Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?

The Scattered Spider group has been highly active in recent years

Scattered Spider concept image showing digitized spider on a computer screen.
(Image credit: Getty Images)

Scattered Spider appears to be the name on every security practitioner’s mind right now after reports linked the cyber criminal group to the M&S cyber attack.

The high street retailer has been battling a ‘cyber incident’ for well over a week, with an attack severely disrupting systems and forcing it to suspend online sales. Exact details on the attack remain scarce, but reports from BleepingComputer suggest Scattered Spider is enemy number one.

Adding more fuel to the fire, we now have similar incidents - albeit on what appear to be a less extreme scale - at two more high street retailers, the Cooperative Group and luxury department store Harrods.

There’s currently no evidence linking the group to these particular attacks, but speculation is still rife online regardless.

But what makes Scattered Spider such a formidable adversary for security teams?

Scattered Spider on the rise

Scattered Spider has rapidly emerged as a highly aggressive cyber criminal group, and has claimed responsibility for attacks on a flurry of organizations globally.

In late 2023, the group brought MGM Resorts to its knees in a ransomware attack, stealing customer’s personal information and costing the hotel and casino group an estimated $100 million in damages.

Naturally, this incident prompted a global manhunt for those involved in the group, which appeared to culminate in November 2024 when US prosecutors charged five people accused of involvement in its activities.

This included five Americans and one Scot, which didn’t exactly paint a familiar picture considering headline-grabbing arrests in recent years have frequently involved Russian nationals, for example.

But it’s this that makes the group somewhat tricky to pin down, according to Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf.

Hostetler described Scattered Spider as a ‘geographically diverse and loosely knit group of threat actors” involved in ransomware and other financially-motivated cyber crime activities.

“Some people affiliated with the group refer to themselves as ‘the Comm’, and researchers have labeled them with names such as UNC3944, Scatter Swine, and Muddled Libra,” he said.

“They are known to participate in ransomware attacks using a handful of well-documented tactics and have demonstrated proficiency with cloud-hosted infrastructure.”

Adding to the potency of the group is the fact that ‘the Comm’ is believed to include affiliates of other ransomware gangs, according to Hostetler, such as BlackCat/ALPHV and the LAPSUS$ group.

How Scattered Spider operates

The group is known to primarily target organizations with social engineering techniques, according to Jake Moore, Global Cybersecurity Advisor at ESET.

“Scattered Spider has been linked to dozens of attacks over the last few years targeting all sectors,” he explained. “Their tactics often target the human element of an attack including social engineering and SIM swapping attacks before deploying ransomware on a target device.”

Hostetler noted their “favored technique” is phishing. This often involves creating bogus login pages that closely mimic corporate sign-in portals, for example.

Additionally, the group has been known to create fake domains on targeted brands - again this is used as a means to dupe unsuspecting users and give them an opportunity to break through an organization’s defenses.

“They’ve also been known to steal credentials via SMS phishing operations and pose as fake IT staff, in a bid to gain access to – and wreak havoc in – victim organizations,” Hostetler added.

MORE FROM ITPRO

TOPICS
Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.