Suppose you were one of the lucky people playing Pokémon during its golden age (no, Pokémon GO, we’re not talking about you). In that case, you will probably remember the immense struggle of deciding what evolution to pick for your Eevee. For those of you who weren’t that lucky, Eevee is a Pokémon that has multiple alternative evolutions (also known as “eeveelutions”) and whose future depends on its trainer’s decision. Talk about decision paralysis.
So why are we discussing Pokémon evolutions in this blog? Apparently, there’s a threat group out there that seems to have no doubt about Eevee’s best evolution. In fact, if you’re a member of the ShinyHunters threat group, you would likely pick Umbreon as your first choice, given that they used that Pokémon multiple times as their logo and during some of their attacks.
After a long period of inactivity, ShinyHunters made their return in the underground scene to advertise data allegedly stolen from US telecommunications company AT&T. Although Digital Shadows (now ReliaQuest) could not independently verify the integrity of ShinyHunters’ claims, we thought it would be interesting to retrace this threat group’s steps and analyze their origin and how they evolved over the past months.
ShinyHunters is a financially motivated threat group that first emerged in May 2020 after posting 91M Tokopedia user records for sale on the Empire Market dark web marketplace. The group has since been primarily active on criminal forums, where we observed them engaging in the sale and disclosure of data sets obtained from organizations within various sectors, including education, media, and technology. Additionally, the group has progressively moved from selling breached data to exposing it for free, thus contributing to their wide popularity among other cybercriminals.
The group has maintained a low level of activity since July 2020, with extended periods of inactivity lasting one to two months that were usually followed by a surge of victims being posted on criminal forums. Periods of public inactivity are not uncommon among cybercriminals: they are usually spent improving or developing new products, and often coincide with high activity below the surface.
Although ShinyHunters is mainly known for stealing and selling corporate data, that is not the only malicious activity the group conducts. In 2020, the group was also behind attacks against the rival criminal forum Hackforums, defacing its website and replacing the forum’s content with Pokémon references. Later that month, ShinyHunters also updated their RaidForums bio to brag about the defacement.
ShinyHunters is undoubtedly a respected and well-known threat actor in the cybercriminal scene. However, several security researchers, drawing on analyses of cryptocurrency payments, have pointed out that the group has never amassed a great fortune compared with other cybercriminal operations.
On the other hand, do you know who’s been able to skyrocket their revenues through cybercrime? You’ve guessed it correctly, ransomware gangs. That’s likely why ShinyHunters have adapted their tactics to include extortion attempts along with data breaches.
ShinyHunters’ first extortion-based attack was publicly revealed in April 2021. In discussions observed on criminal forums, ShinyHunters claimed that the group had begun extorting the victims it successfully infiltrates, especially those within the US. Similar to ransomware groups, ShinyHunters has recently begun extorting victims and putting their data up for auction. This strategy closely aligns with extortion-based threat actors, specifically ransomware groups that exfiltrate data and threaten to expose it unless the victim pays a ransom. If you need a refresher on how ransomware groups conduct these attacks, see the Digital Shadows (now ReliaQuest) Q2 ransomware roll-up.
Now that we’ve gone through ShinyHunters’ glorious past, it is time to analyze the latest attack carried out by this threat group. Spoiler: they employed yet another new extortion tactic.
On 17 Aug 2021, the group created a post on an English-language cybercriminal forum titled “AT&T Database +70M (SSN/DOB)”, offering for sale data allegedly taken from the American telecommunications company AT&T. In this post, the group put the stolen data up for auction, marking the first time it had publicly auctioned data. The auction was initially priced at USD 200,000 for the starting bid, USD 30,000 for subsequent bids, and USD 1,000,000 for the blitz price to bypass the auction process.
Many users replied to the post expressing interest in the offering, but stated that they planned to wait until ShinyHunters leaked it for free (as ShinyHunters has traditionally done after selling the original data for a while). This time, however, things seem different: the threat group replied on the same day, stating that it would not leak the data for free if it is sold.
At the time of writing, the original post has allegedly been deleted by the forum moderators. Security researchers initially assumed this removal confirmed AT&T’s claims that the auctioned data did not come from its systems. However, according to ShinyHunters’ good friend and known threat actor “pompompurin”, the forum moderators removed the post because it included social security numbers, a practice banned on that forum.
At the time of writing, Digital Shadows (now ReliaQuest) could not corroborate independently whether the auctioned data actually belongs to AT&T. Although this could well be a PR stunt by ShinyHunters, it is also realistically possible that the threat group successfully managed to infiltrate and extract sensitive data from the US telecommunications company. It certainly wouldn’t be the first time a compromised organization denies being breached before admitting it a few weeks later.
Across its 15 months of activity, ShinyHunters has proved to be a careful threat actor focused on constantly developing its tactics to build a well-respected persona in the cybercriminal space. In recent months, the shift to extortion-based attacks is a strong signal of the group’s desire to adapt its TTPs and expand its revenue streams. As such, it will be very interesting to observe how ShinyHunters keeps evolving in the coming months.
In terms of attribution, not much is known about the individuals behind this threat group. However, several security researchers have pointed out that the TTPs used by ShinyHunters closely resemble those of the threat collective “GnosticPlayers”. GnosticPlayers is a threat group believed to be behind more than 40 breaches of large companies in 2019; it released data in rounds and contacted media outlets to claim responsibility for the breaches, the same tactics adopted by ShinyHunters in their early days.
However, ShinyHunters has since differentiated itself from GnosticPlayers by transitioning from selling breached data to publicly extorting breached companies. As such, it is realistically possible that there was some overlap between the two groups initially, with ShinyHunters progressively differentiating itself to increase its revenues and stay ahead of the curve.
Ultimately, we’ll probably know more about the AT&T data breach and ShinyHunters’ future plans in the next few weeks. Based on their known modus operandi, it is likely that this threat group will take some time away from the scene to develop new tactics and improve existing ones. Emulating ransomware gangs can certainly be a profitable tactic for these attackers, and it is realistically possible that ShinyHunters will go down that road in the near future. All in all, having gained the support of the community by sharing an awful lot of data for free, it’s highly likely we’ll eventually hear again from this unique threat group.
At Digital Shadows (now ReliaQuest), we continue to scour the open, deep, and dark web, including closed forums and technical sources, for the latest cybercriminal activity and campaigns to keep our clients informed. If you’re curious about our intelligence, you can take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a free seven-day test drive or get a customized demo to understand threats in your organization’s industry and geography.