Cybersecurity experts from Google have issued a warning about the Scattered Spider hacking group, which is now shifting its focus from the UK to retail sectors in the United States.
Scattered Spider, a group infamous for its disruptive attacks on UK retailers, is now actively targeting US retail companies. This escalation follows a series of similar attacks in the UK, raising concerns among cybersecurity professionals.
John Hultquist, a cybersecurity analyst at Google’s Threat Intelligence Group, stated that the US retail sector has become a focal point for ransomware and extortion activities, which his team suspects are linked to Scattered Spider, also known as UNC3944. The hacking group has demonstrated a concerning ability to circumvent robust security measures.
Scattered Spider is believed to be involved in recent high-profile attacks targeting major UK retailers such as Harrods, Co-op, and M&S. While neither the UK’s National Cyber Security Centre nor Mandiant has formally attributed these specific incidents, the similarities in attack methodologies suggest a direct connection to the activities of UNC3944 in the United States.
Researchers have also noted potential links between Scattered Spider and DragonForce ransomware operators. Both groups have utilized similar tactics, and both had affiliations with the now-defunct RansomHub Ransomware-as-a-Service (RaaS) platform. Despite the absence of confirmed links between these groups and the increase in retail data leaks, the rise in reported incidents (11% in 2025 compared to previous years) suggests an increasing interest by adversaries in the retail sector due to the valuable personally identifiable information (PII) and financial data it holds.
The methods employed by Scattered Spider are characterized by sophisticated social engineering techniques. Traditionally focused on telecommunications for SIM swapping attacks, the group has since expanded its tactics to include ransomware for extortion. Its operational playbook features phishing attempts and multi-factor authentication (MFA) bombing, tactics that are more effective against organizations with large help desks and outsourced IT departments.
Since early 2023, Scattered Spider has targeted a broad spectrum of industries, including technology, telecommunications, financial services, business process outsourcing, gaming, hospitality, retail, and media and entertainment. Its geographical targets span the US, Canada, the UK, Australia, Singapore, and India.
In response to these threats, the Retail & Hospitality Information Sharing and Analysis Center (ISAC), which includes major retailers like Albertsons, Costco, and McDonald’s, is collaborating with Google to provide its members with actionable insights into enhancing their cybersecurity preparedness against this evolving threat landscape. Retailers are particularly vulnerable due to their management of substantial payment data and intricate supply chains, which can compel them to meet ransom demands to ensure business continuity.
Chad Cragle, Chief Information Security Officer at Deepwatch, emphasized the need for robust security measures, highlighting that organizations must secure privileged accounts, implement phishing-resistant MFA, and thoroughly verify help-desk identity requests. Given the increasing frequency of attacks targeting sectors with valuable data and critical operational needs, all businesses must remain vigilant against potential breaches.