How CISOs can defend against Scattered Spider ransomware attacks

Britain’s Marks & Spencer suffered a cyber attack in late April that disrupted the high-end retailer’s business and is expected to cost the company more than $400 million.
That attack was followed by similar incidents at two other iconic British retailers, Harrods and the Co-op, which drew widespread news coverage and raised concerns among consumers across the UK as shelves sat empty and online ordering was halted.
All three incidents are attributed to a loosely organized group of young, English-speaking hackers known as Scattered Spider, also tracked as UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest and 0ktapus.
Earlier this month, Google warned that Scattered Spider would bring its high-profile retail attacks to the United States. Experts say the group is targeting top US organizations, and CISOs should prepare now for how their organizations will deal with this aggressive hacking crew.
“You need to make the plan before you get punched in the face,” Kristopher Russo, principal threat researcher at Palo Alto Networks, told CSO. “Make sure you are practicing, so that when it happens, you’re fine.”
Who is Scattered Spider?
Scattered Spider is considered part of a wider community of young cybercriminals, although these groups are difficult to pin down. They are best known in the US for their bold 2023 ransomware attacks on two Las Vegas casino owners, MGM Resorts and Caesars Entertainment.
In the latest round of attacks, they teamed up with the powerful ransomware actor DragonForce. Despite its posture as a pro-Palestine hacktivist group, DragonForce may be one of the cybercrime organizations that the Kremlin allows by default to operate from Russia.
DragonForce recently announced a rebranding as a “cartel”, including warnings against attacking targets in the Commonwealth of Independent States, a group of 10 countries centered on Russia and the former Soviet republics. The rival gang RansomHub accused DragonForce of working with Russia’s FSB intelligence service.
“They’re likely to lean towards the Russian affiliate model, so they’re just renting tools and infrastructure,” Mike Hamilton, field CISO at Lumifi Cyber, told CSO. “It gives them a lot of advantages.”
But even though it is clear that Scattered Spider is deploying DragonForce malware, the relationship between DragonForce and Scattered Spider remains vague. Huntress’s lead threat intelligence analyst Greg Linares told CSO that the relationship is “one of the million-dollar questions. We know they are using DragonForce. But is it an affiliate? Is it paid? Or is it a false flag?”
Either way, “I think it’s really important to take DragonForce seriously as a very serious ransomware group,” Zach Edwards, senior threat researcher at Silent Push, told CSO. “They will be considered a top [ransomware group] because their software is good; it does what it says effectively.”
A major shift to social engineering
Many Scattered Spider members have been arrested and even convicted over the past two years, including a prominent member known as “King Bob,” who was arrested in early 2024 and later pleaded guilty to the charges against him. At the end of 2024, six other Scattered Spider members were arrested.
Because of these enforcement actions, the group appeared to have ceased operations by early 2025. “For us, around November and December of last year, we saw their infrastructure go silent,” Edwards said. “Their phishing pages were no longer being created. But in early 2025, we picked up their phishing kits targeting various brands again.”
Experts say that, in addition to aligning with DragonForce, Scattered Spider has also shifted its preferred intrusion model from phishing to direct social engineering of target organizations.
“The recent UK campaign is a shift in their tactics,” Edwards said. “What we’re seeing now is zero phishing kits.”
The group has even used SIM swaps to pose as a legitimate employee seeking a password reset. “We know they have SIM card swap capability,” Linares said. The Harrods attack is attributed to a SIM card swap. “We know that they are likely working with individuals who work at an ISP or provider and help them get that information.”
“What they usually do is pretend to be a legitimate employee of the company,” Austin Larsen, principal threat analyst at Google Mandiant, said in a webinar on UNC3944. “Generally, they will come into these calls and go into these help desks with a lot of information about their target users.”
He added: “They are able to provide the Social Security numbers, addresses, or other personal information of their target users. Given that the actors often come into these calls well prepared, detecting some of these attacks is a challenge for the help desk.”
Focus on human factors as the first line of defense
Given Scattered Spider’s striking success with social engineering in the UK, experts say CISOs should first focus on their organization’s softest target: the help desk staff and employees the hackers seek to manipulate.
“They know how a help desk works,” Hamilton said. “They do a lot of research, and they will get enough information about the user to be able to impersonate that user to the help desk and then get the password reset.”
“What makes this group different is that their attack style is not technically complex,” said Russo of Palo Alto. “These are not zero-day vulnerabilities.”
CISOs should put a program in place for help desk staff to report suspicious password-reset calls and train them to end those conversations as soon as possible.
“What CISOs need to do is make sure their humans are ready for this attack, make sure they have these red flags, so that when a line is crossed in a phone call or a conversation, it ends,” Russo said. “If there’s an identity issue when they’re talking to someone, if there’s any slip, if anything is missing, that’s a red flag: ‘You know what? I need to contact your manager and verify this.’”
However, the help desk is not the only group that needs education. Experts say all employees should be aware of the group’s social engineering tactics.
“They pose as employees to the help desk, but they can also pose as the help desk when they call employees,” said Linares of Huntress. “Both ways work. I’ve seen the attack happen where they call employees: ‘Hey, we’ve seen an alert on your machine; we need to log in or access that alert. Please run this script and this tool so we can get in remotely.’”
In these cases, speed is essential. “Don’t give them a chance to continue manipulating your employees, because the longer they can keep someone on the phone or online, the more likely they are to successfully subvert your processes and procedures,” Russo said.
Detecting hackers is a must
Unfortunately, skilled Scattered Spider hackers can get past even the best-prepared help desk workers. Experts say CISOs should therefore have detection and tracking mechanisms in place to spot intruders once they gain access.
“How do they handle these legitimate user credentials?” Google’s Larsen asked. “They usually start by looking at internal documents from the victim organization.”
But after this stage, they move very quickly through the organization’s assets. “Once they get in with any valid credentials they have or any valid credentials they can find, we see them establishing persistence quickly and extensively, which makes remediation even more difficult for victims,” Larsen said. “So an investigation using an EDR tool or solution is needed.”
“If we can block it, that’s ideal, but it has to be detected,” Russo said. “If they get in there, we need to detect them. Look for users doing things they don’t normally do. So, for example, a user authenticates to the network and then starts looking at all the data stores in a big sequence. Well, that’s not normal for that user. We need to detect that.”
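The behavior Russo describes, a valid account that authenticates and then walks through far more data stores than it ever has before, can be caught with a simple per-user baseline. The script below is an added example, not code from the article or from any vendor quoted in it: it assumes a constructed space-separated log of LOGIN and ACCESS events (the format, the one-hour session window and the thresholds are all assumptions), builds each user’s history of distinct data stores touched per login session, and flags a session whose distinct count is both above an absolute floor and more than double the user’s previous maximum.

```python
"""Flag accounts that, shortly after authenticating, enumerate far more distinct
data stores than they normally do. Added example; log format, session window
and thresholds are assumptions, not a product's or the article's own logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO time> <user> <event> <resource>".
# LOGIN events carry '-' as the resource; ACCESS events name a data store.
# alice normally touches one or two HR shares; her fourth session sweeps six stores.
SAMPLE_LOG = """\
2025-05-01T09:00:00 alice LOGIN -
2025-05-01T09:05:00 alice ACCESS share_hr
2025-05-01T09:40:00 alice ACCESS share_hr
2025-05-02T09:00:00 alice LOGIN -
2025-05-02T09:10:00 alice ACCESS share_hr
2025-05-02T09:30:00 alice ACCESS wiki_hr
2025-05-03T09:00:00 alice LOGIN -
2025-05-03T09:12:00 alice ACCESS share_hr
2025-05-04T22:00:00 alice LOGIN -
2025-05-04T22:01:00 alice ACCESS share_finance
2025-05-04T22:02:00 alice ACCESS share_legal
2025-05-04T22:03:00 alice ACCESS share_engineering
2025-05-04T22:04:00 alice ACCESS backup_vault
2025-05-04T22:05:00 alice ACCESS share_hr
2025-05-04T22:06:00 alice ACCESS sharepoint_exec
2025-05-01T10:00:00 bob LOGIN -
2025-05-01T10:05:00 bob ACCESS share_engineering
2025-05-02T10:00:00 bob LOGIN -
2025-05-02T10:05:00 bob ACCESS share_engineering
2025-05-04T10:00:00 bob LOGIN -
2025-05-04T10:05:00 bob ACCESS share_engineering
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, event, resource), ordered per user by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, event, resource))
    events.sort(key=lambda e: (e[1], e[0]))
    return events


def build_sessions(events, window):
    """Group ACCESS events under the LOGIN that precedes them, within `window`."""
    sessions = defaultdict(list)   # user -> [(login_time, set_of_resources), ...]
    current = {}                   # user -> the session currently open
    for ts, user, event, resource in events:
        if event == "LOGIN":
            current[user] = (ts, set())
            sessions[user].append(current[user])
        elif event == "ACCESS" and user in current:
            login_ts, resources = current[user]
            if ts - login_ts <= window:
                resources.add(resource)
    return sessions


def detect_anomalous_enumeration(log_text, window=timedelta(hours=1),
                                 min_distinct=4, ratio=2.0):
    """Return alerts for sessions touching >= min_distinct stores and more than
    `ratio` times the user's previous per-session maximum (assumed thresholds)."""
    alerts = []
    for user, user_sessions in build_sessions(parse_log(log_text), window).items():
        seen_before = set()   # every store this user has touched in earlier sessions
        baseline_max = 0      # largest distinct-store count in earlier sessions
        for login_ts, resources in user_sessions:   # chronological per user
            count = len(resources)
            if count >= min_distinct and count > ratio * max(baseline_max, 1):
                alerts.append({
                    "user": user,
                    "login_time": login_ts.isoformat(),
                    "distinct_count": count,
                    "baseline_max": baseline_max,
                    "new_resources": sorted(resources - seen_before),
                })
            seen_before |= resources
            baseline_max = max(baseline_max, count)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalous_enumeration(SAMPLE_LOG):
        print(f"ALERT {alert['user']} at {alert['login_time']}: "
              f"{alert['distinct_count']} distinct stores (baseline max "
              f"{alert['baseline_max']}); never seen before: {alert['new_resources']}")
```

The ratio test keeps a user whose job already spans many shares from tripping the rule on a normal day, while the absolute floor stops a brand-new account with an empty baseline from alerting on its first two file opens; the list of never-before-seen stores is what an analyst would hand to the EDR investigation Larsen calls for. In a real deployment the baseline would be computed over a longer history than a single session list, and the thresholds tuned per role.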
Don’t pay the ransom
When Scattered Spider hacked the two casino operators in 2023, Caesars appears to have emerged relatively unscathed after paying the $15 million ransom demand, while MGM Resorts, which did not pay the ransom, paid $145 million in fees and class-action settlements, among other expenses.
However, experts say that despite these examples, paying a Scattered Spider ransom is a bad idea even if files have been successfully encrypted and valuable data stolen.
“We know that paying the ransom just encourages them,” said Hamilton of Lumifi. “It gives them money to keep doing their jobs.”
In addition, “recovering from backups is usually faster,” he added. “If you have good controls, there are immutable backups, and there are procedures, and you know exactly the order in which to restore things, you can execute that faster than you can use a decryption key, and the key doesn’t work properly many times.”
“If you pay this ransom, they can still absolutely put all your data on the internet, because they are kids and they are outrageous individuals,” said Edwards of Silent Push. “The decryption key may not work properly. Paying the fee is absolutely no guarantee that data will not be leaked. This is by no means guaranteed.”