Cybercriminals Involved in UK Retail Breaches Expanding Focus to U.S. Enterprises

Recent intelligence indicates that cybercriminals employing tactics associated with Scattered Spider, previously active against retail entities in the United Kingdom, have now expanded their focus to include retailers in the United States.

According to John Hultquist, Chief Analyst at Google Threat Intelligence Group, the U.S. retail sector is currently under threat from ransomware and extortion schemes believed to be orchestrated by the UNC3944 group, also known as Scattered Spider. “This actor, following a prolonged period of inactivity, has a record of concentrating their efforts on specific industry sectors. We expect them to maintain this focus in the foreseeable future, and U.S. retailers should be vigilant,” Hultquist warned.

This escalation follows notable attacks in the UK, including the breach of British retail titan Marks & Spencer (M&S). In that instance, assailants executed a ransomware attack, encrypting virtual machines on VMware ESXi hosts utilizing a DragonForce encryptor. This breach was linked to a group described as Octo Tempest by Microsoft, a designation for Scattered Spider.

The Co-op also encountered a significant cyber incident, confirming that attackers compromised data belonging to numerous current and former members. Additionally, Harrods recently reported restricting access to certain internet sites in response to an attempted cyber infiltration, although a conclusive breach has not yet been verified.

The DragonForce ransomware operation has claimed responsibility for all three of these attacks, and the tactics employed in them align with those traditionally associated with Scattered Spider actors. Emerging in December 2023, the DragonForce group has also begun marketing a new service that lets other cybercriminal organizations use its resources under a white-label arrangement.

After Scattered Spider shifted its attention to UK retailers in April, the UK National Cyber Security Centre (NCSC) issued guidance aimed at reinforcing cybersecurity measures across organizations, emphasizing that the recent cyberattacks serve as a critical alert that any institution could be next.

The NCSC has so far refrained from attributing these events to any specific hacking entity, as they continue to collaborate with affected organizations to ascertain the details.

“While we possess some insights, we are not yet in a position to determine if these attacks are interconnected, if they represent a coordinated effort by a singular group, or if there is no correlation at all,” stated NCSC officials. “We are actively engaging with victims and law enforcement to clarify these matters.”

Overview of Scattered Spider

Scattered Spider, also referenced as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra, encompasses a dynamic consortium of threat actors recognized for infiltrating numerous high-profile organizations through sophisticated social engineering strategies, which include phishing, SIM swapping, and targeted multi-factor authentication (MFA) fatigue attacks.
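The MFA fatigue (push bombing) technique named above has a recognizable footprint in identity-provider logs: a burst of push challenges to one user, mostly denied, followed by a single approval. The following detection logic is an added example written for this article, not code from Google, the NCSC or any vendor; the log format, user names and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from any real IdP or incident).
# Format per line: <ISO timestamp> <user> <event>
SAMPLE_LOG = """\
2025-05-14T09:00:00Z alice push_sent
2025-05-14T09:00:15Z alice push_denied
2025-05-14T09:00:30Z alice push_sent
2025-05-14T09:00:45Z alice push_denied
2025-05-14T09:01:00Z alice push_sent
2025-05-14T09:01:15Z alice push_denied
2025-05-14T09:01:30Z alice push_sent
2025-05-14T09:01:45Z alice push_denied
2025-05-14T09:02:00Z alice push_sent
2025-05-14T09:02:20Z alice push_approved
2025-05-14T09:05:00Z bob push_sent
2025-05-14T09:05:10Z bob push_approved
"""

def parse_log(text):
    """Parse lines into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)

def detect_mfa_fatigue(text, window=timedelta(minutes=10), min_pushes=5):
    """Flag users with >= min_pushes push challenges inside `window`, with denial count and whether an approval followed the burst."""
    by_user = defaultdict(list)
    for ts, user, event in parse_log(text):
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        pushes = [ts for ts, e in evs if e == "push_sent"]
        start = 0
        for end in range(len(pushes)):
            while pushes[end] - pushes[start] > window:  # slide window start forward
                start += 1
            count = end - start + 1
            if count < min_pushes:
                continue
            lo, hi = pushes[start], pushes[end] + window
            denied = sum(1 for ts, e in evs if e == "push_denied" and lo <= ts <= hi)
            approved = any(e == "push_approved" and pushes[end] <= ts <= hi for ts, e in evs)
            findings[user] = {"pushes": count, "denied": denied, "approved_after_burst": approved}
            break  # one finding per user is enough to raise an alert
    return findings
```

A finding with `approved_after_burst` set is the case to treat as a likely compromised session rather than a noisy user; the thresholds are assumptions to tune against your own push volumes.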

The group’s activities intensified in September 2023, highlighted by a breach at MGM Resorts, where they utilized BlackCat ransomware to encrypt over 100 VMware ESXi hypervisors after gaining network access via impersonation tactics directed at the IT help desk.

Since that incident, Scattered Spider has collaborated with several other ransomware operations, such as RansomHub, Qilin, and DragonForce. Notable breaches associated with Scattered Spider also include those impacting Twilio, Coinbase, DoorDash, Caesars Entertainment, MailChimp, Riot Games, and Reddit.

A subset of Scattered Spider participants is believed to form part of a loosely organized community known as “Com,” engaged in cyberattacks as well as violent activities often reported in the media.

These cybercriminals are notably young, some as young as 16, and predominantly English speakers who coordinate their operations through digital platforms such as Telegram and Discord.

Despite common references to “Scattered Spider” suggesting a unified gang, the term actually describes a loose aggregation of threat actors applying specific methodologies that complicate the tracking of their individual activities.

“These actors are noted for their aggressive and innovative tactics, which enable them to effectively bypass established security protocols,” Hultquist emphasized. “They have demonstrated considerable success in social engineering and leveraging third-party vulnerabilities to infiltrate their intended targets.”