Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
The Scattered Spider group has been highly active in recent years
Scattered Spider appears to be the name on every security practitioner’s mind right now after reports linked the cyber criminal group to the M&S cyber attack.
The high street retailer has been battling a ‘cyber incident’ for well over a week, with an attack severely disrupting systems and forcing it to suspend online sales. Exact details on the attack remain scarce, but reports from BleepingComputer suggest Scattered Spider is enemy number one.
Adding more fuel to the fire, we now have similar incidents - albeit on what appear to be a less extreme scale - at two more high street retailers, the Cooperative Group and luxury department store Harrods.
There’s currently no evidence linking the group to these particular attacks, but speculation is still rife online regardless.
But what makes Scattered Spider such a formidable adversary for security teams?
Scattered Spider on the rise
Scattered Spider has rapidly emerged as a highly aggressive cyber criminal group, and has claimed responsibility for attacks on a flurry of organizations globally.
In late 2023, the group brought MGM Resorts to its knees in a ransomware attack, stealing customer’s personal information and costing the hotel and casino group an estimated $100 million in damages.
Naturally, this incident prompted a global manhunt for those involved in the group, which appeared to culminate in November 2024 when US prosecutors charged five people accused of involvement in its activities.
This included five Americans and one Scot, which didn’t exactly paint a familiar picture considering headline-grabbing arrests in recent years have frequently involved Russian nationals, for example.
But it’s this that makes the group somewhat tricky to pin down, according to Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf.
Hostetler described Scattered Spider as a ‘geographically diverse and loosely knit group of threat actors” involved in ransomware and other financially-motivated cyber crime activities.
“Some people affiliated with the group refer to themselves as ‘the Comm’, and researchers have labeled them with names such as UNC3944, Scatter Swine, and Muddled Libra,” he said.
“They are known to participate in ransomware attacks using a handful of well-documented tactics and have demonstrated proficiency with cloud-hosted infrastructure.”
Adding to the potency of the group is the fact that ‘the Comm’ is believed to include affiliates of other ransomware gangs, according to Hostetler, such as BlackCat/ALPHV and the LAPSUS$ group.
How Scattered Spider operates
The group is known to primarily target organizations with social engineering techniques, according to Jake Moore, Global Cybersecurity Advisor at ESET.
“Scattered Spider has been linked to dozens of attacks over the last few years targeting all sectors,” he explained. “Their tactics often target the human element of an attack including social engineering and SIM swapping attacks before deploying ransomware on a target device.”
Hostetler noted their “favored technique” is phishing. This often involves creating bogus login pages that closely mimic corporate sign-in portals, for example.
Additionally, the group has been known to create fake domains on targeted brands - again this is used as a means to dupe unsuspecting users and give them an opportunity to break through an organization’s defenses.
“They’ve also been known to steal credentials via SMS phishing operations and pose as fake IT staff, in a bid to gain access to – and wreak havoc in – victim organizations,” Hostetler added.
MORE FROM ITPRO
- The new ransomware groups worrying security pros in 2025
- Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
- Building ransomware resilience to avoid paying out
-
Everpure wants you to get your data AI-readyNews With enterprises facing recurring data readiness issues, Everpure wants to streamline the process and deliver AI success
-
Everpure continues data management pivot with new Data Intelligence platform launchNews The move by Everpure aims to help enterprises maximize the use of AI-ready data and break down silos
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Brit pleads guilty amid Scattered Spider hacking spree claimsNews Tyler Robert Buchanan faces 10 years in jail if found guilty
-
Security leaders overconfident about ransomware recovery
News Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
