A cybercrime gang believed to be responsible for three attacks on U.K. retailers in recent weeks has turned its attention toward the U.S. and has been able to compromise multiple targets in the retail sector, according to researchers from Google Threat Intelligence Group and Google subsidiary Mandiant.
Researchers said the same threat actors linked to attacks against U.K. companies are now using well-crafted social engineering techniques against U.S. retail companies.
The threat group, tracked as UNC3944 or Scattered Spider, is widely considered the prime suspect in the attacks on British firms Harrods, Co-op and M&S, but Mandiant and Google have not formally attributed the intrusions to any specific actor. Researchers said, however, that the hackers behind the U.S. attacks share the same techniques and procedures as the intruders in the British incidents.
“The actor, which has reportedly targeted retail in the U.K. following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note,” said John Hultquist, chief analyst of Google’s Threat Intelligence Group, in a statement.
Hultquist on Wednesday warned retailers in a post on X to prepare for attacks by the threat group.
Google researchers said a lack of visibility into the U.K. incidents — which are being investigated by a different incident response firm — is preventing them from making a formal attribution in those cases. Earlier this month, Mandiant released guidance on how to harden network systems against known Scattered Spider techniques, but cautioned that it was not making any formal link to the U.K. attacks.
Officials from Kroll confirmed they currently are responding to companies that have been targeted using the same techniques.
“Kroll is actively working with clients in the retail sector to defend against attacks that match patterns of activity and indicators that match the actor we track as KTA243 (aka Scattered Spider, Oktapus),” said Keith Wojcieszek, managing director of global threat intelligence, via email.
Scattered Spider rose to prominence in recent years largely because of successful social-engineering attacks against high-profile targets, including MGM Resorts in Las Vegas. The group is composed mainly of young, male, English-speaking hackers from the U.S. and U.K. who have refined a technique of using deceptive phishing attacks to breach corporate computer networks.
The U.S. Department of Justice charged five people linked to the group last November, though that prosecution was unrelated to the casino attacks. Authorities extradited one of the group’s alleged leaders, a British citizen, to the U.S. from Spain.
Charles Carmakal, CTO of Mandiant Consulting, confirmed to Cybersecurity Dive that the actors suspected in the U.S. attacks are calling help desks to trick workers into resetting passwords. Hultquist said some of these attacks have been successful but declined to provide specific details about targeted organizations.
The Retail & Hospitality ISAC, a threat information sharing group, said it was aware of the threats related to Scattered Spider but was unable to share specifics.
“We are tracking these incidents and publishing updates and guidance for our member companies, as well as collaborating with Google on a threat briefing,” Pam Lindemoen, CSO at RH-ISAC, told Cybersecurity Dive.
The U.K. attacks have resulted in considerable disruption. M&S earlier this week confirmed that customer data was stolen in the attack, though it cautioned that payment-card information was masked and not usable.
Co-op on Wednesday said hackers launched sustained attempts to crack its systems and gained access to customer data, with the resulting attack leading to major inventory shortages at many of its 2,300 grocery locations. Co-op is beginning to restore its computer systems in a controlled manner and plans to distribute fresh produce and chilled and frozen foods this weekend in order to refill store shelves that have seen limited supplies since earlier this month.
Attributing the attacks to Scattered Spider has been difficult, in part because the three retailers have provided limited information about how the attacks took place. British authorities have been working with them to learn more about how the hackers gained access.
The ransomware-as-a-service group DragonForce has claimed credit for the British attacks, adding another layer of difficulty to the attribution process. DragonForce provides encryption tooling and a dark-web site for attacks that contracted hackers carry out, according to GuidePoint Security.
DragonForce recently shifted to a cartel model that allows affiliates to build their own brands while using DragonForce tooling, according to researchers at SecureWorks. It is unclear what direct relationship, if any, exists between Scattered Spider and DragonForce.
Researchers at Palo Alto Networks say they have observed a marked increase in threat activity that mirrors the techniques of Scattered Spider, which they track as Muddled Libra. This includes voice phishing of help desks and employees and the malicious use of legitimate system-management tools.
“Despite recent arrests of individuals tied to Muddled Libra or Scattered Spider, we expect that the techniques they pioneered will continue to be actively used and adapted,” said Sam Rubin, SVP of consulting and threat intelligence at Palo Alto Networks’ Unit 42 team. “Proven effective social engineering methods like these are routinely recycled, refined, and re-deployed by threat actors looking to exploit human and system vulnerabilities.”