in weekly losses, and thousands of jobs at risk across the automotive supply chain.

The group's attack methodology begins with initial access through voice phishing (vishing), SMS phishing (smishing), and SIM swapping to compromise credentials and bypass multi-factor authentication. They employ advanced MFA bypass techniques including MFA fatigue attacks through repeated push notifications, SIM swapping to intercept SMS codes, and adversary-in-the-middle attacks on authentication flows. Once inside a network, they leverage legitimate remote management tools (AnyDesk, TeamViewer, ScreenConnect) to maintain persistence and evade detection, following a living-off-the-land approach that minimizes custom malware.

For credential access, the group employs tools like Mimikatz for credential dumping, targets LSASS memory, extracts browser-stored credentials, and steals OAuth tokens and session cookies. They excel at lateral movement using RDP, Pass-the-Hash and Pass-the-Ticket techniques, and internal spearphishing. The group demonstrates a deep understanding of cloud environments, targeting Azure AD, AWS, GCP, and O365 with techniques to disable MFA, create privileged accounts, assign administrative roles to service principals, and modify authentication policies. Data exfiltration occurs through cloud storage services (MEGA, Google Drive), file sharing platforms, and custom exfiltration channels.

The impact phase includes stopping critical services, deploying ransomware, shutting down systems to maximize disruption, and destroying data. Previous notable attacks attributed to the constituent groups include Lapsus$ breaches of Microsoft, Nvidia, Okta, Samsung, and Ubisoft (2022), and Scattered Spider attacks on MGM Resorts and Caesars Entertainment (2023). The group targets the telecommunications, retail, technology, manufacturing, and critical infrastructure sectors.

Organizations should implement phishing-resistant MFA (FIDO2/WebAuthn), monitor RMM tool deployment, enable comprehensive logging, deploy EDR solutions, train employees on advanced social engineering tactics, segment critical production systems, and maintain offline backups of critical data. The detections in this analytic story cover the full attack lifecycle including MFA manipulation, unauthorized remote access software, credential theft, session hijacking, privilege escalation, defense evasion, data exfiltration, and production system disruption.
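The MFA fatigue pattern described above (repeated push challenges to one user inside a short window) can be hunted directly in Okta System Log events, which this story lists as a data source. The following is an added example, not a detection from this analytic story or from Splunk; the Okta eventType strings and the JSON field layout are assumptions to verify against your own tenant's logs, and the sample log is constructed.

```python
"""Flag possible MFA push fatigue in Okta-style System Log JSON events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Okta System Log eventType values (verify against your tenant's logs).
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # push challenges to one user inside WINDOW before alerting


def parse_event(line: str) -> dict:
    """Parse one JSON event and keep only the fields the detection needs."""
    ev = json.loads(line)
    return {
        "ts": datetime.fromisoformat(ev["published"].replace("Z", "+00:00")),
        "user": ev["actor"]["alternateId"],   # assumed field for the target user
        "type": ev["eventType"],
    }


def find_push_fatigue(lines):
    """Return {user: (total_pushes, denies)} for every user who received
    THRESHOLD or more push challenges within any sliding WINDOW.
    Events may arrive unsorted; each user's stream is sorted before scanning."""
    per_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["type"] in (PUSH_SENT, PUSH_DENIED):
            per_user[ev["user"]].append(ev)
    hits = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        pushes = [e["ts"] for e in evs if e["type"] == PUSH_SENT]
        denies = sum(e["type"] == PUSH_DENIED for e in evs)
        start = 0
        for end, ts in enumerate(pushes):          # two-pointer sliding window
            while ts - pushes[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                hits[user] = (len(pushes), denies)
                break
    return hits


def _ev(minute, user, etype):  # constructed sample events, not real tenant data
    return json.dumps({"published": f"2025-09-01T10:{minute:02d}:00.000Z",
                       "actor": {"alternateId": user}, "eventType": etype})


SAMPLE_LOG = [
    *[_ev(m, "victim@example.com", PUSH_SENT) for m in (1, 2, 3, 4, 5, 6)],
    *[_ev(m, "victim@example.com", PUSH_DENIED) for m in (2, 4)],
    _ev(7, "victim@example.com", "user.session.start"),  # unrelated noise, ignored
    _ev(1, "normal@example.com", PUSH_SENT),              # two pushes 39 min apart
    _ev(40, "normal@example.com", PUSH_SENT),
]
```

Tune WINDOW and THRESHOLD against your own baseline of legitimate re-prompts before promoting this from a hunt to an alert.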
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Ivanti VTM Audit | Other | ivanti_vtm_audit | ivanti_vtm |
| AWS CloudWatchLogs VPCflow | | aws:cloudwatchlogs:vpcflow | aws_cloudwatchlogs_vpcflow |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| ASL AWS CloudTrail | | aws:asl | aws_asl |
| AWS CloudTrail ModifyDBInstance | | aws:cloudtrail | aws_cloudtrail |
| Okta | Other | OktaIM2:log | Okta |
| Sysmon EventID 13 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| AWS CloudTrail DescribeEventAggregates | | aws:cloudtrail | aws_cloudtrail |
| Windows Event Log Security 4744 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4790 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4731 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4727 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4754 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4759 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4749 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4756 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4783 | | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco IOS Logs | Other | cisco:ios | cisco:ios |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Powershell Script Block Logging 4104 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Windows Event Log Security 4624 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4703 | | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 22 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon for Linux EventID 1 | | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Azure Active Directory | | azure:monitor:aad | Azure AD |
| Windows Event Log Security 4769 | | XmlWinEventLog | XmlWinEventLog:Security |
| G Suite Drive | Other | gsuite:drive:json | http:gsuite |
| Sysmon EventID 11 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4720 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4732 | | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 7 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4781 | | XmlWinEventLog | XmlWinEventLog:Security |
| O365 UserLoginFailed | Other | o365:management:activity | o365 |
| Sysmon EventID 10 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Palo Alto Network Traffic | | pan:traffic | not_applicable |
| Azure Active Directory Disable Strong Authentication | | azure:monitor:aad | Azure AD |
| PingID | Other | XmlWinEventLog | XmlWinEventLog:Security |
| Palo Alto Network Threat | | pan:threat | not_applicable |
| Azure Active Directory Add member to role | | azure:monitor:aad | Azure AD |
| Google Workspace | Other | gws:reports:login | google_workspace |
| Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
| Nginx Access | Other | nginx:plus:kv | /var/log/nginx/access.log |
| Azure Active Directory Enable account | | azure:monitor:aad | Azure AD |
| Azure Active Directory Update user | | azure:monitor:aad | Azure AD |
| Azure Active Directory Reset password (by admin) | | azure:monitor:aad | Azure AD |
| Windows Event Log Security 4663 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4794 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 1100 | | XmlWinEventLog | XmlWinEventLog:Security |
| Office 365 Universal Audit Log | Other | o365:management:activity | o365 |
| Windows Event Log Security 4768 | | XmlWinEventLog | XmlWinEventLog:Security |
| Azure Active Directory User registered security info | | azure:monitor:aad | Azure AD |
| Azure Active Directory Set domain authentication | | azure:monitor:aad | Azure AD |
| Windows Event Log Security 4625 | | XmlWinEventLog | XmlWinEventLog:Security |
| Google Workspace login_failure | Other | gws:reports:admin | gws:reports:admin |
| Sysmon EventID 17 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Suricata | Other | suricata | not_applicable |
| Linux Auditd Execve | | auditd | auditd |
| O365 UserLoggedIn | Other | o365:management:activity | o365 |
| Splunk Stream TCP | | stream:tcp | stream:tcp |
| Windows Event Log System 7036 | | XmlWinEventLog | XmlWinEventLog:System |
| AWS CloudTrail DeactivateMFADevice | | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeleteVirtualMFADevice | | aws:cloudtrail | aws_cloudtrail |
Source: GitHub | Version: 2