
Scattered Spider Hackers Shift Focus to U.S. Retailers After M&S Breach

By Kirsten Doyle, May 16, 2025

Google has warned that the threat actor linked to the recent cyberattack on British retailer Marks & Spencer (M&S) is now setting its sights on U.S. retail companies. 

The group, known as “Scattered Spider,” is described by cybersecurity analysts as a loosely connected network of hackers with varying levels of sophistication. Despite their decentralized structure, the group has proven highly effective at executing disruptive cyberattacks against major corporations. 

John Hultquist, Chief Analyst at Google Threat Intelligence Group, told BleepingComputer that the US retail sector is currently in the crosshairs of ransomware and extortion operations that Google suspects are linked to UNC3944, also known as Scattered Spider.  

“The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note,” he added. 

Recent Incidents 

M&S disclosed this week that the April 25 attack compromised customer data, including names, addresses, and order histories. While no payment details or account passwords were stolen, the company cited the “sophisticated nature” of the breach. Online operations for M&S have remained frozen since the attack.  

Co-op reported another cyber incident, saying malefactors had stolen data belonging to many current and former members. Also, Harrods disclosed on 1 May that it had to restrict internet access to certain sites following an attempted network infiltration, indicating a proactive response to a potential cyberattack, although nothing has been officially confirmed. 

Scattered Spider has been known to target specific industries for extended periods. In 2023, it was linked to high-profile breaches at U.S. casino giants MGM Resorts and Caesars Entertainment. 

Reluctant Victims 

Cybersecurity experts and law enforcement face ongoing challenges in countering Scattered Spider, citing the group’s amorphous structure, the youth of many of its members, and the ongoing reluctance of victims to fully cooperate with investigations. 

Christian Beckner, VP at the National Retail Federation, said that U.S. retailers are closely monitoring developments. “There aren’t geographic boundaries on these threats,” he said, adding that the group’s cross-border activity highlights the need for heightened vigilance across the sector. 

Darren Guccione, CEO and Co-Founder of Keeper Security, said that in the UK incidents, malicious actors duped the companies’ IT teams into resetting employee passwords, which gave the attackers a way into their networks.  

Consider Passkeys  

“Retailers have a large variety of cyber defences available to them. Passkeys provide a strong alternative to traditional passwords and can help defend against this type of breach. Passkeys add a layer of security through biometric or device-based authorisation, which makes them inherently phishing resistant,” Guccione adds. “Privileged Access Management (PAM) is another vital defence against cyber threats. Features like automated password rotation and just-in-time access limit a cybercriminal’s ability to gather or steal data, while session monitoring and recording can allow organisations to identify the root cause of a breach. By providing visibility and access management across the entire organisation, PAM solutions limit access sprawl, which significantly minimises the impact of any breach.” 

To Err is Human 

Guccione also warns that the “human element” is a well-known risk factor in cybersecurity incidents. “Social engineering is a particularly manipulative type of scam that preys upon the humanity of the victim. Employee training is key to reducing the risk of the human element and preventing attacks of this nature. Anyone can fall for social engineering scams, but employees and their organisations are better equipped to combat them when they provide regular security training. Educating employees on how to spot deepfakes, verify requests and identify scams can provide another strong layer of protection against attacks.” 

Complex Supply Chains  

Scattered Spider has been known to use legitimate remote management software, such as AnyDesk or TeamViewer, to avoid detection, and is also known to partner with ransomware groups, adds Boris Cipot, Senior Security Engineer at Black Duck.  

“Their usual targets are in the hospitality and telecommunication sectors; however, they have shifted towards retail, which could have, on one hand, monetary motivation, and on the other hand, a gap in deployment of cybersecurity tools and cybersecurity hygiene, which makes those targets easier to breach. The retail sector also has large amounts of highly sensitive personal data to offer, especially payment data, which is of great value for extortion or further sale,” Cipot says. “Additionally, the retail sector has complex supply chains, making it harder to deploy resilient cybersecurity strategies. This opens another possibility to find exploitable holes in the systems. Furthermore, the retail sector is under high pressure during holiday seasons or events like Black Friday, Back to School etc. Attacks during this time can be more successful and, with the added pressure on the target, they may be more willing to cooperate with the attacker, as any amount of downtime can have devastating effects.” 

Phishing-Resistant MFA 

Scattered Spider (UNC3944) uses sophisticated social engineering to infiltrate and deploy ransomware, says Chad Cragle, CISO at Deepwatch. “To defend against this group, secure privileged accounts, implement phishing-resistant MFA, and verify every help-desk identity request. Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments. However, organizations with valuable data and critical availability needs are equally at risk.” 
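The help-desk reset pattern described above (an IT team talked into resetting a password, followed by the attacker enrolling their own MFA factor and signing in from a device the user has never used) can be caught in identity-platform logs. The following Python is an added example, not code from the article or from any vendor named in it; the event schema, the one-hour window and the sample records are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not from any real incident).
# "source" is who initiated a reset, or which device performed a login.
SAMPLE_EVENTS = [
    {"ts": "2025-05-10T09:02:00", "event": "password_reset", "user": "jsmith", "source": "helpdesk"},
    {"ts": "2025-05-10T09:09:00", "event": "mfa_enrolled",   "user": "jsmith", "source": "self"},
    {"ts": "2025-05-10T09:12:00", "event": "login",          "user": "jsmith", "source": "new_device"},
    {"ts": "2025-05-10T11:30:00", "event": "password_reset", "user": "alee",   "source": "self_service"},
    {"ts": "2025-05-10T11:35:00", "event": "login",          "user": "alee",   "source": "known_device"},
    {"ts": "2025-05-11T08:00:00", "event": "password_reset", "user": "bkim",   "source": "helpdesk"},
    {"ts": "2025-05-11T08:20:00", "event": "login",          "user": "bkim",   "source": "known_device"},
]

WINDOW = timedelta(hours=1)  # assumed detection window, tune to local help-desk SLAs


def _when(event):
    return datetime.fromisoformat(event["ts"])


def suspicious_reset_chains(events, window=WINDOW):
    """Return (user, reset timestamp) for every help-desk-initiated password reset
    that is followed, within `window`, by BOTH a new MFA enrolment and a login from
    a device not previously seen for that user. Self-service resets and resets
    followed only by a login from a known device are not flagged."""
    events = sorted(events, key=_when)
    flagged = []
    for i, reset in enumerate(events):
        if reset["event"] != "password_reset" or reset["source"] != "helpdesk":
            continue
        t0 = _when(reset)
        saw_mfa = saw_new_device = False
        for later in events[i + 1:]:
            if _when(later) - t0 > window:
                break  # events are sorted, nothing further can be inside the window
            if later["user"] != reset["user"]:
                continue
            if later["event"] == "mfa_enrolled":
                saw_mfa = True
            elif later["event"] == "login" and later["source"] == "new_device":
                saw_new_device = True
        if saw_mfa and saw_new_device:
            flagged.append((reset["user"], reset["ts"]))
    return flagged


if __name__ == "__main__":
    for user, ts in suspicious_reset_chains(SAMPLE_EVENTS):
        print(f"review help-desk reset for {user} at {ts}")
```

A hit should trigger a callback to the employee through a pre-registered channel and a review of the help-desk ticket, which is the "verify every help-desk identity request" control Cragle refers to.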

Kirsten Doyle
Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
