“Scattered Spider” Looks to Move on From UK Retailers, Deploy Cyber Attacks in the US Instead

May 21, 2025

Intelligence from Google’s threat team and subsidiary Mandiant indicates that the “Scattered Spider” group was behind the attacks on major UK retailers in recent weeks, and that the hackers are likely to turn their attention to cyber attacks on US targets in the coming weeks.

The group has shown a predilection for sticking with one industry segment for a matter of weeks when it finds success, which it did with UK retailers Marks & Spencer and Co-op. This suggests a change of focus to US retailers, something the industry is already bracing for, but its primary approach of calling up IT help desks could be adapted to a wide variety of targets.

US retailers prepare for “Scattered Spider” cyber attacks

The attacks on the UK retailers appear to have been just the warm-up act for the seemingly revived Scattered Spider group, which grabbed big headlines with a series of major cyber attacks in 2023 before being hit hard by law enforcement in 2024. After several months of lying low, the group is back to its old tricks but with a few new twists.

The group has shown a few different approaches, but the one that racked up some of its biggest hits in 2023 (and worked on the UK retailers more recently) is to simply call up the target’s IT help desk and get them to reset an employee password. In its cyber attacks it is now using ransomware from DragonForce, a ransomware-as-a-service provider that allows for “white labeling” and customization of its product.

The Google team did not get into specifics about its intelligence, but major US retailers appear to be anticipating cyber attacks after warnings about Scattered Spider were issued by the National Retail Federation and the Retail & Hospitality ISAC.

UK retailers still grappling with ransomware aftermath weeks later

The initial attacks on the UK retailers were attributed to a threat group labeled as “UNC3944” and not formally recognized as anything but a known DragonForce affiliate. However, security researchers were quick to spot connections to Scattered Spider and it now appears all but confirmed that the group that terrorized MGM Resorts and others over a year ago is back on another spree of cyber attacks.

By late 2024, seven members of Scattered Spider had been identified and arrested for that prior crime wave. The group took a hiatus going into early 2025, but seems to once again be active and coordinating attacks on Telegram and Discord. The group is unique among the big ransomware threats as it is primarily composed of very young residents of the UK and US, most of whom seem to speak English natively and thus have a leg up in social engineering.

The Google researchers note the group has a prior established pattern of sticking with certain business sectors for weeks. In 2023 they were primarily focused on telecoms and hospitality, with the shift to UK retailers being a new development. Given the way it has previously done business, US retailers should be on high alert for cyber attacks that target their IT help desks at least into the early summer.
