A ransomware gang that recently hit major UK retailers such as Marks & Spencer is now setting its sights on US companies, according to a warning from Google’s security team. The cyber attacks are likely perpetrated by remnants of the “Scattered Spider” or “Octo Tempest” group that victimized MGM, Twilio, Coinbase, Reddit and other targets during a spree that began in 2023.
The cyber attacks generally lead with social engineering of an IT help desk employee, who is talked into giving up access to a company account, an approach aided by many members of the group apparently being based in the US and UK. The attackers then deploy the “DragonForce” ransomware and exfiltrate sensitive data.
“Scattered Spider” returns, campaign against UK retailers was only the beginning
Threat actor “UNC3944” is behind the cyber attacks on UK retailers, and has previously been referred to as “DragonForce” after the ransomware it opts to use. However, security researchers quickly noticed similarities to the Scattered Spider group that grabbed headlines in 2023 for wreaking havoc on the casino floors of MGM’s Vegas properties, among other escapades. The UNC3944 members denied being part of Scattered Spider in public statements, but further research has produced stronger ties, and the so-called hacking collective is now being implicated by most major sources. The UK NCSC, however, has yet to formally declare that any particular threat actor is responsible.
From late April into May of this year, the hackers landed successful cyber attacks against Marks & Spencer and Co-op. Harrods reported being targeted during this period, but claims that it contained the attackers and has yet to confirm any data breach. In both of the successful attacks, the hackers called the IT help desk by phone and social-engineered an employee into resetting an account password. This tracks with Scattered Spider’s prior MO at many of its targets, including its infamous hacks on MGM and Caesars.
This appears to be something of an unexpected resurgence for the group, which was heavily targeted by international law enforcement in 2024, resulting in the arrests of seven members in the US and UK. But further research has indicated that members operate as a loose collective, in some cases also belonging to other cybercrime gangs, and use certain central hacker forums and Discord and Telegram channels to drop in and organize cyber attacks. As with the members arrested in 2024, most of the group appears to be very young (as young as 16) and mostly residents of the US and UK who speak fluent English and have a cultural competency for social engineering schemes that the usual Russia- or Asia-based criminal hackers cannot match.
Cyber attacks may be shifting to US targets
Google’s cybersecurity team is now warning that the hackers have moved on from UK retailers and are planning on directing cyber attacks against US targets. But what happened with the UK retailers should serve as a warning for what US companies that are breached might expect; Marks & Spencer is still working to restore all of its online functionality and operations, weeks after it was hit by the ransomware.
It is unclear exactly who Scattered Spider is planning on targeting, but US retailers are already assuming they will be first in line. The National Retail Federation, the world’s biggest retail trade association, has said that it has alerted members to the risk and is closely tracking developments. And the Retail & Hospitality ISAC, which counts McDonald’s and Costco among its members, has said that it is working with Google security staff to prepare a briefing on the threat. John Hultquist, one of Google’s security analysts, noted that the group has an established pattern of focusing on one business sector for an extended period of time, and it is reasonable to assume they will continue focusing on retail for at least some weeks after the success they experienced in penetrating the UK retailers.
The group has long experience calling up IT help desks and massaging employees into making a mistake, evidenced by many of its earlier attacks in addition to the hits on the UK retailers. But it also has a number of other tricks in its bag, such as a high level of skill at pulling off SIM swaps. And the researchers note that it appears to be using DragonForce’s “white label” ransomware service to deploy its own custom encryptor, something it did not do in previous attacks (when it instead made use of stock AlphV/BlackCat or RansomHub ransomware).
Boris Cipot, Senior Security Engineer at Black Duck, provides some additional intelligence for organizations that may find themselves targeted by the wily hackers: “Scattered Spider is a well-known, sophisticated cybercriminal group mostly known for hacking the casino operators MGM Resorts International and Caesars Entertainment. They usually deploy social engineering techniques to persuade employees into handing over credentials. Amongst their other techniques, SIM swapping and MFA fatigue attacks are common. They are known to use legitimate remote management software, for example AnyDesk or TeamViewer, to avoid detection, but are also known to partner with ransomware groups. Their usual targets are in the hospitality and telecommunication sectors; however, they have shifted towards retail, which could have, on one hand, a monetary motivation and, on the other hand, a gap in deployment of cybersecurity tools and cybersecurity hygiene, which makes those targets easier to breach. The retail sector also has large amounts of highly sensitive personal data to offer, especially payment data, which is of great value for extortion or further sale. Additionally, the retail sector has complex supply chains, making it harder to deploy resilient cybersecurity strategies. This opens another possibility to find exploitable holes in the systems. Furthermore, the retail sector is under high pressure during holiday seasons or events like Black Friday, Back to School, etc. Attacks during this time can be more successful, and with the added pressure on the target, they may be more willing to cooperate with the attacker, as any amount of downtime can have devastating effects.”
Chad Cragle, CISO at Deepwatch, adds some insights about the unique challenges retailers might face from these cyber attacks: “Scattered Spider (UNC3944) uses sophisticated social engineering to infiltrate and deploy ransomware. To defend against this group, secure privileged accounts, implement phishing-resistant MFA, and verify every help-desk identity request. Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments. However, organizations with valuable data and critical availability needs are equally at risk.”
Martin Jartelius, CISO at Outpost24, expands on why the criminals will almost certainly use the same approach they ran successfully against the UK retailers: “A transition from one primarily English-speaking region to another requires less adaptation of scripts and makes good sense. Social engineering is related to marketing in that it aims to entice a desired behavior in another individual, which requires both a well-tailored script and an element of culture suited for those you target for it to work out. We see this in smaller fraud as well, where a method is reused, and in those cases the scripts, that is, the ways of working the social engineering, are even sold between criminals.”