British authorities on Thursday announced the arrest of a 17-year-old male in connection with a cyber attack affecting Transport for London (TfL).
“The 17-year-old male was detained on suspicion of Computer Misuse Act offenses in relation to the attack, which was launched on TfL on 1 September,” the U.K. National Crime Agency (NCA) said.
The teenager, who’s from Walsall, is said to have been arrested on September 5, 2024, following an investigation that was launched in the incident’s aftermath.
The law enforcement agency said the unnamed individual was questioned and subsequently let go on bail.
“Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems,” Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said.
“The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooperation with our investigation, which remains ongoing.”
TfL has since confirmed that the security breach has led to the unauthorized access of bank account numbers and sort codes for around 5,000 customers and that it will be directly contacting those impacted.
“Although there has been very little impact on our customers so far, the situation is evolving and our investigations have identified that certain customer data has been accessed,” TfL said.
The London public transportation agency is also requiring around 30,000 members of its staff to complete an IT identity check by attending an appointment at a specified TfL location to reset their password and be verified in-person for access to TfL applications and data.
“This includes some customer names and contact details, including email addresses and home addresses where provided.”
It’s worth noting that West Midlands police previously arrested a 17-year-old boy, also from Walsall, in July 2024 in connection with a ransomware attack on MGM Resorts. The incident was attributed to the infamous Scattered Spider group.
It’s currently not clear if these two events refer to the same individual. Back in June, another 22-year-old U.K. national was arrested in Spain for his alleged involvement in several ransomware attacks carried out by Scattered Spider.
The dangerous e-crime group is part of a larger collective called The Com, a loose-knit ecosystem of various groups that have engaged in cybercrime, squatting, and physical violence. It’s also tracked as 0ktapus, Octo Tempest, and UNC3944.
According to a new report from EclecticIQ, Scattered Spider’s ransomware operations have increasingly honed in on cloud infrastructures within the insurance and financial sectors, echoing a similar analysis from Resilience Threat Intelligence in May 2024.
The group has a well-documented history of gaining persistent access to cloud environments via sophisticated social engineering tactics, as well as purchasing stolen credentials, executing SIM swaps, and utilizing cloud-native tools.
“Scattered Spider frequently uses phone-based social engineering techniques like voice phishing (vishing) and text message phishing (smishing) to deceive and manipulate targets, mainly targeting IT service desks and identity administrators,” security researcher Arda Büyükkaya said.
“The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection.”
