A cybercrime gang believed to be responsible for three recent cyberattacks on U.K. retailers has turned its attention toward the U.S. and has compromised multiple targets in the sector, according to researchers from Google Threat Intelligence Group and Google subsidiary Mandiant.
Researchers said the same threat actors linked to attacks against U.K. companies are now using well-crafted social engineering techniques against U.S. retail companies.
The threat group, tracked as UNC3944 or Scattered Spider, is widely considered the prime suspect in the attacks on British firms Harrods, Co-op and M&S, but Mandiant and Google have not formally attributed the intrusions to any specific actor.
Researchers said, however, that the hackers behind the U.S. attacks share the same techniques and procedures as the intruders in the U.K. incidents.
“The actor, which has reportedly targeted retail in the U.K. following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note,” said John Hultquist, chief analyst of Google’s Threat Intelligence Group, in a statement.
Hultquist on Wednesday warned retailers in a post on X to prepare themselves for attacks by the threat group.
Google researchers said a lack of visibility into the U.K. incidents — which are being investigated by a different incident response firm — is preventing them from making a formal attribution in those cases. Earlier this month, Mandiant released guidance on how to harden network systems against known Scattered Spider techniques, but cautioned they are not making any formal link to the U.K. attacks.
Officials from Kroll confirmed they currently are responding to companies that have been targeted using the same techniques.
“Kroll is actively working with clients in the retail sector to defend against attacks that match patterns of activity and indicators that match the actor we track as KTA243 (aka Scattered Spider, Oktapus),” said Keith Wojcieszek, managing director of global threat intelligence, via email.
Scattered Spider rose to fame in recent years largely due to successful social-engineering attacks against high-profile targets, including MGM Resorts in Las Vegas. Scattered Spider is mainly composed of young, male, English-speaking hackers from the U.S. and U.K. who have perfected a technique of using deceptive phishing attacks to breach corporate computer networks.
Charles Carmakal, CTO of Mandiant Consulting, confirmed to Cybersecurity Dive that the actors suspected in the U.S. attacks are calling help desks to trick workers into resetting passwords. Hultquist said some of these attacks have been successful but declined to provide specific details about targeted organizations.
The Retail & Hospitality ISAC, a threat information sharing group, said it was aware of the threats related to Scattered Spider but was unable to share specifics.
“We are tracking these incidents and publishing updates and guidance for our member companies, as well as collaborating with Google on a threat briefing,” Pam Lindemoen, chief security officer at RH-ISAC, told Cybersecurity Dive.
The U.K. attacks have resulted in considerable disruption. M&S earlier this week confirmed that customer data was stolen in that attack, though it cautioned that payment-card information was masked and not usable.
Co-op on Wednesday said hackers launched sustained attempts to crack its systems and gained access to customer data, with the resulting attack leading to major inventory shortages at many of its 2,300 grocery locations. Co-op is beginning to restore its computer systems in a controlled manner and plans to distribute fresh produce and chilled and frozen foods this weekend in order to refill store shelves that have seen limited supplies since earlier this month.
Attributing the attacks to Scattered Spider has been difficult, in part because the three retailers have provided limited information about how the attacks took place. U.K. authorities have been working with them to learn more about how the hackers gained access.
The ransomware-as-a-service group DragonForce has claimed credit for the U.K. attacks, adding another layer of difficulty to the attribution process. DragonForce provides encryption tooling and a dark-web site for attacks that contracted hackers carry out, according to GuidePoint Security.