
Scattered Spider Targets VMware Servers: A Shift Toward Virtualized Infrastructures
The notorious hacking group Scattered Spider, believed to have ties to Beijing, has recently shifted its focus toward virtualized environments, specifically targeting ESXi hypervisors that manage critical infrastructure systems, including those in sectors such as power, water, and transportation. These virtualized environments play a key role in running large-scale operations, making them prime targets for cybercriminals seeking high-value disruptions.
Recent reports, including a detailed analysis from Google Mandiant security experts, reveal that virtualized environments are especially attractive to hackers. The reason behind this shift is clear: by targeting the hypervisors that manage multiple servers on a single physical machine, attackers can cause widespread disruption. Since a single physical server often hosts thousands of virtual machines (VMs) that drive crucial applications, any compromise could potentially bring down entire systems. This creates an ideal opportunity for hackers, not only to disrupt operations but also to exfiltrate sensitive data, making it easier to carry out social engineering attacks later on.
The group, also known under multiple aliases such as UNC3944, Star Fraud, Octo Tempest, Muddled Libra, and 0Ktapus, has a history of successful high-profile attacks. They were infamously behind the DragonForce ransomware attacks that targeted UK retailers, and now it appears they’re pivoting to more sophisticated strategies involving virtualized environments. Experts fear that these attacks could evolve into double or triple extortion campaigns, where cybercriminals not only hold data hostage but also threaten additional harm unless more payments are made.
As these hackers refine their techniques, organizations relying on virtualization for their critical infrastructure must reassess their cybersecurity posture, especially when it comes to securing ESXi servers and related virtual machines.
France’s Naval Group Denies Cyber Attack Allegations: A False Narrative to Damage Reputation?
In another unfolding cybersecurity story, Naval Group, a French defense contractor responsible for building submarines and other military technology, is facing a bizarre claim from hackers alleging they’ve breached the company’s servers. However, the company strongly refutes the allegations, describing them as part of a smear campaign aimed at damaging its reputation in the global defense market.
The controversy began when a hacker going by the pseudonym “Neferpitou” posted on dark web forums, claiming to have accessed over 1TB of sensitive data from Naval Group’s research and development (R&D) operations. The hacker promised to leak 13GB of stolen data to prove the infiltration’s authenticity. The announcement was widely circulated through encrypted messaging platforms like Signal and Telegram, with messages appearing as early as July 21, 2025.
According to Neferpitou, the stolen data included highly classified information, such as weapon-launching software, nuclear submarine blueprints, simulation software, and even internal communication between staff. This would, if true, be a massive security breach with serious national security implications. The hacker even went so far as to hint at more information leaks to come, heightening the tension around the potential fallout.
However, Naval Group quickly dismissed the claims. After conducting an internal review, the company found that the data in question did not pertain to any of its ongoing projects, and the purported leak was essentially fabricated. The company suspects that this entire incident is part of a deliberate misinformation campaign designed to discredit it in the eyes of competitors and the public. This could be especially damaging to the company’s reputation, considering its role as a key player in the defense industry.
In a statement released on July 23, 2025, Naval Group assured the public that there had been no breach of its classified systems. The company further urged media outlets to stop disseminating the data leak rumors, calling them an attempt to undermine the firm’s standing both domestically and internationally.
Despite the false claims, Naval Group is taking the matter seriously. The company has launched an internal investigation to track the source of the rumors and has alerted law enforcement about the ongoing activity on dark web platforms. It is also working with cybersecurity experts to ensure that its systems are fully secure and that no actual data was compromised.
As of now, the hacking group’s claims remain unverified, and Naval Group is focused on clearing its name while reinforcing its security measures against potential future threats.