Hackers behind UK Retail Attacks Now Targeting US Companies
Google has warned that hackers using the Scattered Spider tactics against retail chains in the United Kingdom have also started targeting retailers in the United States. The threat actors, known as Octo Tempest and DragonForce, have been linked to a long list of high-profile attacks on major companies worldwide.
"The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider," said John Hultquist, Chief Analyst at Google Threat Intelligence Group. "We anticipate they will continue to target the sector in the near term. US retailers should take note."
Last month, British retail giant Marks & Spencer (M&S) was breached in a ransomware attack where threat actors encrypted virtual machines on VMware ESXi hosts with a DragonForce encryptor. This attack was attributed to Octo Tempest, Microsoft's name for Scattered Spider.
Co-op also experienced a cyber incident, confirming that attackers stole data from a large number of current and former members. Harrods disclosed on May 1st that it was forced to restrict internet access to sites after attackers tried to infiltrate its network, suggesting an active response to a cyberattack even though a breach has yet to be confirmed.
The DragonForce ransomware operation has claimed all three attacks, and BleepingComputer has learned that the attackers who orchestrated them have used the same social engineering tactics linked to Scattered Spider threat actors.
Scattered Spider: A Loose Collective of Threat Actors
Scattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is a term used to describe a fluid collective of threat actors known for breaching many high-profile organizations worldwide in sophisticated social engineering attacks that also involve phishing, SIM swapping, and multi-factor authentication (MFA) bombing (also known as targeted MFA fatigue).
Their attacks escalated in September 2023 when they breached MGM Resorts, using the BlackCat ransomware to encrypt over 100 VMware ESXi hypervisors after breaching the network by impersonating an employee when calling the IT help desk.
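The MFA bombing mentioned above has a recognisable signature in authentication logs: a burst of push prompts to one account, several denials, and then an approval. The following detector is an added example written for this article, not code from Google, BleepingComputer, or any MFA vendor. The log format, the user names, and the thresholds are constructed assumptions; a real deployment would map them to the identity provider's own push-notification events.

```python
"""Detect MFA push bombing (targeted MFA fatigue) in authentication logs.

Added example for illustration only. The log format below is constructed:
one event per line with an ISO-8601 timestamp, a user name, the event type,
and the push result (sent / denied / approved).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice gets one prompt and approves it (normal).
# bob receives a burst of prompts, denies two, and then approves one, which
# is the outcome an MFA-fatigue campaign is trying to produce.
SAMPLE_LOG = """\
2025-05-15T08:00:01Z alice mfa_push sent
2025-05-15T08:00:20Z alice mfa_push approved
2025-05-15T08:12:00Z bob mfa_push sent
2025-05-15T08:12:09Z bob mfa_push denied
2025-05-15T08:12:40Z bob mfa_push sent
2025-05-15T08:12:55Z bob mfa_push denied
2025-05-15T08:13:10Z bob mfa_push sent
2025-05-15T08:13:30Z bob mfa_push sent
2025-05-15T08:14:05Z bob mfa_push sent
2025-05-15T08:14:40Z bob mfa_push approved
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def find_push_bombing(log_text, window=timedelta(minutes=10), max_pushes=3):
    """Return {user: finding} for every user who received more than
    `max_pushes` push prompts inside any sliding window of length `window`.

    Each finding records the peak number of prompts in the window, how many
    the user denied, and whether an approval followed at least one denial
    (the pattern that should page an analyst, since the account may now be
    compromised rather than merely harassed).
    """
    events = defaultdict(list)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, user, event, result = parse_line(raw)
        if event == "mfa_push":
            events[user].append((ts, result))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        sent = [ts for ts, r in evs if r == "sent"]
        # Two-pointer sliding window over the sorted "sent" timestamps.
        start, peak = 0, 0
        for end in range(len(sent)):
            while sent[end] - sent[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_pushes:
            denials = sum(1 for _, r in evs if r == "denied")
            first_denial = next((ts for ts, r in evs if r == "denied"), None)
            approved_after = first_denial is not None and any(
                r == "approved" and ts > first_denial for ts, r in evs
            )
            findings[user] = {
                "pushes_in_window": peak,
                "denials": denials,
                "approved_after_denials": approved_after,
            }
    return findings


if __name__ == "__main__":
    for user, f in find_push_bombing(SAMPLE_LOG).items():
        print(user, f)
```

The threshold of three prompts in ten minutes is a deliberately low starting point for a constructed log; tune it against a baseline of legitimate prompt volume before alerting on it. The `approved_after_denials` flag is the part worth routing to incident response, since a denial followed by an approval is exactly the fatigue outcome the attacker is waiting for, and the usual mitigation is number matching or another prompt-binding control rather than relying on the user to keep declining.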
Since then, they've also acted as affiliates for various other ransomware operations, including RansomHub, Qilin, and, now, DragonForce. Other attacks linked to Scattered Spider include those on Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.
Some Scattered Spider threat actors are also believed to be part of the "Com," a loosely connected community involved in cyberattacks and violent acts that have often attracted media attention. These cybercriminals are as young as 16, and most are English speakers who frequent the same Telegram channels, Discord servers, and hacker forums where they plan and conduct their attacks in real time.
US Retailers on High Alert
"These actors are aggressive, creative, and particularly effective at circumventing mature security programs. They have had a lot of success with social engineering and leveraging third parties to gain entry to their targets," Hultquist told BleepingComputer today.
US retailers should take note of the warning from Google Threat Intelligence Group and strengthen their cybersecurity defenses to prevent potential attacks. The UK National Cyber Security Centre (NCSC) has published guidance to help UK organizations strengthen their cybersecurity defenses, and US companies may also benefit from reviewing these resources.
Fighting Back Against Scattered Spider
To learn more about Scattered Spider tactics and how to harden your defenses, you can review our previous reporting and a new CTM360 report.