Suppose you were one of the lucky people playing Pokémon during its golden age (no, Pokémon GO, we’re not talking about you). In that case, you will probably remember the immense struggle of deciding what evolution to pick for your Eevee. For those of you who weren’t that lucky, Eevee is a Pokémon that has multiple alternative evolutions (also known as “eeveelutions”) and whose future depends on its trainer’s decision. Talk about decision paralysis.

So why are we discussing Pokémon evolutions in this blog? Apparently, there is a threat group out there that has no doubt about Eevee's best evolution. If you were a member of the ShinyHunters threat group, you would likely pick Umbreon as your first choice, given that the group has used that Pokémon multiple times as its logo and during some of its attacks.

After a long period of inactivity, ShinyHunters made their return in the underground scene to advertise data allegedly stolen from US telecommunications company AT&T. Although Digital Shadows (now ReliaQuest) could not independently verify the integrity of ShinyHunters’ claims, we thought it would be interesting to retrace this threat group’s steps and analyze their origin and how they evolved over the past months.  

Who are ShinyHunters?

ShinyHunters is a financially motivated threat group that first emerged in May 2020 after posting 91M Tokopedia user records for sale on the Empire Market dark web marketplace. The group has since been primarily active on criminal forums, where we observed them engaging in the sale and disclosure of data sets obtained from organizations within various sectors, including education, media, and technology. Additionally, the group has progressively moved from selling breached data to exposing it for free, thus contributing to their wide popularity among other cybercriminals.

ShinyHunters' first appearance in May 2020 on a cybercriminal forum

The group has maintained a low level of activity since July 2020, with extended periods of inactivity lasting one to two months that were usually followed by a surge of victims being posted on criminal forums. Periods of public inactivity are not uncommon among cybercriminals. Usually, these periods are used to improve existing tooling or develop new products, and they often coincide with high activity below the surface.

Although ShinyHunters is mainly known for stealing and selling corporate data, that is not the only malicious activity they conduct. In 2020, this threat group was also behind attacks against the rival criminal forum Hackforums, defacing its website and replacing the forum's content with Pokémon references. Later that month, ShinyHunters also updated their Raidforums bio to brag about the defacement.

Wayback Machine’s evidence of ShinyHunters defacing HackForums

Learning from the most profitable cybercriminals

ShinyHunters is undoubtedly a respected and well-known threat actor in the cybercriminal scene. However, several security researchers who have analyzed the group's cryptocurrency payments have highlighted that it has never amassed a great fortune compared with other cybercriminal operations.

On the other hand, do you know who has been able to skyrocket their revenues through cybercrime? You guessed it: ransomware gangs. That is likely why ShinyHunters have adapted their tactics to include extortion attempts alongside data breaches.

ShinyHunters' first extortion-based attack was publicly revealed in April 2021. During discussions observed on criminal forums, ShinyHunters claimed that the group had begun extorting the victims it successfully infiltrates, especially those within the US. Similar to ransomware groups, ShinyHunters have recently begun extorting victims and putting their data up for auction. This strategy closely aligns with that of extortion-based threat actors, specifically ransomware groups that exfiltrate data and threaten to expose it unless the victim pays a ransom. In case you need a refresher on how ransomware groups conduct these attacks, here is Digital Shadows (now ReliaQuest)' Q2 ransomware roll-up.

Auctioning the AT&T data

Now that we have gone through ShinyHunters' glorious past, it is time to analyze the latest attack carried out by this threat group. Spoiler: they employed yet another new extortion tactic.

On 17 Aug 2021, the group created a post on an English-language cybercriminal forum titled "AT&T Database +70M (SSN/DOB)", offering for sale data allegedly belonging to the American telecommunications company AT&T. In this post, the group put the stolen data up for auction, marking the first time they had publicly auctioned data. The auction was initially priced at USD 200,000 for the starting bid, USD 30,000 for subsequent bids, and USD 1,000,000 for the blitz price to bypass the auction process.

ShinyHunters advertising AT&T database on an English-language cybercriminal forum

Many users replied to the post expressing interest in the offering, while stating that they planned to wait until ShinyHunters leaked it for free (as ShinyHunters has traditionally done after selling the original data for a while). This time, however, things seem different: the threat group replied on the same day, stating that they would not be leaking the data for free if it is sold.

At the time of writing, the original post has allegedly been deleted by the forum moderators. Security researchers initially assumed this removal confirmed AT&T's claim that the auctioned data did not come from its systems. However, according to ShinyHunters' good friend and known threat actor "pompompurin", the forum moderators removed the post because it included social security numbers, a practice banned on that forum.

Threat actor pompompurin clarifying on Twitter why ShinyHunters’ AT&T post was deleted

At the time of writing, Digital Shadows (now ReliaQuest) could not independently corroborate whether the auctioned data actually belongs to AT&T. Although this could well be a PR stunt by ShinyHunters, it is also realistically possible that the threat group successfully infiltrated the US telecommunications company and extracted sensitive data. It certainly would not be the first time a compromised organization denied being breached before admitting it a few weeks later.

Concluding Thoughts

Across its 15 months of activity, ShinyHunters has proved to be a careful threat actor focused on constantly developing its tactics to build a well-respected persona in the cybercriminal space. In recent months, the shift to extortion-based attacks is a strong signal of this group's desire to adapt its TTPs and expand its revenue streams. As such, it will be very interesting to observe how ShinyHunters keeps evolving in the coming months.

In terms of attribution, not much is known about the individuals behind this threat group. However, several security researchers have pointed out that the TTPs used by ShinyHunters closely resemble those of the threat collective "GnosticPlayers". GnosticPlayers is a threat group believed to be behind more than 40 breaches of large companies in 2019; it released data in rounds and contacted media outlets to claim responsibility for the breaches, the same tactics adopted by ShinyHunters in their early days.

However, ShinyHunters has since differentiated itself from GnosticPlayers, having transitioned from selling breached data to publicly extorting breached companies. As such, it is realistically possible that there was some overlap between the two groups initially, with ShinyHunters progressively differentiating itself to increase its revenues and stay ahead of the curve.

MITRE Techniques and Associations for ShinyHunters in SearchLight

Ultimately, we will probably know more about the AT&T data breach and ShinyHunters' future plans in the next few weeks. Based on their known modus operandi, it is likely that this threat group will take some time away from the scene to develop new tactics and improve existing ones. Emulating ransomware gangs can certainly be a profitable tactic for these attackers, and it is realistically possible that ShinyHunters will go down that road in the near future. All in all, having gained the support of the community by sharing an awful lot of data for free, it is highly likely we will eventually hear from this unique threat group again.

At Digital Shadows (now ReliaQuest), we continue to scour the open, deep, and dark web, including closed forums and technical sources, for the latest cybercriminal activity and campaigns to keep our clients informed. If you are curious about our intelligence, you can take SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) for a free seven-day test drive or get a customized demo to understand threats in your organization's industry and geography.