Cyberattack on Marks & Spencer Linked to Scattered Spider Group
A significant cyberattack has recently disrupted operations at Marks & Spencer (M&S), the British retail giant, with connections to the infamous hacking group known as Scattered Spider. This group previously gained notoriety for its high-profile assault on MGM Resorts in 2023.
Reports indicate that the attack caused extensive outages, particularly affecting contactless payment systems and the Click and Collect service. Customers have expressed frustration due to these failures, compounded by online delivery delays. M&S was forced to pause online orders altogether, leading cybersecurity experts to suspect a ransomware scenario where critical data is encrypted with a ransom demanded for its release.
According to initial findings reported on April 23, 2025, the breach may have originated much earlier, potentially as far back as February, with the alleged theft of the NTDS.dit file. This vital database houses all user accounts and password material within a Windows network managed by Active Directory Domain Services. By accessing and decrypting this file, attackers could potentially extract password hashes and recover plain-text passwords from them, facilitating lateral movement through M&S's network.
Following this access, investigators revealed that the threat actors employed the DragonForce encryptor against virtual machines operating on VMware ESXi hosts, launching the main assault on April 24. Investigative efforts are now focusing on Scattered Spider as the primary perpetrator of this incident.
The ramifications of this attack extend beyond just online disruption. M&S has acknowledged "pockets of limited availability" within its physical stores, as customers have reported significant stock shortages nationwide, indicative of potential supply chain disruptions. Furthermore, gift card transactions have also experienced setbacks, exacerbating the company’s operational challenges.
Financially, the impact has been profound. Reports suggest a staggering loss of approximately £650 million from M&S's market valuation, while the suspension of online sales could be costing the company an estimated £3.5 million each day. Although M&S has not disclosed specific recovery timelines, it has characterized the decision to take systems offline as a precautionary measure. In-store staff remain apprehensive about the duration of these service interruptions.
Scattered Spider is characterized by its decentralized operation, functioning more as a collective of individuals than a traditional organized group. This makes tracking their activities particularly challenging. Known for leveraging advanced social engineering techniques and tools like BlackCat ransomware, this group has predominantly English-speaking members from Western Europe and the USA. Despite some arrests in the past, their ability to carry out complex attacks, such as the one on M&S, underscores their continued threat to major organizations.
The tactics and techniques associated with this incident can be analyzed through the lens of the MITRE ATT&CK framework. Initial access could correspond to techniques such as exploiting vulnerabilities in remote services, while the alleged theft of NTDS.dit maps to credential dumping. Additionally, the lateral movement observed suggests methods like remote service exploitation and the use of legitimate credentials. As businesses navigate this evolving threat landscape, the M&S incident serves as a stark reminder of the vulnerabilities that persist within even the most established organizations.