UK-based Scattered Spider hackers turning attention to US retailers

UK-Based members of hacking group Scattered Spider are expanding cyber-attack operations to target US retailers, according to Google.

This follows a series of attacks on prominent British retailers, including Marks & Spencer, the Co-op, and Harrods.

Google cybersecurity experts are warning that US retailers are now in the crosshairs. Charles Carmakal, the chief technology officer at Google’s Mandiant cybersecurity unit, stated that this shift in focus is typical of Scattered Spider:

“They tend to focus on a particular industry sector and geography for a few weeks and then they move on to something else. And right now, they’re focused on retail organisations,” he told The Guardian. “They start in the UK, and now they’ve shifted to US organisations.”

When asked about the involvement of UK-based members in attacks on retailers like M&S, Carmakal confirmed, “Without specifically naming who the victims are I will say broadly Scattered Spider members in the UK are facilitating and contributing to intrusions.”

Scattered Spider’s tactics have prompted the UK’s National Cyber Security Agency to issue warnings to businesses, urging them to review their IT help desk procedures, particularly regarding password resets.

The group is known for contacting IT help desks, impersonating employees or contractors, and deceiving staff into providing access to company systems.

Carmakal revealed that younger members of the Scattered Spider network often carry out these phone calls, stating: “It’s not always the [threat] actors themselves … that are actually making the phone calls. They outsource some of that work to other members of the broader community, generally younger individuals who aggregate on Telegram and Discord and want to make a few hundred bucks.”

Scattered Spider stands out from other ransomware groups, which typically originate from Russia or former Soviet states, due to its members being native English speakers from countries like the UK, US, and Canada.

Carmakal described listening to “countless calls” made by these hackers to company employees, during which they engage in “extorting them, or trying to convince somebody to provide credentials or harassing somebody.”

This increased activity targeting US retailers was further emphasized by John Hultquist, the chief analyst at Google Threat Intelligence Group, who stated: “The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to … Scattered Spider… US retailers should take note.”