
How CISOs can defend against Scattered Spider ransomware attacks




The UK’s Marks & Spencer suffered a cyberattack in late April that damaged the high-end retailer’s operations and is expected to cost the company over $400 million.

That attack was quickly followed by similar incidents that struck two other iconic British retailers, Harrods and the Co-op, sparking widespread press coverage and fueling consumer fears across the UK as shelves ran empty and online ordering ceased.

All three incidents have been attributed to a loose collective of young, native English-speaking hackers known as Scattered Spider, also called UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, and 0ktapus.

Earlier this month, Google warned that Scattered Spider will bring its high-profile retail attacks to the US. However, experts say Scattered Spider is already targeting top US organizations, and CISOs should prepare now for how their organizations will deal with the aggressive hacking group.

“You need to have a plan before you get punched in the face,” Kristopher Russo, principal threat researcher at Palo Alto Networks, told CSO. “Make sure you are practicing so that when it happens, you’re ready. You should have your playbook in place, know exactly who to call, and know what to shut down to help isolate and stop the attack.”

Who is Scattered Spider?

Scattered Spider is considered part of a broader group of young cybercriminals known as The Com, although these groups are difficult to pin down. They’re best known in the US for their audacious ransomware attacks on two Las Vegas casino owners, MGM Resorts and Caesars Entertainment.

In the latest round of attacks, they’ve joined forces with a potent ransomware-as-a-service actor, DragonForce. Although it poses as pro-Palestinian hacktivists, DragonForce may be one of the cybercrime groups operating in Russia with the Kremlin’s tacit permission.

DragonForce’s recent rebrand announcement, in which it now calls itself a “cartel,” included a warning not to attack targets in the Commonwealth of Independent States, a 10-nation bloc centered on Russia and former Soviet republics. A rival gang, RansomHub, accused DragonForce of collaborating with Russia’s FSB intel arm.

“They’re more than likely leaning into the Russian affiliate model, so they’re just renting out tools and infrastructure,” Mike Hamilton, field CISO at Lumifi Cyber, told CSO. “That gives them a lot of advantages.”

However, the relationship between DragonForce and Scattered Spider is murky, even if it’s clear that Scattered Spider is deploying DragonForce malware. That relationship is “one of the million-dollar questions,” Greg Linares, principal threat intelligence analyst at Huntress, told CSO. “We know that they’re using DragonForce. But is it affiliated? Is it being paid? Or is it a false flag?”

Whatever the case may be, “I think it’s really important to realize that DragonForce is a very serious ransomware group,” Zach Edwards, senior threat researcher at Silent Push, told CSO. “They’d be considered among the top [ransomware groups] because their software is good; it effectively does what it says it will do.”

Significant shift to social engineering

Over the past two years, many Scattered Spider members have been arrested and even convicted, including one key member known as “King Bob,” who was arrested in early 2024 and later pleaded guilty to the charges against him. Six other significant Scattered Spider members were arrested in late 2024.

Due to these law enforcement actions, by early 2025, the group appeared to have halted its operations. “For us at Silent Push, around November and December of last year, we were seeing a drop-off in their infrastructure,” Edwards said. “Their phishing pages stopped being created. But in early 2025, we picked up their phishing kits coming live again and targeting a variety of brands.”

Experts say that besides aligning with DragonForce, Scattered Spider has shifted its preferred mode of infiltration from phishing to socially engineering its way into organizations.

“What’s important about the recent UK campaign is the shift in their tactics,” Edwards said. “What we’re seeing right now is zero phishing kits live. The new stuff here in the US appears to be entirely social engineering focused, where they’re reaching out to help desks, trying to do password resets, and reaching out to employees to try to get their credentials.”

The group even uses SIM swapping to pose as legitimate employees seeking password resets. “We know that they have SIM swapping capabilities,” Linares said, with the Harrods attack attributed to SIM swapping. “We know they’re likely working with people who work at the ISPs or the providers and helping them get that information.”

“What they’ll do is often they’ll call in pretending to be a legitimate employee of the company,” Austin Larsen, principal threat analyst at Google Mandiant, said during a webinar on defending against UNC3944. “Oftentimes, they come into these calls, into these help desks, equipped with a lot of information about their target user.”

He added, “They’re able to provide the Social Security number, for example, of their target user, their address, or other personal information. It’s a challenge for help desks to detect some of these attacks, given how much research and information the actor often has going into these phone calls.”

Focus on the human factors as a first line of defense

Given Scattered Spider’s spectacular success with social engineering in the UK, experts say CISOs should first address their organizations’ softest targets, specifically the help desk staff and employees the hackers seek to manipulate.

“They know how help desks work,” Hamilton said. “They do a bunch of research, and they’ll get enough information on a user to be able to impersonate them at the help desk for a password reset, and then they’re in.”

“What sets this group apart is that their attack styles are not technically complex,” Palo Alto’s Russo said. “These aren’t zero-day exploits of vulnerabilities. They target people, so they’re going after the human element.”

CISOs should provide help desk personnel with procedures for reporting suspicious password reset calls and guide them on getting out of those conversations as quickly as possible.

“What CISOs need to do is make sure that their people are prepared for this type of attack, that they have those red flags in place so that when a line is crossed in a call or a conversation, it ends,” Russo said. “If there’s ever a question of identity when they’re talking to somebody, if there’s any slip-up, if anything is missing, that’s a red flag to say, you know what? I need to contact your manager and get verification.”

But the help desk isn’t the only one that needs education. Experts say all employees should be aware of the group’s social engineering tactics.

“They act like the employee to the help desk, but they also act as the help desk when calling employees,” Huntress’ Linares said. “It works both ways. I’ve seen that attack occur where they call the employee and say, ‘Hey, we saw that alert happen on your machine; we need to log in or get access to that. Please run this script and this tool so we can remote in.’”

Speed is of the essence in these situations. “Don’t give them a chance to keep manipulating your people, because the longer you can keep somebody on the phone or online, the more likely you are to have success getting them to violate their processes and procedures,” Russo said.

Monitoring the hackers is a must

Unfortunately, adept Scattered Spider hackers can bamboozle even the most prepared help desk staff. Experts say that CISOs should, therefore, have detection and monitoring mechanisms to track the intruders once they’ve gained access.

“What do they do with those legitimate user credentials?” Google’s Larsen asked. “They often start by looking at internal documentation for their victim organization. We see them, for example, in SharePoint searching for keywords such as VPN, MFA, or network map, trying to better understand what their victim environment looks like and how they can further expand their access into the environment. We also see them, for example, searching through chat platforms like Slack or Teams for any plain text secrets or credentials, especially for VMware or vCenter.”

But after this phase, they move extremely quickly to fan out through the organization’s assets. “Once they move laterally using whatever valid credentials they have or they can find, we see them establish persistence quickly and quite extensively, which makes remediation far harder for victims,” Larsen said, adding that attackers often use legitimate remote access utilities that antivirus solutions won’t pick up. “So, an investigation using EDR utilities or solutions is required.”

“If we can stop it, that’s perfect, but detection is a must,” Russo said. “If they’ve gotten in there, we need to detect them. Look for users who are doing stuff they don’t normally do. So, for example, they’re in as this user, they’ve authenticated to the network, and then they start looking at different data stores all in a big sequence. Well, that’s not normal for that user to do. We need to detect that.”
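As an added example that is not part of the article, here are the two detections the interviewees describe above, searches for reconnaissance keywords in a document platform and one user suddenly reading many distinct data stores in sequence, run over constructed audit events; the event field names, the recon term list and the per-user baseline table are assumptions.

```python
# Added example, not from the article: two detections drawn from the
# interviewees' advice. Field names and the baseline table are assumed.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance terms the article says the group searches for.
RECON_TERMS = {"vpn", "mfa", "network map", "vcenter"}

# Constructed sample events (JSON lines); not real logs.
SAMPLE_LOG = """
{"ts":"2025-05-01T09:00:00","user":"alice","action":"search","target":"sharepoint","query":"quarterly report"}
{"ts":"2025-05-01T09:01:10","user":"alice","action":"search","target":"sharepoint","query":"VPN"}
{"ts":"2025-05-01T09:01:40","user":"alice","action":"search","target":"sharepoint","query":"network map"}
{"ts":"2025-05-01T09:02:00","user":"alice","action":"read","target":"hr-share"}
{"ts":"2025-05-01T09:02:30","user":"alice","action":"read","target":"finance-share"}
{"ts":"2025-05-01T09:03:00","user":"alice","action":"read","target":"eng-wiki"}
{"ts":"2025-05-01T09:03:30","user":"alice","action":"read","target":"backup-console"}
{"ts":"2025-05-01T09:05:00","user":"bob","action":"read","target":"eng-wiki"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def recon_searches(events):
    """(user, query) for document searches that contain a recon term."""
    return [(ev["user"], ev["query"]) for ev in events
            if ev["action"] == "search"
            and any(t in ev["query"].lower() for t in RECON_TERMS)]

def breadth_alerts(events, baseline, window=timedelta(minutes=5)):
    """Flag a user who reads more distinct data stores within `window`
    than that user's baseline (max distinct stores seen in normal use)."""
    reads = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "read":
            reads[ev["user"]].append(ev)
    alerts = []
    for user, evs in reads.items():
        for i, first in enumerate(evs):
            seen = {e["target"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) > baseline.get(user, 2):
                alerts.append((user, sorted(seen)))
                break  # one alert per user is enough for triage
    return alerts
```

Feed `parse_events(SAMPLE_LOG)` to both functions with a baseline such as `{"alice": 2, "bob": 3}`; alice trips both detections, bob neither.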

Don’t pay the ransom

In the case of Scattered Spider’s hacking of the two casino operators in 2023, Caesars emerged relatively unscathed because it paid the demanded ransom of $15 million, while MGM Resorts, which didn’t pay the ransom, got hosed for $145 million in expenses and class-action lawsuit payments, among other costs.

However, experts say that despite these examples, it’s a bad idea to pay Scattered Spider a ransom if they successfully encrypt files and steal valuable data.

“We know that paying that ransom just incentivizes them,” Lumifi’s Hamilton said. “It gives them money to keep doing what they’re doing.”

Moreover, “It’s often faster to restore from backups,” he added. “If you have good controls in place, you have immutable backups, and you have processes, and you know exactly what the order of things to come back up is, you can do that faster than you can apply a decryption key, which many times doesn’t work very well.”

“If you pay that ransom, they may still absolutely put all of your data on the internet, because these are kids and they’re outrageous people,” Silent Push’s Edwards said. “The decryption keys may not work. And paying definitely doesn’t guarantee that the data won’t leak. It’s not a guarantee in any way.”