The UK’s Marks & Spencer suffered a cyberattack in late April that disrupted the retailer’s operations and is expected to cost the company over $400 million.
That attack was quickly followed by similar incidents that struck two other iconic British retailers, Harrods and the Co-op, sparking widespread press coverage and fueling consumer fears across the UK as shelves ran empty and online ordering ceased.
All three incidents have been attributed to a loose collective of young, native English-speaking hackers known as Scattered Spider, also called UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, and 0ktapus.
Earlier this month, Google warned that Scattered Spider will bring its high-profile retail attacks to the US. However, experts say Scattered Spider is already targeting top US organizations, and CISOs should prepare now for how their organizations will deal with the aggressive hacking group.
“You need to have a plan before you get punched in the face,” Kristopher Russo, principal threat researcher at Palo Alto Networks, told CSO. “Make sure you are practicing so that when it happens, you’re ready. You should have your playbook in place, know exactly who to call, and know what to shut down to help isolate and stop the attack.”
Who is Scattered Spider?
Scattered Spider is considered part of a broader group of young cybercriminals known as The Com, although these groups are difficult to pin down. They’re best known in the US for their audacious ransomware attacks on two Las Vegas casino owners, MGM Resorts and Caesars Entertainment.
In the latest round of attacks, they’ve joined forces with a potent ransomware-as-a-service actor, DragonForce. Although it poses as pro-Palestinian hacktivists, DragonForce may be one of the many cybercrime groups operating in Russia with the Kremlin’s tacit permission.
DragonForce’s recent rebrand announcement, in which it now calls itself a “cartel,” included a warning not to attack targets in the Commonwealth of Independent States, a 10-nation bloc centered on Russia and former Soviet republics. A rival gang, RansomHub, accused DragonForce of collaborating with Russia’s FSB intelligence arm.
“They’re more than likely leaning into the Russian affiliate model, so they’re just renting out tools and infrastructure,” Mike Hamilton, field CISO at Lumifi Cyber, told CSO. “That gives them a lot of advantages.”
However, the relationship between DragonForce and Scattered Spider is murky, even if it’s clear that Scattered Spider is deploying DragonForce malware. That relationship is “one of the million-dollar questions,” Greg Linares, principal threat intelligence analyst at Huntress, told CSO. “We know that they’re using DragonForce. But is it affiliated? Is it being paid? Or is it a false flag?”
Whatever the case may be, “I think it’s really important to realize that DragonForce is a very serious ransomware group,” Zach Edwards, senior threat researcher at Silent Push, told CSO. “They’d be considered among the top [ransomware groups] because their software is good; it effectively does what it says it’s going to do.”
Significant shift to social engineering
Over the past two years, many Scattered Spider members have been arrested and even convicted, including one key member known as “King Bob,” who was arrested in early 2024 and later pleaded guilty to the charges against him. Six other significant Scattered Spider members were arrested in late 2024.
Following these law enforcement actions, the group appeared by early 2025 to have halted its operations. “For us at Silent Push, around November and December of last year, we were seeing a drop-off in their infrastructure,” Edwards said. “Their phishing pages stopped being created. But in early 2025, we picked up their phishing kits coming live again and targeting a variety of brands.”
Experts say that apart from aligning with DragonForce, Scattered Spider has shifted its preferred mode of infiltration from phishing to socially engineering its way into organizations.
“What’s important about the latest UK campaign is the shift in their tactics,” Edwards said. “What we’re seeing right now is zero phishing kits live. The new stuff here in the US appears to be solely social engineering focused, where they’re reaching out to help desks, trying to do password resets, and reaching out to employees to try to get their credentials.”
The group even uses SIM swapping to pose as legitimate employees seeking password resets. “We know that they have SIM swapping capabilities,” Linares said, with the Harrods attack attributed to SIM swapping. “We know they’re likely working with people who work at the ISPs or the providers and helping them get that information.”
“What they’ll do is often they’ll call in pretending to be a legitimate employee of the company,” Austin Larsen, principal threat analyst at Google Mandiant, said during a webinar on defending against UNC3944. “Oftentimes, they come into these calls, into these help desks, equipped with a lot of information about their target user.”
He added, “They’re able to provide the Social Security number, for example, of their target user, their address, or other personal information. It’s a challenge for help desks to detect some of these attacks, given how much research and information the actor usually has going into these phone calls.”
Address the human element as a first line of defense
Given Scattered Spider’s impressive success with social engineering in the UK, experts say CISOs should first address their organizations’ softest targets, specifically the help desk staff and employees the hackers seek to manipulate.
“They know how help desks work,” Hamilton said. “They do a bunch of research, and they’ll get enough information on a user to be able to impersonate them at the help desk for a password reset, and then they’re in.”
“What sets this group apart is that their attack styles are not technically complex,” Palo Alto’s Russo said. “These aren’t zero-day exploits of vulnerabilities. They target people, so they’re going after the human element.”
CISOs should provide help desk personnel with procedures for reporting suspicious password reset calls and guide them on getting out of those conversations as quickly as possible.
“What CISOs need to do is make sure that their people are prepared for this kind of attack, that they have those red flags in place so that when a line is crossed in a call or a conversation, it ends,” Russo said. “If there’s ever a question of identity when they’re talking to somebody, if there’s any slip-up, if anything is missing, that’s a red flag to say, you know what? I need to contact your manager and get verification.”
But the help desk is not the only one that needs education. Experts say all employees should be aware of the group’s social engineering tactics.
“They act like the employee to the help desk, but they also act as the help desk when calling employees,” Huntress’ Linares said. “It works both ways. I’ve seen that attack occur where they call the employee and say, ‘Hey, we saw that alert happen on your machine; we need to log in or get access to that. Please run this script and this tool so we can remote in.’”
Speed is of the essence in these situations. “Don’t give them a chance to keep manipulating your people, because the longer you can keep somebody on the phone or online, the more likely you are to have success getting them to violate their processes and procedures,” Russo said.
Monitoring the hackers is a should
Unfortunately, adept Scattered Spider hackers can bamboozle even the most prepared help desk staff. Experts say that CISOs should, therefore, have detection and monitoring mechanisms to track the intruders once they’ve gained access.
“What do they do with these legitimate user credentials?” Google’s Larsen asked. “They often start by [searching] internal documentation for their victim organization. We see them, for example, in SharePoint searching for keywords such as VPN, MFA, or network map, trying to better understand what their victim environment looks like and how they can further expand their access into the environment. We also see them, for example, searching through chat platforms like Slack or Teams for any plaintext secrets or credentials, especially for VMware or vCenter.”
But after this phase, they move extremely quickly to fan out through the organization’s assets. “Once they move laterally using whatever valid credentials they have or they can find, we see them establish persistence quickly and fairly extensively, which makes remediation far harder for victims,” Larsen said. Attackers often use legitimate remote access utilities that antivirus solutions won’t pick up, he added. “So, an investigation using EDR utilities or solutions is required.”
“If we can stop it, that’s ideal, but detection is a must,” Russo said. “If they’ve gotten in there, we need to detect them. Look for users who are doing stuff they don’t normally do. So, for example, they’re in as this user, they’ve authenticated to the network, and then they start [hitting] different data stores all in a big sequence. Well, that’s not normal for that user to do. We need to detect that.”
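The two behaviours Larsen and Russo describe (keyword searches for VPN, MFA or network map in SharePoint, and a user suddenly touching many more data stores than usual) can both be expressed as simple detections over access logs. The following is an added example, not code from the article or from any of the vendors quoted; the log format, the sample records and the thresholds are assumptions, and the keyword list extends the quoted terms with vCenter, VMware and "password".

```python
"""Two detections for the post-compromise reconnaissance described above.

Assumed (not a real product format) audit schema, one record per line:
    timestamp,user,event,target
where event is "search" (target = the query string) or "access"
(target = a data store such as a SharePoint site, file share or repo).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Terms from the Mandiant quote above, plus vcenter/vmware/password (assumed).
RECON_TERMS = ("vpn", "mfa", "network map", "vcenter", "vmware", "password")
RECON_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in RECON_TERMS) + r")\b", re.IGNORECASE
)

# Constructed sample log (not real telemetry). "jdoe" has a quiet baseline and
# then, at 03:00 on May 4, searches for recon terms and fans out across stores.
# "asmith" runs a single, isolated "vpn" search and should not be flagged.
SAMPLE_LOG = """\
2025-05-01T09:02:11Z,jdoe,access,sp://finance
2025-05-01T09:40:00Z,jdoe,access,sp://finance
2025-05-02T10:15:22Z,jdoe,access,sp://finance
2025-05-02T10:16:40Z,jdoe,access,smb://fs01/team
2025-05-03T08:55:03Z,jdoe,search,quarterly report
2025-05-03T09:01:00Z,jdoe,access,sp://finance
2025-05-04T03:12:05Z,jdoe,search,vpn
2025-05-04T03:13:40Z,jdoe,search,mfa reset
2025-05-04T03:14:02Z,jdoe,search,network map
2025-05-04T03:20:11Z,jdoe,access,sp://it-docs
2025-05-04T03:21:30Z,jdoe,access,sp://hr
2025-05-04T03:22:05Z,jdoe,access,smb://fs01/team
2025-05-04T03:23:48Z,jdoe,access,smb://fs02/eng
2025-05-04T03:25:10Z,jdoe,access,git://infra
2025-05-04T03:26:33Z,jdoe,access,sp://finance
2025-05-04T03:27:59Z,jdoe,access,smb://backup01/vmware
2025-05-01T11:00:00Z,asmith,search,vpn client install
2025-05-02T11:05:00Z,asmith,access,sp://it-docs
"""


def parse(text):
    """Parse the assumed CSV schema into (ts, user, event, target), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, target = line.split(",", 3)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, target))
    return sorted(events)


def flag_recon_searches(events, min_hits=2, window=timedelta(hours=1)):
    """Flag users who issue >= min_hits recon-keyword searches inside one window.

    Returns {user: [matching queries in the first such window]}. A lone hit
    (someone looking for the VPN client) stays below the threshold.
    """
    hits = defaultdict(list)
    for ts, user, event, target in events:
        if event == "search" and RECON_RE.search(target):
            hits[user].append((ts, target))
    alerts = {}
    for user, h in hits.items():
        for i, (t0, _) in enumerate(h):
            cluster = [q for t, q in h[i:] if t - t0 <= window]
            if len(cluster) >= min_hits:
                alerts[user] = cluster
                break
    return alerts


def flag_store_fanout(events, window=timedelta(hours=1), factor=3, min_stores=5):
    """Flag a user whose distinct data stores touched inside one window jump to
    >= max(min_stores, factor * that user's previous per-window peak).

    The baseline is learned from the user's own earlier windows, so a user
    who routinely spans many stores is not flagged for doing so again.
    """
    accesses = defaultdict(list)
    for ts, user, event, target in events:
        if event == "access":
            accesses[user].append((ts, target))
    alerts = {}
    for user, acc in accesses.items():
        peak = 0  # largest distinct-store count seen in any earlier window
        for i, (t0, _) in enumerate(acc):
            stores = {s for t, s in acc[i:] if t - t0 <= window}
            if len(stores) >= max(min_stores, factor * peak):
                alerts[user] = {"start": t0, "stores": len(stores), "baseline": peak}
                break
            peak = max(peak, len(stores))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("recon searches:", flag_recon_searches(evs))
    print("store fan-out:", flag_store_fanout(evs))
```

Both detections are deliberately per-user rather than global: the point Russo makes is "not normal for that user", so the fan-out rule compares each account against its own prior peak, and the keyword rule requires a cluster of recon terms rather than a single word that a legitimate user might search for. In production the same logic would run over SharePoint/Teams audit exports and file-server access logs, with the thresholds tuned to the environment.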
Don’t pay the ransom
In the case of Scattered Spider’s hacking of the two casino operators in 2023, Caesars emerged relatively unscathed because it paid the demanded ransom of $15 million, while MGM Resorts, which didn’t pay the ransom, was hit with $145 million in expenses and class-action lawsuit payments, among other costs.
However, experts say that despite these examples, it’s a bad idea to pay Scattered Spider a ransom if they successfully encrypt files and steal valuable data.
“We know that paying that ransom just incentivizes them,” Lumifi’s Hamilton said. “It gives them money to keep doing what they’re doing.”
Moreover, “It’s often faster to restore from backups,” he added. “If you have good controls in place, you have immutable backups, and you have processes, and you know exactly what the order of things to come back up is, you can do that faster than you can apply a decryption key, which many times doesn’t work very well.”
“If you pay that ransom, they may still absolutely put all of your data on the internet, because these are kids and they’re outrageous people,” Silent Push’s Edwards said. “The decryption keys may not work. And paying definitely doesn’t guarantee that the data won’t leak. It’s not a guarantee in any way.”