Google on Thursday warned that the hacking group behind the recent cyberattacks on high-street UK retailers is now turning to US companies.
“Shields up US retailers. They’re here,” John Hultquist, chief analyst at Google Threat Intelligence Group, said on X (formerly Twitter).
Hultquist pointed to a May 7 Mandiant blog post detailing the activities of UNC3944, also known as Scattered Spider, which relies on social engineering, SIM swapping, ransomware deployment, and extortion in attacks against high-profile targets across a broad range of industries.
“We have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024,” Mandiant said.
Mandiant shared its observations of Scattered Spider tactics, techniques, and procedures (TTPs) shortly after the DragonForce ransomware group claimed the attacks on UK retailers Co-op, Harrods, and Marks & Spencer (M&S). This week, M&S confirmed that customer data was stolen in the attack.
Various reports have attributed the attacks to the Scattered Spider extortion group, and Mandiant noted that DragonForce recently claimed control of the RansomHub ransomware-as-a-service (RaaS), and that Scattered Spider was a RansomHub affiliate in 2024.
The cybersecurity company also warned that financially motivated groups, including UNC3944, likely view retailers as attractive targets, due to the large amount of personally identifiable information (PII) and financial data they possess.
“Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions,” Mandiant said.
Responding to a SecurityWeek inquiry, Google said it is not attributing the cyberattacks against the UK retailers to Scattered Spider or DragonForce, but believes that the same hacking group is now targeting the US retail sector and that the attacks will continue for the near future.
“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” Hultquist said.
“These actors are aggressive, creative, and particularly effective at circumventing mature security programs. They have had a lot of success with social engineering and leveraging third parties to gain entry to their targets. Mandiant has provided a hardening guide based on our experience with more details on their tactics and steps organizations can take to defend themselves,” he continued.
“There’s an obvious theme of targeting retailers and this latest activity is a clear sign of additional possible attacks against the sector. The opportunity for other retailers to put their shields up is now,” Hultquist said.
Mandiant CTO Charles Carmakal said that fewer than 10 US retailers have been targeted, and that some of the victims have proactively taken their systems offline to contain the intrusions, albeit at the expense of their own operations.
“We can confirm this group has targeted multiple retail organizations in the US, mostly by calling help desks to reset passwords. This group is resourceful and fast, making it challenging for defenders to keep up,” Carmakal told SecurityWeek.
*Updated with additional information from GTIG and Mandiant.