Hacking group Scattered Spider linked to M&S cyber attack

The recent cyberattack that crippled Marks & Spencer (M&S), forcing the retailer to halt online sales and disrupting store operations, has been linked to the notorious hacking group Scattered Spider.
Sources indicate that the attack, which disrupted contactless payments, click-and-collect orders and online deliveries, bears the hallmarks of Scattered Spider. While not officially confirmed, the nature of the disruption suggests a ransomware attack.
Reports indicate that the hackers may have initially infiltrated M&S systems as early as February, allegedly stealing the Windows domain’s NTDS.dit file. This file holds the domain’s password hashes, which, if cracked, could give attackers the passwords they need to move through the network. The attackers reportedly deployed the DragonForce encryptor against M&S’s virtual machines on April 24th.
Scattered Spider is characterized as a fluid collective of individuals, rather than a tightly organized group, making their actions difficult to track. The group has been implicated in high-profile cyberattacks, including the 2023 MGM Resorts breach. It is best known for its advanced social engineering techniques and is believed to consist of members primarily based in the US and Western Europe.
The cyberattack has caused significant turmoil for the retailer, leading to substantial financial losses and operational disruptions. Cybersecurity experts assisting M&S in the investigation have focused on Scattered Spider due to the group’s known tactics, although the use of DragonForce, a “ransomware as a service” tool, complicates definitive attribution.
Says Nathaniel Jones, VP of Security & AI Strategy at Darktrace:
“The alleged confirmation that Scattered Spider is behind the M&S attack via the DragonForce encryptor highlights the sophisticated threat this group poses to major organisations. Their approach is dangerous – they are thought to be native-English speakers who don’t just exploit technical vulnerabilities but manipulate people, especially IT help desks, through phishing, Multi Factor Authentication (MFA) bombing, and SIM swapping to gain access.
“From the outside looking in, it appears M&S is looking to contain any malicious activity by taking likely impacted systems offline. Unfortunately, we can see how quickly these incidents can cripple retail operations across both digital and physical channels, with the suspension of online orders showing the cascading impact on revenue streams.
“Resilience is on display here, as M&S will come back online with sustained crisis management support from both NCSC and NCA. This incident highlights why cybersecurity must be a fundamental business priority, not just an IT concern – especially when defending against social engineering tactics that bypass traditional security measures.”