How CISOs can defend against Scattered Spider ransomware attacks

By Declan Murphy, May 27, 2025, 10 Mins Read



The UK’s Marks & Spencer suffered a cyberattack in late April that damaged the high-end retailer’s operations and is expected to cost the company over $400 million.

That attack was quickly followed by similar incidents that struck two other iconic British retailers, Harrods and the Co-op, sparking widespread press coverage and fueling consumer fears across the UK as shelves ran empty and online ordering ceased.

All three incidents have been attributed to a loose collective of young, native English-speaking hackers known as Scattered Spider, also called UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, and 0ktapus.

Earlier this month, Google warned that Scattered Spider will bring its high-profile retail attacks to the US. However, experts say Scattered Spider is already targeting top US organizations, and CISOs should prepare now for how their organizations will deal with the aggressive hacking group.

“You need to have a plan before you get punched in the face,” Kristopher Russo, principal threat researcher at Palo Alto Networks, told CSO. “Make sure you are practicing so that when it happens, you’re ready. You have to have your playbook in place, know exactly who to call, and know what to shut down to help isolate and stop the attack.”

Who is Scattered Spider?

Scattered Spider is considered part of a broader group of young cybercriminals known as The Com, although these groups are difficult to pin down. They’re best known in the US for their audacious ransomware attacks on two Las Vegas casino owners, MGM Resorts and Caesars Entertainment.

In the latest round of attacks, they’ve joined forces with a potent ransomware-as-a-service actor, DragonForce. Although it poses as pro-Palestinian hacktivists, DragonForce may be one of the many cybercrime groups operating in Russia with the Kremlin’s tacit permission.

DragonForce’s recent rebrand announcement, in which it now calls itself a “cartel,” included a warning not to attack targets in the Commonwealth of Independent States, a 10-nation bloc centered on Russia and former Soviet republics. A rival gang, RansomHub, accused DragonForce of collaborating with Russia’s FSB intelligence arm.

“They’re more than likely leaning into the Russian affiliate model, so they’re just renting out tools and infrastructure,” Mike Hamilton, field CISO at Lumifi Cyber, told CSO. “That gives them a lot of advantages.”

However, the relationship between DragonForce and Scattered Spider is murky, even if it’s clear that Scattered Spider is deploying DragonForce malware. That relationship is “one of the million-dollar questions,” Greg Linares, principal threat intelligence analyst at Huntress, told CSO. “We know that they’re using DragonForce. But is it affiliated? Is it being paid? Or is it a false flag?”

Whatever the case may be, “I think it’s really important to realize that DragonForce is a very serious ransomware group,” Zach Edwards, senior threat researcher at Silent Push, told CSO. “They’d be considered among the top [ransomware groups] because their software is good; it effectively does what it says it will do.”

Significant shift to social engineering

Over the past two years, many Scattered Spider members have been arrested and even convicted, including one key member known as “King Bob,” who was arrested in early 2024 and later pleaded guilty to the charges against him. Six other significant Scattered Spider members were arrested in late 2024.

Because of these law enforcement actions, by early 2025, the group appeared to have halted its operations. “For us at Silent Push, around November and December of last year, we were seeing a drop off in their infrastructure,” Edwards said. “Their phishing pages stopped being created. But in early 2025, we picked up their phishing kits coming live again and targeting a variety of brands.”

Experts say that besides aligning with DragonForce, Scattered Spider has shifted its preferred mode of infiltration from phishing to socially engineering its way into organizations.

“What’s important about the recent UK campaign is the shift in their tactics,” Edwards said. “What we’re seeing right now is zero phishing kits live. The new stuff here in the US appears to be solely social engineering focused, where they’re reaching out to help desks, trying to do password resets, and reaching out to employees to try to get their credentials.”

The group even uses SIM swapping to pose as legitimate employees seeking password resets. “We know that they have SIM swapping capabilities,” Linares said, with the Harrods attack attributed to SIM swapping. “We know they’re likely working with people who work at the ISPs or the providers and helping them get that information.”

“What they’ll do is often they’ll call in pretending to be a legitimate employee of the company,” Austin Larsen, principal threat analyst at Google Mandiant, said during a webinar on defending against UNC3944. “Oftentimes, they come into these calls, into these help desks equipped with a lot of information about their target user.”

He added, “They’re able to provide the Social Security number, for example, of their target user, their address, or other personal information. It’s a challenge for help desks to detect some of these attacks, given how much research and information the actor typically has going into these phone calls.”

Focus on the human factors as a first line of defense

Given Scattered Spider’s spectacular success with social engineering in the UK, experts say CISOs should first focus on their organizations’ softest targets, particularly the help desk staff and employees the hackers seek to manipulate.

“They know how help desks work,” Hamilton said. “They do a bunch of research, and they’ll get enough information on a user to be able to impersonate them at the help desk for a password reset, and then they’re in.”

“What sets this group apart is that their attack styles are not technically complex,” Palo Alto’s Russo said. “These aren’t zero-day exploits of vulnerabilities. They target people, so they’re going after the human element.”

CISOs should provide help desk personnel with procedures for reporting suspicious password reset calls and guide them on getting out of those conversations as quickly as possible.

“What CISOs need to do is make sure that their people are prepared for this kind of attack, that they have those red flags in place so that when a line is crossed in a call or a conversation, it ends,” Russo said. “If there is ever a question of identity when they’re talking to somebody, if there’s any slip-up, if anything is missing, that’s a red flag to say, you know what? I need to contact your manager and get verification.”

But the help desk is not the only one that needs education. Experts say all employees should be aware of the group’s social engineering tactics.

“They act like the employee to the help desk, but they also act as the help desk when calling employees,” Huntress’ Linares said. “It works both ways. I’ve seen that attack occur where they call the employee and say, ‘Hey, we saw that alert happen on your machine; we need to log in or get access to that. Please run this script and this tool so we can remote in.’”

Speed is of the essence in these situations. “Don’t give them a chance to keep manipulating your people because the longer you can keep somebody on the phone or online, the more likely you are to have success getting them to violate their processes and procedures,” Russo said.

Monitoring the hackers is a must

Unfortunately, adept Scattered Spider hackers can bamboozle even the most prepared help desk staff. Experts say that CISOs should, therefore, have detection and monitoring mechanisms to follow the intruders once they’ve gained access.

“What do they do with those legitimate user credentials?” Google’s Larsen asked. “They often start by looking at internal documentation for their victim organization. We see them, for example, in SharePoint searching for keywords such as VPN, MFA, or network map, trying to better understand what their victim environment looks like and how they can further expand their access into the environment. We also see them, for example, searching through chat platforms like Slack or Teams for any plain text secrets or credentials, especially for VMware or vCenter.”

But after this phase, they move extremely quickly to fan out through the organization’s assets. “Once they move laterally using whatever valid credentials they have or they can find, we see them establish persistence quickly and quite extensively, which makes remediation far harder for victims,” Larsen said, adding that attackers often use legitimate remote access utilities that antivirus solutions won’t pick up. “So, an investigation using EDR utilities or solutions is required.”

“If we can stop it, it’s fine, but detection is a must,” Russo said. “If they’ve gotten in there, we need to detect them. Look for users who are doing stuff they don’t normally do. So, for example, they’re in as this user, they’ve authenticated to the network, and then they start looking at different data stores all in a big sequence. Well, that’s not normal for that user to do. We need to detect that.”
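
The two behaviours Larsen and Russo describe, reconnaissance searches for keywords like VPN, MFA or vCenter, and a single account suddenly reading far more distinct data stores than it normally does, can both be checked from an ordinary access audit trail. The script below is an added illustration, not code from the article or from any vendor quoted in it. The event format, field names, baseline numbers and the log lines themselves are constructed for the example; in practice they would come from SharePoint, Teams or file-server audit logs fed into a SIEM.

```python
"""Added example: flag the post-login behaviour described in the article.

Signal 1: a user reading more *distinct* data stores inside a time window
          than a multiple of their own historical baseline (the "big
          sequence" of data-store access Russo describes).
Signal 2: search queries in SharePoint or chat platforms containing the
          reconnaissance keywords Larsen lists.

All field names, baselines and log lines below are constructed for this
example and are not from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords the article says the group searches for, plus "password" (assumption).
RECON_KEYWORDS = ("vpn", "mfa", "network map", "vmware", "vcenter", "password")

# Constructed baseline: distinct stores each user normally reads per hour.
BASELINE_DISTINCT_STORES = {"alice": 2, "bob": 3}

# Constructed audit events: "<timestamp> <user> <action> <target>", where
# target is "system:collection" for reads and "system:query text" for searches.
SAMPLE_LOG = """\
2025-05-20T09:00:05Z alice login okta
2025-05-20T09:01:10Z alice read sharepoint:HR-Policies
2025-05-20T09:02:20Z alice search sharepoint:VPN setup guide
2025-05-20T09:02:45Z alice search teams:vcenter admin password
2025-05-20T09:03:00Z alice read sharepoint:IT-Runbooks
2025-05-20T09:03:30Z alice read fileshare:Finance
2025-05-20T09:04:00Z alice read fileshare:Engineering
2025-05-20T09:04:30Z alice read confluence:Network
2025-05-20T09:05:00Z alice read gitlab:infra-repo
2025-05-20T09:10:00Z bob login okta
2025-05-20T09:11:00Z bob read sharepoint:Sales-Decks
2025-05-20T09:12:00Z bob search sharepoint:Q2 pricing
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split(" ", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "target": target,
        })
    return events


def recon_searches(events):
    """Return (user, platform, query, matched_keywords) for suspicious searches."""
    hits = []
    for e in events:
        if e["action"] != "search":
            continue
        platform, _, query = e["target"].partition(":")
        matched = [k for k in RECON_KEYWORDS if k in query.lower()]
        if matched:
            hits.append((e["user"], platform, query, matched))
    return hits


def fan_out_alerts(events, baseline, window=timedelta(hours=1), factor=2):
    """Map user -> peak distinct stores read inside any `window`, for users
    whose peak exceeds factor x their baseline. Unknown users get baseline 1."""
    reads = defaultdict(list)
    for e in events:
        if e["action"] == "read":
            reads[e["user"]].append((e["ts"], e["target"]))
    alerts = {}
    for user, items in reads.items():
        items.sort()
        allowed = factor * baseline.get(user, 1)
        for i, (start, _) in enumerate(items):
            # Sliding window anchored at each read: count distinct stores touched.
            stores = {store for ts, store in items[i:] if ts - start <= window}
            if len(stores) > allowed:
                alerts[user] = max(alerts.get(user, 0), len(stores))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in recon_searches(evs):
        print("recon search:", hit)
    for user, n in fan_out_alerts(evs, BASELINE_DISTINCT_STORES).items():
        print(f"fan-out: {user} read {n} distinct stores within one hour")
```

On the constructed log, alice trips both checks (two recon searches and six distinct stores in five minutes against a baseline of two per hour) while bob, whose activity matches his baseline, produces nothing. The baseline is the part that matters: the same six reads would be normal for an analyst whose job is cross-departmental, so per-user history rather than a fixed threshold is what lets this catch a valid credential being used by someone it does not belong to.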

Don’t pay the ransom

In the case of Scattered Spider’s hacking of the two casino operators in 2023, Caesars emerged relatively unscathed because it paid the demanded ransom of $15 million, while MGM Resorts, which didn’t pay the ransom, got hosed for $145 million in expenses and class-action lawsuit payments, among other costs.

However, experts say that despite these examples, it’s a bad idea to pay Scattered Spider a ransom if they successfully encrypt files and steal valuable data.

“We know that paying that ransom just incentivizes them,” Lumifi’s Hamilton said. “It gives them money to keep doing what they’re doing.”

Moreover, “It’s often faster to restore from backups,” he added. “If you have good controls in place, you have immutable backups, and you have processes, and you know exactly what the order of things to bring back up is, you can do that faster than you can apply a decryption key, which many times doesn’t work very well.”

“If you pay that ransom, they may still absolutely put all your data on the internet because these are kids and they’re outrageous people,” Silent Push’s Edwards said. “The decryption keys may not work. And paying definitely doesn’t guarantee that the data won’t leak. It’s not a guarantee in any way.”
