A sophisticated hacking group known as Scattered Spider is actively facilitating cyber-attacks on major retailers in the UK and US, cybersecurity experts from Google have revealed. The group, made up of English-speaking hackers largely based in the UK, US, and Canada, has been linked to recent data breaches at top UK retailers including Marks & Spencer, the Co-op, and Harrods.
According to Charles Carmakal, Chief Technology Officer at Google’s Mandiant cybersecurity division, the group has shifted its focus across the Atlantic, with US retail companies now squarely in its crosshairs. “They tend to focus on a particular industry sector and geography for a few weeks and then they move on,” Carmakal said. “Right now, they’re focused on retail organisations. They start in the UK, and now they’ve shifted to US organisations.”
While Carmakal did not confirm the specific victims by name, he stated broadly that “Scattered Spider members in the UK are facilitating and contributing to intrusions.” This comes as Marks & Spencer warns that both staff and customer data may have been compromised in a recent cyber-attack, with employee email addresses and full names believed to have been accessed by hackers.
The UK’s National Cyber Security Centre (NCSC) has issued an advisory urging businesses to review their IT help desk procedures. One of Scattered Spider’s key tactics involves calling help desks while impersonating employees or contractors to gain access to internal systems. “They’re making telephone calls, calling up help desks, pretending to be employees and convincing help desks to reset passwords,” Carmakal explained.
Younger members of the network, often active on platforms like Telegram and Discord, are reportedly responsible for these social engineering calls. Carmakal noted that these individuals are often paid a few hundred dollars to carry out the impersonation scams.
Scattered Spider stands out in the cybercrime world for its use of native English speakers and its dynamic approach to targeting, often locking on to one industry at a time for ransomware and extortion schemes. These attacks typically involve infecting a company’s systems with malware that encrypts data, with the data released only once a ransom is paid.
French luxury brand Dior also announced this week that it had suffered a data breach involving an “unauthorised external party,” though no payment data was stolen. It is unclear whether this attack is connected to Scattered Spider.
In light of the growing threat, Google’s cybersecurity experts have warned US retailers to brace for impact. “The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to Scattered Spider,” said John Hultquist, Chief Analyst at Google Threat Intelligence Group.
“With a pattern of focusing on one sector at a time, Scattered Spider’s pivot to US retail is a warning shot. We expect the group to continue targeting the sector in the near term,” Hultquist added.
Retailers on both sides of the Atlantic are now racing to tighten security protocols as the threat of cyber-attacks looms larger than ever.