Scattered Spider appears to be the name on every security practitioner’s mind right now after reports linked the cyber criminal group to the M&S cyber attack.
The high street retailer has been battling a ‘cyber incident’ for well over a week, with an attack severely disrupting systems and forcing it to suspend online sales. Exact details on the attack remain scarce, but reports from BleepingComputer suggest Scattered Spider is enemy number one.
Adding more fuel to the fire, we now have similar incidents - albeit on what appear to be a less extreme scale - at two more high street retailers, the Cooperative Group and luxury department store Harrods.
There’s currently no evidence linking the group to these particular attacks, but speculation is still rife online regardless.
But what makes Scattered Spider such a formidable adversary for security teams?
Scattered Spider on the rise
Scattered Spider has rapidly emerged as a highly aggressive cyber criminal group, and has claimed responsibility for attacks on a flurry of organizations globally.
In late 2023, the group brought MGM Resorts to its knees in a ransomware attack, stealing customer’s personal information and costing the hotel and casino group an estimated $100 million in damages.
Naturally, this incident prompted a global manhunt for those involved in the group, which appeared to culminate in November 2024 when US prosecutors charged five people accused of involvement in its activities.
This included five Americans and one Scot, which didn’t exactly paint a familiar picture considering headline-grabbing arrests in recent years have frequently involved Russian nationals, for example.
But it’s this that makes the group somewhat tricky to pin down, according to Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf.
Hostetler described Scattered Spider as a ‘geographically diverse and loosely knit group of threat actors” involved in ransomware and other financially-motivated cyber crime activities.
“Some people affiliated with the group refer to themselves as ‘the Comm’, and researchers have labeled them with names such as UNC3944, Scatter Swine, and Muddled Libra,” he said.
“They are known to participate in ransomware attacks using a handful of well-documented tactics and have demonstrated proficiency with cloud-hosted infrastructure.”
Adding to the potency of the group is the fact that ‘the Comm’ is believed to include affiliates of other ransomware gangs, according to Hostetler, such as BlackCat/ALPHV and the LAPSUS$ group.
How Scattered Spider operates
The group is known to primarily target organizations with social engineering techniques, according to Jake Moore, Global Cybersecurity Advisor at ESET.
“Scattered Spider has been linked to dozens of attacks over the last few years targeting all sectors,” he explained. “Their tactics often target the human element of an attack including social engineering and SIM swapping attacks before deploying ransomware on a target device.”
Hostetler noted their “favored technique” is phishing. This often involves creating bogus login pages that closely mimic corporate sign-in portals, for example.
Additionally, the group has been known to create fake domains on targeted brands - again this is used as a means to dupe unsuspecting users and give them an opportunity to break through an organization’s defenses.
“They’ve also been known to steal credentials via SMS phishing operations and pose as fake IT staff, in a bid to gain access to – and wreak havoc in – victim organizations,” Hostetler added.
MORE FROM ITPRO
- The new ransomware groups worrying security pros in 2025
- Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
- Building ransomware resilience to avoid paying out
-
Microsoft’s huge AI spending still has investors sweating despite solid cloud growthNews Capital spending at Microsoft continues to surge, despite previous claims it would cool down
-
Lenovo Yoga Tab 11.1in reviewReviews A small tablet for taking notes, or an aid for presentations, the Yoga Tab is an affordable yet innovative little slab of technology
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber professionals are losing sleep over late night attacksNews Hackers are biding their time and launching attacks when businesses can’t respond
-
Hackers behind Jaguar Land Rover announce their 'retirement' – should we believe them?News Is this really the end for Scattered Lapsus$ Hunters?
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
