Scattered Spider Linked to Cyberattacks on M&S and Co-op, Resulting in Damages Estimated at $592 Million
The cyber attacks in April 2025 targeting U.K. retailers Marks & Spencer and Co-op have been categorized as a unified cyber event. This assessment comes from the Cyber Monitoring Centre (CMC), an independent, non-profit organization established by the insurance industry to evaluate significant cyber incidents.
The CMC noted that a single threat actor claimed responsibility for both attacks, which occurred closely together and employed similar tactics, techniques, and procedures (TTPs). Consequently, the incidents have been classified as a single combined cyber event.
These disruptions are classified as a “Category 2 systemic event,” with anticipated financial repercussions estimated between £270 million ($363 million) and £440 million ($592 million).
In contrast, a concurrent cyber attack on Harrods has not yet been included in this classification due to insufficient information regarding its cause and impact.
The initial attack vector for the Marks & Spencer and Co-op incidents involved social engineering tactics, primarily targeting IT help desks. The CMC continues to investigate the attribution of these events, with preliminary findings suggesting the involvement of the cybercriminal group known as Scattered Spider (UNC3944).
This group, a subset of a larger cybercrime network referred to as The Com, has effectively used its English-speaking members to conduct advanced social engineering attacks, typically impersonating IT department personnel to gain unauthorized access.
The CMC highlighted the significant and overarching effects these incidents have, underscoring the profound implications not only for the two companies directly impacted but also for their suppliers, partners, and service providers.
Additionally, the Google Threat Intelligence Group (GTIG) has reported that Scattered Spider actors are now targeting major insurance companies in the United States. John Hultquist, Chief Analyst at GTIG, emphasized the importance of vigilance within the insurance sector, particularly in guarding against social engineering attempts aimed at help desks and call centers.
While discussions surrounding the potential threats posed by Iranian cyber capabilities to U.S. organizations have garnered attention, these actors have already started targeting critical infrastructure, with expectations of increasingly high-profile incidents as they shift focus between sectors.
In related developments, Tata Consultancy Services (TCS) confirmed that neither its systems nor its user accounts were compromised during the Marks & Spencer attack. Previous reporting indicated that TCS is conducting an internal investigation to determine if its infrastructure was used as a launchpad for the attack.
This situation coincides with a new tactic from the Qilin ransomware operation, which offers legal assistance to increase pressure during ransom negotiations. The threat actors claim to have a dedicated team of journalists ready to assist with communication strategies and negotiations with victims.