Two ‘Scattered Spider’ teens charged over attack on London’s transport network

Two teenagers are set to appear in court today after being charged with offences related to the cyberattack on Transport for London (TfL) in August 2024.

Owen Flowers, 18, from Walsall, was arrested for the second time this week, having previously been arrested and questioned in connection with the attack.

Flowers, who can now be named since turning 18 years of age, is alleged to have acted alongside another suspect, Thalha Jubair, 19, from East London, and other unknown individuals, to carry out the attack that caused widespread disruption for users of London’s transport network last year.

Both Flowers and Jubair were arrested at their homes at around lunchtime, in quick succession, on September 16, the National Crime Agency (NCA) said, which worked to secure charges against the pair on Wednesday, alongside City of London Police.

From there, they were held in different custody blocks and interviewed, including questioning related to offences separate from the TfL attack. 

Flowers and Jubair will appear at Westminster Magistrates’ Court today. The hearing will determine whether they are bailed or remanded in custody.

The Crown Prosecution Service (CPS) authorized the charges against the two young men on Wednesday, most of which fall under the Computer Misuse Act. 

Regarding TfL, Flowers and Jubair were both charged with conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security.

Both face separate, additional charges.

Flowers was also accused of being connected to two other attacks on US healthcare organizations around the same time as the TfL hit – one on SSM Health Care Corporation and the other on Sutter Health.

The NCA said that Flowers was charged for infiltrating and damaging SSM’s network, and attempting to do the same with Sutter Health.

Aside from TfL, Jubair also faces a charge under the Regulation of Investigatory Powers Act 2000, for failing to surrender PINs and passwords for devices seized by law enforcement on March 19.

Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, told journalists ahead of the hearing that the hope and main objective for these charges is to ensure a sustained disruptive effect against these two individuals and their alleged cyber offences.

In a public statement, he said: “Today’s charges are a key step in what has been a lengthy and complex investigation.

“This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure. 

“Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example.

“The NCA, UK policing, and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice.”

Hannah Von Dadelszen, chief crown prosecutor at the CPS, said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.

“We have worked closely with the National Crime Agency as they carried out their investigation.”

Whether Flowers and/or Jubair will be bailed or remanded in custody will be determined by today’s hearing.

Nabbed Spiders

It can be revealed today that both Flowers and Jubair are alleged by UK authorities to be members of the cybercrime group known as Scattered Spider.

The evidential threshold for attributing individuals to groups, and those groups to specific attacks, is extremely high across law enforcement and the cybersecurity industry, making the revelation ever more notable.

Despite Scattered Spider being linked to various high-profile attacks, neither Flowers nor Jubair are currently officially linked by authorities to the attacks on British retail giants M&S, Co-op, and Harrods earlier this year.

The Register reported in two separate stories last year, concerning the attacks on US MGM Casinos and TfL, that in both cases a 17-year-old from Walsall was arrested on suspicion of their involvement. 

Despite Flowers matching that description, it’s understood that he is not officially being linked to the MGM case, although today it can be revealed he was charged for the TfL attack, and separate investigations remain ongoing.

When asked, the NCA did not provide an update on its investigation into the ongoing cyberattack on Jaguar Land Rover, despite the widespread allegations of links between the attack and Scattered Lapsus$ Hunters.

TfL recap

The attack on TfL occurred on August 31, 2024, and although the very worst possible consequence – disruption to the smooth running of public transport – was averted, the overall impact on the organization was severe.

Various back office functions were rendered unavailable, and in the early days of the attack some staff were told to work from home.

Limited numbers of ticketing machines at London Underground stations went offline, and users relying on contactless payments to access transport services were unable to view their journey histories online.

It was not until December 4, 2024, that TfL was able to issue photo travel cards – Zip cards for young people, and Oyster cards for the 18+ and 60+ age groups – or issue refunds to customers for incomplete pay-as-you-go journeys.

The refund and bank data of around 5,000 Oyster cardholders was also exposed, with the info potentially including bank account numbers and sort codes.

The Register reported at the time that a large portion of TfL’s IT infrastructure was pulled offline, which in turn affected the availability of live Tube arrival information from being displayed at platforms.

According to annual reports from London’s transport authority, the total costs related to the incident, including incident response and remediation measures, ran into the tens of millions.

A TfL spokesperson said: “We welcome this announcement by the National Crime Agency that two people have now been charged in relation to the cyber incident which impacted our operations last year, and continue to support them with their ongoing law enforcement investigation. 

“The security of our systems and customer data is extremely important to us. We continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL.” ®

READ MORE HERE