
Different hacking group may be behind Qantas attack

written by David Hollingworth | July 31, 2025

Victor Pody shot these Qantas aircraft, A330 VH-EBG and A380 VH-OQB.

A different hacking group may be behind the recent Qantas hack, according to a respected US cyber security website.

Publication Bleeping Computer now believes that the hacking group known as ShinyHunters may be behind the 5.7 million-person breach, rather than accused group Scattered Spider.

The incident reportedly involved cyber criminals using AI to impersonate a Qantas employee and then tricking a customer service operator in Manila into divulging crucial information.

While no group has publicly claimed responsibility, reports initially suggested that a hacking collective known as Scattered Spider may be behind the attack. In total, nearly 6 million customers were thought to be affected.

“A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances,” Bleeping Computer wrote on 30 July.

The current thinking of Bleeping Computer and some experts is that there is significant overlap in the membership of both ShinyHunters and Scattered Spider, as well as an overlap in tactics, techniques, and procedures between the groups – a theory that Australian Aviation sister publication Cyber Daily shares.

“According to Recorded Future intelligence, the overlapping TTPs between known Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups,” Allan Liska, an intelligence analyst for Recorded Future, told Bleeping Computer.

Bleeping Computer has now linked ShinyHunters to a string of attacks that targeted Salesforce CRM platforms, including Allianz Life, Louis Vuitton, Adidas, and now Qantas. While Qantas has not confirmed it was a Salesforce instance that was compromised in its attack, there has been some speculation, both from the media and within the industry, that it was just that platform targeted in the attack.

Additionally, Google’s Threat Intelligence Group warned in June that a threat actor it attributed as UNC6040 was actively targeting Salesforce instances using the company’s own Data Loader application.

“In some of the intrusions using Data Loader, threat actors utilised modified versions of Data Loader to exfiltrate Salesforce data from victim organisations,” GTIG said in a recent blog post.

“In these interactions, UNC6040 also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration.”

GTIG noted that when making contact with its victims, this threat actor claimed to have links to the ShinyHunters group.

While correspondence between Qantas and its hackers has been released in court documents obtained by Cyber Daily, the name by which the hackers introduced themselves was redacted. However, Bleeping Computer has learned through its channels that the identity of the hackers was ShinyHunters, which seems to fit the length of the redacted copy within the correspondence that Australian Aviation and Cyber Daily have previously seen.

Several individuals with links to ShinyHunters were recently arrested in France, and the group has claimed a string of other high-profile attacks, often targeting vulnerabilities in third-party applications. AT&T, Ticketmaster, and Pizza Hut are all on the hackers’ previous hit list.

Despite the arrests, the collective appears to still be active, suggesting a wider group of individuals. Both Scattered Spider and ShinyHunters are thought to have links to or be a part of a wider, more shadowy collective known only as The Com. Little is known about this larger group, barring that they are technically proficient and known to be English speakers.

Qantas has been contacted for comment.
