Scattered Spider, HAFNIUM Arrests
7–14–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, July 14, 2025, and we’re back from a week of travel that made me miss a video. Apologies, but we’ve got a few things to catch up on - namely the long, slow process of justice as it relates to a lot of the attacks and hacks that we talk about on this channel.
Scattered Spider, HAFNIUM Arrests
We’ve been talking over the past couple of weeks about Scattered Spider, and their attacks on UK retailers, insurance companies, and airlines. This week, we’re talking about some arrests, namely four made by the UK’s National Crime Agency.
“Two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands and London this morning (10 July) on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.
All four were arrested at their home addresses and had their electronic devices seized for digital forensic analysis.”
It will be interesting to see if this makes an impact on the activities of this group, or if it’s really as distributed and wide-reaching as some of the reporting indicates.
Obviously, the judicial process in the UK is different than in the US, but it does give credence to the theory that Scattered Spider is young, Western, and active.
The UK authorities weren’t the only ones making arrests, however, as the Italians - acting on behalf of the United States - arrested Xu Zewei, a 33-year-old Chinese national.
According to their press release, “Xu and his co-defendant, PRC national Zhang Yu (张宇), 44, are charged in a nine-count indictment, unsealed today in the Southern District of Texas, for their involvement in computer intrusions between February 2020 and June 2021, including the indiscriminate HAFNIUM computer intrusion campaign that compromised thousands of computers worldwide, including in the United States. Xu was arrested in Milan, Italy, and will face extradition proceedings.”
While this isn’t exactly swift justice, it does demonstrate the long-running view that’s sometimes necessary in combatting these threats.
It also comes at a time where we continue to see very real threats - particularly from an intelligence gathering perspective - with CNN reporting on Friday that powerful DC law firm Wiley Rein has been breached by supposed Chinese threat actors looking to target information that might be helpful on both trade and Taiwan.
Worth also noting that this isn’t the first time Wiley Rein has been targeted by Chinese threat actors. A publication from the American Bar Association in 2020 notes that Wiley Rein was breached by Chinese threat actors as far back as 2011.
As with many breaches, we’re missing details, but it’s possible that Wiley Rein fell victim to what’s being called “Citrix Bleed 2” - a vulnerability in Citrix systems so severe that when CISA added it to their Known Exploited Vulnerability list, they gave Federal agencies one day to patch it.
Security researchers are speculating that a significant number of Citrix Bleed 2 attacks are emanating from China. They are counting hundreds of victims based on open source signals intelligence, dating back into June. Russia, as well, has seen threat actors take advantage of these weaknesses, which are now moving on to lower-sophistication threat actors and into the “spray and pray” phase of exploitation.
In short - if you’re running vulnerable Citrix devices, you should patch and go pull IOCs for log investigation. As usual, the fundamentals apply: be made aware of these issues, address them rapidly, and maintain logs so you can validate or invalidate the presence of bad actors in your systems.
This isn’t glamorous work, but it remains critical in our defensive stacks - especially as attackers and their techniques evolve.
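The “pull IOCs and go look at your logs” step above is the part most teams under-invest in, so here is an added example of what that check looks like in practice. This is illustrative code written for this post, not anything from Citrix, CISA, or the linked reporting: the IOC addresses, the CIDR range, and the log lines are all constructed placeholders in documentation address space, and the log format is a generic timestamp/host/message layout rather than any vendor’s real format. Swap in the published indicator list and your own exported logs, set the lookback window to when the campaign was first reported (the page puts that in June), and the script tells you which lines inside that window touch a known-bad address and how many lines it could not parse, so a silent gap in the data doesn’t get mistaken for a clean result.

```python
"""Match a list of IP indicators of compromise (IOCs) against exported log lines.

Added example for this post. Every IOC value and log line here is a constructed
placeholder, not an indicator published for Citrix Bleed 2 or any real advisory.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed IOC set: exact addresses plus one whole range (RFC 5737 documentation space).
IOC_IPS = {"203.0.113.7", "198.51.100.23"}
IOC_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]

# Lookback window: the reporting above dates victims back into June, so start there.
WINDOW_START = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample log lines in a generic "<ISO timestamp> <host> <message>" layout.
SAMPLE_LOGS = """\
2025-05-28T09:12:01Z gw01 session established client=203.0.113.7 user=alice
2025-06-12T03:44:19Z gw01 session established client=192.0.2.77 user=admin
2025-06-12T03:44:20Z gw01 session established client=10.0.0.5 user=bob
2025-07-02T22:10:05Z gw02 auth failure client=198.51.100.23 user=svc-backup
this line is malformed and should be counted as unparsed
2025-07-09T11:05:33Z gw02 session established client=198.51.100.23 user=svc-backup
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_ioc(ip_text):
    """True if the address is an exact IOC or falls inside an IOC range."""
    if ip_text in IOC_IPS:
        return True
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in IOC_CIDRS)


def scan_logs(log_text, since=WINDOW_START):
    """Return (hits, skipped).

    hits    - one dict per in-window line that mentions at least one IOC
    skipped - number of lines that did not parse; report this alongside the hits,
              because an unparsed chunk of log is a blind spot, not a clean result
    """
    hits, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < since:
            continue  # before the lookback window; not relevant to this campaign
        matched = sorted({ip for ip in IP_RE.findall(m["msg"]) if is_ioc(ip)})
        if matched:
            hits.append({"ts": ts, "host": m["host"], "iocs": matched, "line": line})
    return hits, skipped


def summarize(hits):
    """Collapse hits into {ioc: [timestamps]} for a quick triage view of which
    indicators actually showed up and how often."""
    by_ioc = {}
    for h in hits:
        for ioc in h["iocs"]:
            by_ioc.setdefault(ioc, []).append(h["ts"])
    return by_ioc


if __name__ == "__main__":
    hits, skipped = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(h["ts"].isoformat(), h["host"], ",".join(h["iocs"]))
    print(f"{len(hits)} hit(s) since {WINDOW_START.date()}, {skipped} unparsed line(s)")
```

On the constructed input this reports three hits (one from the CIDR range, two from an exact indicator) and one unparsed line; the May entry that touches an IOC is deliberately excluded because it predates the window, which is the kind of decision you want to make explicitly rather than by accident.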
Fundraising
From a fundraising perspective, a solid week to get Q3 underway, with nearly $20B in newly committed capital, including a couple of very strong debuts:
BlueFive Capital, a Gulf-focused PE firm raised $2b for its debut fund; and
Haveli Investments, a software-focused PE firm raised $4.5b for its debut fund, per the WSJ.
On top of that, Blackstone announced a new $20B private credit vehicle - which seems to be an area of focus for private capital of late, what with the oft-delayed IPO.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.cnn.com/2025/07/11/politics/chinese-hackers-suspected-law-firm-hack
https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f