The **Scattered Spider** cybercriminal group, led by **Thalha Jubair (19)**, breached the **U.S. Federal Court Network** in January 2024 via a **helpdesk password reset attack**. After gaining access, the group **compromised multiple accounts**, including those of a **federal judge**, and **stole sensitive personnel data**—names, usernames, phone numbers, titles, and work locations of thousands of court employees. They also **searched for subpoenas** related to their group and **attempted unauthorized access to another magistrate judge’s account**. Additionally, they **used a compromised account to request emergency disclosure of customer financial data** from a third-party provider. The breach exposed **highly sensitive judicial and administrative records**, risking **operational disruption, reputational damage, and potential misuse of stolen identities**. The attack was part of a broader campaign where Scattered Spider **extorted over $115 million** from victims, employing **ransomware and data theft** tactics. The breach **threatened the integrity of federal judicial operations**, with implications for national security given the **targeting of judges and court systems**.
TPRM report: https://www.rankiteo.com/company/administrative-office-of-the-united-states-courts
```json
{
  "id": "adm4102141092025",
  "linkid": "administrative-office-of-the-united-states-courts",
  "type": "Cyber Attack",
  "date": "1/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Thousands (court personnel and users)",
      "industry": "Judicial/Legal",
      "location": "United States",
      "name": "United States Courts",
      "type": "Federal Government"
    },
    {
      "industry": "Transportation",
      "location": "United Kingdom",
      "name": "Transport for London",
      "type": "Government Agency"
    },
    {
      "industry": ["Insurance", "Retail", "Aviation", "Others"],
      "location": "United States",
      "name": "47 Unnamed U.S. Entities",
      "type": ["Private Companies", "Critical Infrastructure"]
    },
    {
      "name": "Seven Victim Companies (from complaint)"
    }
  ],
  "attack_vector": [
    "Helpdesk Impersonation (Password Reset)",
    "Credential Theft",
    "Administrative Account Takeover",
    "Data Exfiltration",
    "System Encryption"
  ],
  "data_breach": {
    "data_encryption": "Yes (used in ransomware attacks)",
    "data_exfiltration": "Yes (downloaded from U.S. Courts network)",
    "file_types_exposed": [
      "Personnel databases",
      "Email inboxes (including federal judges)",
      "Subpoena documents"
    ],
    "number_of_records_exposed": "Thousands (exact number unspecified)",
    "personally_identifiable_information": [
      "Names",
      "Usernames",
      "Telephone numbers",
      "Titles",
      "Work locations"
    ],
    "sensitivity_of_data": "High (includes PII of federal employees and judicial records)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Employment Records",
      "Judicial Subpoenas",
      "Customer Account Information"
    ]
  },
  "date_publicly_disclosed": "2024-07-18",
  "description": "A Justice Department complaint revealed that the Scattered Spider cybercriminal group, including U.K. national Thalha Jubair (19), conducted at least 120 cyberattacks over three years, extorting at least $115 million from victims, including 47 U.S. entities. The group breached the U.S. federal court network via helpdesk social engineering, stealing personnel data and searching for subpoenas. Jubair was arrested in London and faces U.S. charges for conspiracies involving computer fraud, wire fraud, and money laundering. The group's tactics included calling help desks to reset passwords, taking over administrative accounts, and encrypting systems after data theft. Evidence tied Jubair to servers, cryptocurrency wallets (including $36M seized), Telegram accounts, and gaming/food delivery purchases. The group also targeted Transport for London and industries like insurance, retail, and aviation.",
  "impact": {
    "brand_reputation_impact": [
      "High (targeting of federal systems and critical infrastructure)",
      "Public association with Scattered Spider's high-profile attacks"
    ],
    "data_compromised": [
      "Personnel data (names, usernames, telephone numbers)",
      "Federal judge subpoenas",
      "Thousands of names, titles, and work locations of U.S. Courts users",
      "Customer account information (requested via financial services provider)"
    ],
    "financial_loss": "$115 million (ransom payments)",
    "identity_theft_risk": ["High (PII of court personnel and users exposed)"],
    "legal_liabilities": [
      "Potential lawsuits from affected entities",
      "Regulatory scrutiny for U.S. Courts and victim companies"
    ],
    "operational_impact": [
      "Widespread disruption to U.S. businesses",
      "Disruption to critical infrastructure",
      "Federal court system compromise",
      "Emergency disclosure requests to financial services providers"
    ],
    "payment_information_risk": [
      "Moderate (customer account information requested via financial services provider)"
    ],
    "systems_affected": [
      "U.S. Federal Court Network",
      "Seven victim companies (unnamed)",
      "Transport for London (2023)",
      "47 U.S. entities",
      "Companies in insurance, retail, and aviation industries"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": "Yes (compromised administrative accounts)",
    "entry_point": "Helpdesk password reset requests",
    "high_value_targets": [
      "Federal court personnel data",
      "Subpoenas",
      "Financial services customer data"
    ],
    "reconnaissance_period": "Ongoing since at least May 2022"
  },
  "investigation_status": "Ongoing (Jubair arrested; extradition efforts pending; additional co-conspirators under investigation)",
  "lessons_learned": [
    "Helpdesk authentication processes are critical targets for social engineering attacks.",
    "Multi-factor authentication (MFA) is essential for administrative accounts.",
    "Cryptocurrency transactions can be traced to identify threat actors.",
    "Telegram and gaming platforms can serve as evidence sources in investigations.",
    "Collaboration between international law enforcement agencies is vital for disrupting cybercriminal networks."
  ],
  "motivation": [
    "Financial Gain",
    "Data Theft for Extortion",
    "Disruption of Critical Infrastructure"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "DOJ/FBI disruption of Scattered Spider operations (server seizures, arrests)",
      "Heightened scrutiny of helpdesk processes in federal agencies",
      "International law enforcement collaboration to track cryptocurrency and threat actors"
    ],
    "root_causes": [
      "Inadequate authentication for helpdesk password resets",
      "Lack of MFA for administrative accounts",
      "Insufficient monitoring of privileged account activity",
      "Human error (falling for social engineering)"
    ]
  },
  "ransomware": {
    "data_encryption": "Yes (critical systems encrypted after data theft)",
    "data_exfiltration": "Yes (double extortion tactic)",
    "ransom_demanded": [
      "$25 million (one victim)",
      "$36.2 million (another victim)",
      "Total: $115 million across all victims"
    ],
    "ransom_paid": "$115 million (total across all victims)"
  },
  "recommendations": [
    "Implement stricter identity verification for helpdesk password resets (e.g., MFA, challenge questions).",
    "Monitor administrative accounts for unusual activity (e.g., sudden data access or exfiltration).",
    "Segment networks to limit lateral movement by attackers.",
    "Train employees on recognizing social engineering tactics, especially for helpdesk staff.",
    "Enhance logging and monitoring of critical systems to detect unauthorized access.",
    "Coordinate with law enforcement proactively to share threat intelligence.",
    "Conduct regular audits of third-party vendors and service providers for security vulnerabilities."
  ],
  "references": [
    {"date_accessed": "2024-07-18", "source": "U.S. Department of Justice"},
    {"date_accessed": "2024-07-18", "source": "FBI Statement (Brett Leatherman)"},
    {"date_accessed": "2024-07-18", "source": "Westminster Magistrates Court Records (Thalha Jubair and Owen Flowers)"}
  ],
  "regulatory_compliance": {
    "legal_actions": [
      "U.S. charges against Thalha Jubair (computer fraud, wire fraud, money laundering)",
      "Potential extradition from U.K.",
      "Up to 95 years in prison if convicted"
    ],
    "regulatory_notifications": [
      "DOJ complaint filing",
      "FBI statements",
      "International law enforcement coordination"
    ]
  },
  "response": {
    "communication_strategy": [
      "DOJ complaint unsealing",
      "Public statements by FBI/DOJ officials",
      "Media coverage of arrests"
    ],
    "containment_measures": [
      "Seizure of servers and cryptocurrency wallets ($36M)",
      "Shutdown of Scattered Spider's Telegram channel"
    ],
    "incident_response_plan_activated": "Yes (FBI, DOJ, and international law enforcement)",
    "law_enforcement_notified": "Yes (FBI, DOJ, U.K. authorities)",
    "third_party_assistance": [
      "U.K. National Crime Agency",
      "West Midlands Police",
      "City of London Police",
      "Agencies in Canada, Romania, Australia, and the Netherlands"
    ]
  },
  "stakeholder_advisories": [
    "DOJ and FBI warnings about Scattered Spider tactics",
    "Advisories to critical infrastructure sectors"
  ],
  "threat_actor": [
    "Scattered Spider",
    "Thalha Jubair (19, U.K. national)",
    "Owen Flowers (18, U.K. national)",
    "Unnamed U.S.-based co-conspirator"
  ],
  "title": "Scattered Spider Cybercriminal Operation Extorts $115M, Breaches U.S. Federal Court Network",
  "type": [
    "Cyber Extortion",
    "Data Breach",
    "Ransomware",
    "Social Engineering",
    "Unauthorized Access"
  ],
  "vulnerability_exploited": [
    "Weak Helpdesk Authentication",
    "Lack of Multi-Factor Authentication (MFA)",
    "Human Error (Social Engineering)"
  ]
}
```