Mandiant Warns of Rising Vulnerabilities to Social Engineering Attacks

The teenage hacking group known as Scattered Spider has intensified its focus on specific sectors, with the retail industry now appearing to be a primary target. Recent reports indicate that prominent UK retailers, including Marks & Spencer, Co-op, and Harrods, have experienced a series of incidents that exhibit characteristics consistent with Scattered Spider’s typical modus operandi.
Mandiant, the cybersecurity arm of Google, has highlighted that retail organizations constituted 11% of the victims on cybercrime data leak platforms – a notable increase from 8.5% in 2024 and 6% in 2023. This statistic underscores the growing threat landscape for retailers, as they become attractive targets for cybercriminals due to their large repositories of personally identifiable information (PII) and financial data. In the context of the MITRE ATT&CK framework, tactics such as initial access and privilege escalation may have been employed to compromise these organizations.
Scattered Spider surfaced in mid-2022 from a group of young hackers identifying themselves as “The Community,” or the “Com.” They have successfully executed cyberattacks against at least 130 firms, including major entities like MGM Resorts and Clorox. Law enforcement’s recent efforts led to the arrests and indictments of some of its senior members, even as Mandiant observes that the group continues to adapt and evolve despite these setbacks.
Mandiant stated in a recent blog post that it consistently sees attacks aimed at particular industries: financial services was a previous target, and food services has recently received similar attention. The overlap between Scattered Spider and the adversary group tracked as UNC3944 suggests a coordinated strategy that leverages social engineering, such as SIM-swapping and phishing, to exploit vulnerabilities in organizations.
The implications for retailers are significant. A ransomware strain known as DragonForce has reportedly been linked to the attacks, and companies like Co-op have had to suspend their online ordering systems due to breaches. This type of activity points to possible use of tactics from the MITRE ATT&CK framework, including “Execution” and “Exfiltration,” which facilitate such ransomware operations.
The relationship between Scattered Spider and DragonForce has yet to be unequivocally defined. Reports suggest that DragonForce was affiliated with RansomHub, a ransomware-as-a-service operation that ceased operations earlier this year. The evolution of these groups may allow them to better navigate law enforcement actions, as highlighted by Mandiant’s observation that their resilience stems from broader community ties.
To combat this surge in threats, Mandiant emphasizes the necessity of robust verification processes within organizations. It is crucial that help desks apply stringent checks to confirm employee identities and do not rely on publicly available data to do so. Furthermore, the effectiveness of traditional multi-factor authentication measures, such as SMS and voice calls, is increasingly questioned, prompting calls to decouple identity verification methods from infrastructure platforms like Active Directory.