Hackers from the Scattered Spider group, known for UK retail attacks, are now targeting US retailers, Google cybersecurity experts have warned.
The notorious cybercriminal group Scattered Spider is now actively targeting retail companies in the United States, following a string of disruptive attacks against similar businesses in the UK.
This warning comes directly from cybersecurity experts at Google Threat Intelligence Group (GTIG) and Google subsidiary Mandiant, who highlight the group’s effectiveness at bypassing even robust security measures.
“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” John Hultquist, Google’s cybersecurity analyst, stated.
It’s worth noting that Scattered Spider (aka UNC3944) is the main suspect in the recent attacks on UK retail giants Harrods, Co-op, and M&S, but the UK’s National Cyber Security Centre (NCSC), Mandiant and Google have not formally attributed them to any specific actor as yet. However, GTIG researchers suggest that the hackers targeting US retailers share similar techniques and procedures with the culprits behind the British incidents.
Researchers noted a possible link between DragonForce ransomware operators and Scattered Spider. The former took responsibility for attempted recent attacks on several UK retailers, using tactics similar to Scattered Spider. Moreover, both were associated with the now-defunct RaaS platform RansomHub.
However, GTIG could not confirm the link between UNC3944/DragonForce and rising retail data leaks. Nonetheless, the increasing presence of retail victims on data leak sites (11% in 2025, up from earlier years) suggests that threat actors find this sector attractive because of its large PII/financial data holdings and its willingness to pay ransom to maintain transaction processing.
As per Hackread.com’s previous reporting, Scattered Spider is a financially motivated threat actor known for using social engineering techniques. They gained notoriety for hacking casino giants MGM Resorts International and Caesars Entertainment in 2023. They initially targeted telecommunications companies for SIM swapping and later started deploying ransomware to extort victims.
They’re also known for phishing attempts and MFA bombing, where they bombard targets with multi-factor authentication requests. Generally, UNC3944 goes after established enterprises, especially organizations with large help desks and outsourced IT departments, as these are more vulnerable to their sophisticated social engineering techniques.
GTIG’s analysis shows that since early 2023 UNC3944 has targeted a diverse range of sectors, including Technology, Telecommunications, Financial Services, Business Process Outsourcing (BPO), Gaming, Hospitality, Retail, and Media & Entertainment organizations. Geographically, their main targets have been even more diverse, including the US, Canada, the UK, Australia, Singapore and India.
The Retail & Hospitality ISAC, an information-sharing group that includes major players like Albertsons, Costco, McDonald’s, and Lowe’s, has acknowledged the threat and is working with Google to provide its members with detailed briefings and guidance on how to strengthen their defences against this evolving threat. The warning from Google serves as a clear signal for US retailers to be on high alert and to review their security protocols.
Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform:
“Scattered Spider (UNC3944) uses sophisticated social engineering to infiltrate and deploy ransomware. To defend against this group, secure privileged accounts, implement phishing-resistant MFA, and verify every help-desk identity request.”
“Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments,” Chad warned. “However, organizations with valuable data and critical availability needs are equally at risk.”