How CISOs can defend against Scattered Spider ransomware attacks

By PineapplesUpdate, May 27, 2025. 9 min read.

UK retailer Marks & Spencer suffered a cyberattack in late April that disrupted the high-street retailer's operations and is expected to cost the company more than $400 million.

Shortly afterwards, two other well-known British retailers, Harrods and the Co-op, were hit by similar incidents, prompting extensive press coverage and consumer anxiety in Britain as shelves sat empty and online ordering was suspended.

All three incidents have been attributed to a loose collective of young, native English-speaking hackers called Scattered Spider, also known as UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest and 0ktapus.

Earlier this month, Google warned that Scattered Spider would bring its high-profile retail attacks to the US. Experts say, however, that Scattered Spider is already targeting top American organizations, and that CISOs should prepare now for how their organizations will handle the aggressive hacking group.

“You need a plan before you get punched in the face,” Palo Alto Networks lead threat researcher Christopher Russo told CSO. “Make sure you are practicing so that when this happens, you are ready. You must have your playbook, really know who to call, and know what to shut off to isolate and stop the attack.”

Who is Scattered Spider?

Scattered Spider is considered part of a broader community of young cybercriminals known as the Com, although it is difficult to pin these groups down. They are best known for their audacious ransomware attacks in the US on two Las Vegas casino owners, MGM Resorts and Caesars Entertainment.

In the recent attacks, they have joined forces with a powerful ransomware-as-a-service actor, DragonForce. Although it presents itself as a pro-Palestinian hacktivist group, DragonForce may be one of the cybercrime groups operating in Russia with the tacit permission of the Kremlin.

DragonForce’s recent rebranding announcement, in which it now calls itself a “cartel,” included a warning not to attack targets in the Commonwealth of Independent States, a 10-nation bloc centered on Russia and the former Soviet republics. A rival gang, RansomHub, accused DragonForce of collaborating with Russia’s FSB intelligence arm.

“They are more than likely leaning into the Russian-affiliated model, so they are just renting tooling and infrastructure,” Lumifi’s Hamilton told CSO. “It gives them a lot of advantages.”

However, the relationship between DragonForce and Scattered Spider is murky, even though it is clear that Scattered Spider is deploying DragonForce malware. The relationship is one of the “million-dollar questions,” Huntress principal threat intelligence analyst Greg Linares told CSO. “We know that they are using DragonForce. But is it an affiliation? Is it being paid for? Or is it a false flag?”

Whatever the case, “I think it is really important to appreciate that DragonForce is a very serious ransomware group,” Silent Push senior threat researcher Zach Edwards told CSO. “They would be considered among the top [ransomware groups] because their software is good; it effectively does what it says.”

A significant shift in social engineering

Over the last two years, several Scattered Spider members have been arrested and even convicted, including a prominent member known as “King Bob,” who was arrested in early 2024 and later convicted on the charges against him. Six other key Scattered Spider members were arrested in late 2024.

Following these law enforcement operations, the group’s activity dropped off for a time. “At Silent Push, around November and December of last year, we were seeing a decline in their infrastructure,” Edwards said. “Their phishing pages stopped being created. But at the beginning of 2025, we started seeing their phishing kits come back and go live again, targeting different types of brands.”

Experts say that, in addition to aligning with DragonForce, Scattered Spider has shifted its preferred mode of intrusion from phishing to direct social engineering.

“What is significant about the recent UK campaign is a shift in their strategy,” Edwards said. “Now what we are seeing is zero phishing kits live. In the US, the new activity here appears to be especially focused on social engineering, where they are reaching out to help desks, trying to reset passwords, and reaching out to employees to get their credentials.”

The group also uses SIM swapping while posing as legitimate employees seeking password resets. “We know that they have SIM-swapping capabilities,” Linares said, attributing the Harrods attack to SIM swapping. “We know that they are working with individuals who work at ISPs or providers and help them get that information.”

“What they will often do is call in pretending to be a legitimate employee of the company,” Google Mandiant chief threat analyst Austin Larsen said during a webinar on defending against UNC3944. “Often, they come into these calls with these help desks armed with a lot of information about their target users.”

“They are able to provide social security numbers, for example, for their target users, their addresses, or other personal information,” he said. “It is a challenge for help desks to spot some of these attacks, given how much research and information the actor typically brings to these phone calls.”

Focus on the human factor as the first line of defense

Given Scattered Spider’s striking success with social engineering in the UK, experts say CISOs should first focus on their organizations’ softest targets, namely help desk staff and the employees the hackers manipulate.

“They know how help desks work,” Hamilton said. “They do a bunch of research, and they will get enough information on a user to impersonate them to the help desk for a password reset, and then they can get in.”

“What sets this group apart is that their attack styles are not technically complicated,” Palo Alto’s Russo said. “They are not exploiting zero-day vulnerabilities. They target people, so they are going after the human element.”

CISOs should give help desk personnel procedures for reporting suspicious password reset calls and guidance on getting out of those conversations as quickly as possible.

“What CISOs need to do is make sure that their people are ready for this kind of attack, that they have these red flags so that when a line is crossed in a call or conversation, it ends,” Russo said. “If there is a question of identity when they are talking to someone, if there is a slip-up, if anything is off, there is a red flag to say, you know, I need to contact your manager and verify.”

But the help desk is not the only group that needs education. Experts say all employees should be aware of the group’s social engineering tactics.

“They impersonate an employee to the help desk, but they also impersonate the help desk when calling employees,” said Huntress’s Linares. “It works both ways. I have seen attacks where they call the employee and say, ‘Hey, we saw an alert on your machine; we need to log in or access it. Please run this script and this tool so we can remote in.’”

Speed is of the essence in these situations. “Don’t give them a chance to manipulate your people. The longer you let someone stay on the phone or online, the more likely they are to succeed in getting around your procedures and processes,” Russo said.

Tracking intruders is a necessity

Unfortunately, skilled Scattered Spider hackers can bamboozle even the best-prepared help desk workers. Experts say CISOs should therefore have detection and tracking mechanisms in place to follow intruders once they gain access.

“What do they do with these legitimate user credentials?” Google’s Larsen asked. “They usually start by looking at internal documentation within the victim organization. We see them, for example, in SharePoint, searching for keywords like VPN, MFA, or network map, trying to better understand what the environment looks like and how they can expand their access within it.”

After this stage, they move very quickly to fan out through the organization’s assets. “Once they use whatever valid credentials they have, we see them move quickly and very broadly, which makes them far more difficult for victims to contain,” Larsen said, adding that the attackers often use legitimate remote access utilities that antivirus will not pick up. “So, an investigation is required using EDR utilities or solutions.”

“If we can stop it, that is ideal, but if we can’t, detecting it is essential,” Russo said. “If they have gotten in, we need to find them. Look for users doing things they do not normally do. So, for example, they are in as this user, they have authenticated to the network, and then they start looking at all the different data stores in a large sequence. Well, that is not normal for the user.”
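The two behaviors Larsen and Russo describe, keyword searches for access-related terms right after a help-desk reset and a user suddenly touching many distinct data stores, can be turned into a simple detection over identity and document-access audit events. The script below is an added example and is not code from the article or from any of the vendors quoted; the pipe-delimited log format, the sample events, the keyword list, the two-hour window and the five-store fan-out threshold are all assumptions for illustration and should be tuned against your own baseline.

```python
"""Flag post-reset reconnaissance and data-store fan-out from audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines for this example (not from any real tenant).
# Format assumed here: timestamp|user|action|detail
SAMPLE_LOG = """\
2025-05-01T09:00:00|jdoe|HELPDESK_PASSWORD_RESET|ticket=HD-1042
2025-05-01T09:04:00|jdoe|MFA_DEVICE_ADDED|authenticator-app
2025-05-01T09:10:00|jdoe|SEARCH|vpn configuration guide
2025-05-01T09:12:00|jdoe|SEARCH|mfa enrollment policy
2025-05-01T09:15:00|jdoe|SEARCH|network map
2025-05-01T09:20:00|jdoe|FILE_ACCESS|sites/IT/vpn-setup.docx
2025-05-01T09:22:00|jdoe|FILE_ACCESS|sites/Finance/budget.xlsx
2025-05-01T09:25:00|jdoe|FILE_ACCESS|sites/HR/employee-list.xlsx
2025-05-01T09:27:00|jdoe|FILE_ACCESS|sites/Legal/contracts.pdf
2025-05-01T09:30:00|jdoe|FILE_ACCESS|sites/Engineering/architecture.vsdx
2025-05-01T09:33:00|jdoe|FILE_ACCESS|sites/Executive/board-deck.pptx
2025-05-01T09:05:00|asmith|SEARCH|quarterly report template
2025-05-01T09:30:00|asmith|FILE_ACCESS|sites/Finance/q1-report.xlsx
2025-05-01T10:15:00|asmith|FILE_ACCESS|sites/Finance/q2-forecast.xlsx
"""

# Assumed thresholds and keywords; tune them against your own baseline.
RECON_TERMS = ("vpn", "mfa", "network map", "remote access", "privileged")
CREDENTIAL_EVENTS = {"HELPDESK_PASSWORD_RESET", "MFA_DEVICE_ADDED"}
WINDOW = timedelta(hours=2)   # how long after a credential change we stay suspicious
FANOUT_THRESHOLD = 5          # distinct stores touched inside one window


def parse_log(text):
    """Group events per user, sorted by time: user -> [(ts, action, detail)]."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split("|", 3)
        events[user].append((datetime.fromisoformat(ts), action, detail))
    for user_events in events.values():
        user_events.sort()
    return events


def store_of(path):
    """Reduce 'sites/Finance/q1-report.xlsx' to its data store 'sites/Finance'."""
    return "/".join(path.split("/")[:2])


def analyse_user(user_events):
    """Return human-readable reasons this user's activity looks like post-reset recon."""
    reasons = []
    changes = [ts for ts, action, _ in user_events if action in CREDENTIAL_EVENTS]

    # Rule 1: access-related keyword searches shortly after a help-desk reset or MFA change.
    for ts, action, detail in user_events:
        if action != "SEARCH":
            continue
        if not any(term in detail.lower() for term in RECON_TERMS):
            continue
        if any(timedelta(0) <= ts - change <= WINDOW for change in changes):
            reasons.append(f"recon search '{detail}' within {WINDOW} of a credential change")
            break

    # Rule 2: fan-out across many distinct stores inside a sliding window
    # ("looking at all the different data stores in a large sequence").
    accesses = [(ts, store_of(detail)) for ts, action, detail in user_events
                if action == "FILE_ACCESS"]
    for i, (start, _) in enumerate(accesses):
        stores = {store for ts, store in accesses[i:] if ts - start <= WINDOW}
        if len(stores) >= FANOUT_THRESHOLD:
            reasons.append(f"fan-out: {len(stores)} distinct stores in {WINDOW}")
            break
    return reasons


def detect(log_text):
    """Map each suspicious user to the list of rules they triggered."""
    findings = {}
    for user, user_events in parse_log(log_text).items():
        reasons = analyse_user(user_events)
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect(SAMPLE_LOG).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed log, `jdoe` trips both rules while `asmith`, who searches for a report template and stays within one Finance site, is not flagged. In production the same two rules would sit over Entra ID or Okta sign-in and help-desk events joined with SharePoint or file-server audit logs, with the fan-out threshold derived from each user's historical number of distinct stores rather than a fixed constant.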

Don’t pay the ransom

In the case of Scattered Spider’s 2023 hacks of the two casino operators, Caesars emerged relatively unscathed because it paid the $15 million demanded, while MGM Resorts, which did not pay the ransom, ended up spending $145 million between other costs and class-action litigation.

However, experts say that despite these examples, paying a ransom to Scattered Spider is a bad idea even if the group has successfully encrypted files and stolen valuable data.

“We know that paying ransoms just encourages them,” said Lumifi’s Hamilton. “It rewards them for what they are doing.”

In addition, “it is often faster to restore from backup,” he said. “If you have good controls in place, you have immutable backups, and you really know the order in which things need to come back, you can do that faster than you can apply a decryption key, which many times does not work very well.”

“If you pay that ransom, they can still put all your data on the internet because they are kids and they are spiteful people,” said Silent Push’s Edwards. “Decryption keys may not work. And paying certainly does not guarantee that the data will not leak. It is not a guarantee in any way.”
