Two British members of the Scattered Spider cybercrime group have pleaded guilty to a ransomware attack on Transport for London (TfL) in 2024.

The 2024 incident, said the National Crime Agency (NCA) this week, forced all 28,000 TfL employees to attend a TfL office for a password reset.

TfL’s annual report shows it suffered £29 million in loss and recovery costs after the incident, which took place between August 31 and September 4.

Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, both pleaded guilty to the attack. Flowers was initially arrested within days of the attack – police had raided his home on September 6.

Officers found hardware with evidence of other cybercriminal activity.

The two had been communicating by Telegram and “an online tool where multiple participants can work remotely on a common workspace.”

Scattered Spider’s well-documented playbook typically relied on social engineering for initial access – e.g. calling IT help desks or identity administrators while impersonating employees, in order to manipulate staff into resetting credentials or approving MFA requests.

See also: MGM Resorts’ ransomware attack started with a single phone call

Cybersecurity firm Huntress suggested that high-profile attacks on Caesars, MGM Resorts, and Transport for London “all involved calling a help desk to reset credentials as the initial access vector” – TfL did not publish public Indicators of Compromise (IOCs) or detail the precise initial attack vector. 
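The playbook described above, and the help-desk reset vector Huntress points to, leave a recognisable trail in identity logs: a help-desk-initiated password reset followed shortly by a new MFA device registration, or by a login from an address the account had never used. The following Python is an added illustration of that detection logic, not code from the article, TfL, the NCA or Huntress; the event names, field names, one-hour window and the log lines themselves are constructed assumptions, and nothing here reflects TfL's actual telemetry.

```python
"""Flag help-desk password resets followed by MFA or new-location activity.

Added illustration only. Event/field names and the sample log below are
constructed assumptions, not any real identity provider's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one JSON object per line, ISO-8601 UTC timestamps.
SAMPLE_LOG = """\
{"ts":"2024-08-31T09:02:11Z","event":"login","user":"alice","ip":"203.0.113.10","mfa":"push"}
{"ts":"2024-08-31T10:15:40Z","event":"helpdesk_password_reset","user":"alice","agent":"hd-07","ticket":"T-1001"}
{"ts":"2024-08-31T10:19:02Z","event":"mfa_device_registered","user":"alice","ip":"198.51.100.7","device":"authenticator"}
{"ts":"2024-08-31T10:20:30Z","event":"login","user":"alice","ip":"198.51.100.7","mfa":"push"}
{"ts":"2024-08-31T11:00:00Z","event":"helpdesk_password_reset","user":"bob","agent":"hd-02","ticket":"T-1002"}
{"ts":"2024-08-31T13:45:00Z","event":"login","user":"bob","ip":"203.0.113.22","mfa":"push"}
{"ts":"2024-08-31T14:05:12Z","event":"helpdesk_password_reset","user":"carol","agent":"hd-07","ticket":"T-1003"}
{"ts":"2024-08-31T14:06:00Z","event":"login","user":"carol","ip":"192.0.2.55","mfa":"sms"}
"""

# Assumed correlation window: follow-up activity later than this is not tied to the reset.
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON-lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_resets(events, window=WINDOW):
    """Return one alert per help-desk reset that is followed, within `window`,
    by an MFA device registration or a login from an IP the user had not
    used before the reset. Each alert carries the ticket and agent so the
    help-desk interaction itself can be reviewed."""
    known_ips = defaultdict(set)  # user -> IPs seen so far
    pending = {}                  # user -> most recent reset awaiting follow-up
    alerts = []
    for ev in events:
        user, kind = ev["user"], ev["event"]
        reset = pending.get(user)
        if reset is not None and ev["ts"] - reset["ts"] > window:
            # Reset expired without suspicious follow-up; stop tracking it.
            pending.pop(user)
            reset = None
        if kind == "helpdesk_password_reset":
            pending[user] = ev
        elif reset is not None and kind == "mfa_device_registered":
            alerts.append(_alert(reset, ev, "mfa_device_registered"))
            pending.pop(user)
        elif reset is not None and kind == "login" and ev.get("ip") not in known_ips[user]:
            alerts.append(_alert(reset, ev, "new_ip_login"))
            pending.pop(user)
        if "ip" in ev:
            known_ips[user].add(ev["ip"])
    return alerts


def _alert(reset, follow_up, reason):
    return {
        "user": reset["user"],
        "ticket": reset.get("ticket"),
        "agent": reset.get("agent"),
        "reset_at": reset["ts"].isoformat(),
        "reason": reason,
        "follow_up_at": follow_up["ts"].isoformat(),
        "minutes_after_reset": round((follow_up["ts"] - reset["ts"]).total_seconds() / 60, 1),
        "ip": follow_up.get("ip"),
    }


if __name__ == "__main__":
    for a in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(json.dumps(a))
```

On the constructed log this flags alice (MFA device registered four minutes after a help-desk reset) and carol (first login after the reset from an address never seen for that account), while bob's reset, with no follow-up inside the window, produces nothing. In practice the ticket and agent fields in each alert are what an incident responder pulls first: they identify the help-desk call that should be re-verified, which is the control these attacks exploit.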

Paul Foster, head of the NCA’s National Cyber Crime Unit, said the case was made possible because TfL engaged with law enforcement early – “I would urge any other organisation to please do the same in such circumstances.”

He added: “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider.”

TfL said in its annual report that it had to suspend access to travel concessions for several months after the attack; access to both Oyster and contactless journey histories was finally restored in December.

It has since added “significant cybersecurity incident” to its set of core enterprise risks, breaking it out from “significant security incident”.

Jubair and Flowers were due to stand trial at Woolwich Crown Court on June 22 but changed their pleas to guilty on the first day of proceedings. They are due to be sentenced at the same court on 16 July.
