09/09/2025 | News release | Distributed by Public on 09/09/2025 23:47
There have been several notable developments in recent weeks related to data theft activity from cybercriminals targeting Salesforce instances, including via the Salesloft Drift supply chain attack detailed in a recent Unit 42 Threat Brief. (To learn more about the history behind these Salesforce attacks and their impact to private sector organizations, please see my previous publication, "Heists in the Digital Age.")
Fallout From Salesloft Drift Attack
New developments seem to surface daily related to this supply chain attack, which Salesloft indicates may date as far back as March 2025 in terms of threat actor reconnaissance. The attacks are attributed by Google to UNC6395, a cluster of threat activity that appears focused on stealing sensitive credentials and data from various Salesforce objects (Account, Contact, Case and Opportunity records). It is currently unclear whether this activity is related to the aforementioned targeting of Salesforce tenants by UNC6040 and Bling Libra. However, one theme remains clear - cybercriminals see great value in stealing customer data from digital platforms like Salesforce and leveraging it for their own financial gain. Essentially, this data has become the digital equivalent of the diamonds taken in physical heists in past decades.
Glimpses Into Telegram Claims
Threat actors claiming to be associated with Muddled Libra (aka Scattered Spider) and Bling Libra have launched various Telegram channels in recent weeks, including many labeled using a combination of the words "Scattered LAPSUS$ Hunters." In these channels, they boast of their vast data theft extortion activities, including those impacting various organizations within the retail industry. Several of the email addresses provided by the threat actors to facilitate communications with buyers or victims overlap with prior Unit 42 research into Bling Libra. Additionally, the threat actors claim to soon be launching a new RaaS dubbed "ShinySpider," which they assert could reach encryption speeds of one GB per second.
As of September 5, some of the Telegram channels associated with these threat actors have either been banned or disabled, while others remain active.
Affiliation With "The Com"
As noted in a recent Unit 42 Insights piece on Muddled Libra, many of the threat actors conducting these types of attacks are likely affiliated with "The Com." This means that they are relatively young and fluent English speakers, which makes it extremely difficult for organizations to detect their social engineering activity.
To me, what really stands out about these Com-affiliated threat actors in terms of their effectiveness in achieving their goals is their focus on exploiting inherent flaws within people and processes of targeted organizations, not vulnerabilities inherent within technologies via zero-day exploits or other mechanisms. (See the 2025 Unit 42 Global Incident Response Report: Social Engineering Edition for more details of this trend.)
One of the members of Muddled Libra was recently sentenced to 10 years in federal prison, in addition to being ordered to pay more than $13 million in restitution. It will be interesting to see if this has some sort of short- or long-term deterrent effect on other cybercriminals associated with The Com, including those conducting the aforementioned social engineering attacks targeting Salesforce tenants. One news outlet recently quoted several security firms which indicated that the threat actors were indeed "spooked" by four arrests made by UK law enforcement officials in July.
Future Shift in Tactics
Salesforce announced that beginning this month it will restrict the ability of end users to leverage uninstalled connected applications. This should help prevent threat actors from using a modified version of Salesforce's Data Loader or other applications. Threat actors will likely change their approach to accessing and exfiltrating sensitive data in response, including potentially targeting other third-party digital platforms for data theft extortion.
The Road Ahead for Retail Cyberattacks
One of the more notable trends across the retail threat landscape in recent years involves the shift in monetization tactics used by high profile threat actors.
For example, cybercriminal groups such as Rambunctious Libra (aka FIN6, Skeleton Spider) and Squeamish Libra (aka FIN7, Carbon Spider) traditionally used point-of-sale (POS) malware and digital skimming to steal payment card data from retailers. They would then resell it on now-defunct carding shops (e.g., Joker's Stash) as a means to cash out their intrusion operations.
Since that time, the rise and evolution of RaaS programs has provided these cybercriminal groups with a more lucrative and less resource-intensive method (affiliate model) to monetize their intrusion operations.
However, given the attention that law enforcement officials have placed on disrupting the ransomware ecosystem, it is highly possible, if not likely, that cybercriminal groups will shift to data theft extortion or other monetization tactics (e.g., payroll fraud, gift card fraud) to stay under the radar of authorities. Cybercrime is typically a copycat game, so if the playbooks used by entities like UNC6040 and Bling Libra prove to be effective and sustainable models, others will follow suit.
My Recommendations
Prior to joining Unit 42 earlier this summer, I spent five and a half years as an analyst and leader on a widely recognized cyber threat intelligence team for a prominent retail corporation. I've applied that experience below to make suggestions that could help defenders at similar organizations.
Actively participating within organizations like the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) can be incredibly impactful for defenders. This participation can be especially valuable for understanding high profile threat actors targeting the retail sector. Based on my prior and current experience working closely with this organization and its members, you'll likely gain unique insights into the infrastructure and tools used by these threat actors. You may also gain information such as audio recordings of vishing attempts that your security teams could use to better tailor awareness messaging.
Keep an eye out for real-world observations of social engineering attacks and how to mitigate them. For example, Salesforce released suggestions specific to their environment informing customers of social engineering threats and what can be done to mitigate or prevent impacts from them. The 2025 Unit 42 Global Incident Response Report: Social Engineering Edition also shares insights from across a variety of incident response cases and provides mitigation suggestions.
As I learned from leaders at my prior organization, cybersecurity is truly a team sport, and we are all better when we are in it together. Staying abreast of information from peer organizations and other defenders can help you put threats in context and build a defense strategy that works for you.