Unraveling the Scattered Spider Ransomware Attack: A Detailed Analysis

Scattered Spider: The Rising Threat in UK Retail Cybersecurity

In April and May, the hacking collective known as Scattered Spider wreaked havoc across some of the biggest retail brands in the United Kingdom. The repercussions of these attacks are still evident today, as affected stores grapple with restoring normal business operations.

A History of Disruption

Scattered Spider is not new to the cybercrime scene. Earlier, in 2023, the group executed a similarly disruptive attack on MGM Resorts, which had widespread consequences for hotel and casino operations throughout the United States. Initially, Scattered Spider used the now-defunct ALPHV ransomware-as-a-service (RaaS) model, but it has since shifted to partnering with DragonForce’s RaaS, enabling it to escalate its tactics and capabilities.

Understanding Scattered Spider’s Strategy

Targeting the Big Players

Unlike many groups in the cybercriminal landscape that often target vulnerable businesses, Scattered Spider aims for larger organizations. The group’s first step is to conduct meticulous reconnaissance on potential victims. This involves acquiring stolen credentials from the dark web and engaging initial access brokers to gather endpoint telemetry. Additionally, they leverage publicly available platforms like LinkedIn to construct detailed profiles of their targets.

According to Daniel Collyer from threat intelligence firm SOS Intelligence, Scattered Spider particularly seeks out victims with "complex IT environments and high tolerance for operational risk." These characteristics make such organizations more susceptible to extortion threats.

Utilizing Social Engineering Techniques

Once they have gathered sufficient intelligence on their victim, Scattered Spider employs advanced social engineering tactics to infiltrate networks. Phishing and voice phishing, also known as vishing, are common methods, with hackers often impersonating staff members.

The group’s proficiency in English makes identifying these scams particularly challenging. They may pose as an employee claiming to be locked out of their computer and utilize SIM swapping techniques to bypass multifactor authentication (MFA) systems. Another method is leveraging MFA fatigue by overwhelming users with multiple authentication requests until they unwittingly approve one.
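The MFA fatigue technique described above leaves a recognisable trace in identity-provider logs: a burst of push challenges for one account in a short window, often followed by a single approval. The following detector is an added example written for this article, not code from the article or from any vendor; the log layout, event names, field order and thresholds are assumptions, and the log lines are constructed.

```python
"""Detect MFA push-fatigue (prompt bombing) in authentication logs.

Added example. The event stream below is constructed, and the event names,
field layout and thresholds are assumptions, not any identity provider's
real schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, user, event, source IP.
SAMPLE_LOG = """\
2025-05-01T08:00:01Z alice push_sent 203.0.113.10
2025-05-01T08:00:02Z alice push_denied 203.0.113.10
2025-05-01T08:00:40Z alice push_sent 203.0.113.10
2025-05-01T08:00:44Z alice push_denied 203.0.113.10
2025-05-01T08:01:20Z alice push_sent 203.0.113.10
2025-05-01T08:01:31Z alice push_denied 203.0.113.10
2025-05-01T08:02:05Z alice push_sent 203.0.113.10
2025-05-01T08:02:08Z alice push_denied 203.0.113.10
2025-05-01T08:02:50Z alice push_sent 203.0.113.10
2025-05-01T08:03:02Z alice push_approved 203.0.113.10
2025-05-01T08:10:00Z bob push_sent 198.51.100.7
2025-05-01T08:10:05Z bob push_approved 198.51.100.7
2025-05-01T09:30:00Z bob push_sent 198.51.100.7
2025-05-01T09:30:04Z bob push_approved 198.51.100.7
"""

PUSH_THRESHOLD = 4             # challenges inside the window that trigger an alert (assumed)
WINDOW = timedelta(minutes=5)  # sliding window per user (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per user whose push_sent count within `window`
    reaches `threshold`, noting whether an approval followed the burst."""
    sent = defaultdict(deque)   # user -> timestamps of push_sent still inside the window
    alerts = {}                 # user -> alert dict
    for raw in log_text.strip().splitlines():
        ts, user, event, ip = parse_line(raw)
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # expire old challenges
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "source_ip": ip, "first_seen": q[0],
                    "pushes": 0, "approved_after_burst": False,
                })
                alert["pushes"] = max(alert["pushes"], len(q))
        elif event == "push_approved" and user in alerts:
            # The high-severity case: an approval after a burst means the
            # user may have accepted a prompt they never initiated.
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


def severity(alert):
    """Rank an alert: an approval after the burst warrants immediate response."""
    return "high" if alert["approved_after_burst"] else "medium"


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(severity(a), a)
```

In the constructed sample, alice receives five pushes in under three minutes and approves the last one, so she is flagged at high severity; bob's two challenges are eighty minutes apart and stay below the threshold. The same logic runs unchanged over a real export once `parse_line` is adapted to the provider's field layout.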

Gaining Access and Moving Within Networks

Once inside a network, Scattered Spider works to acquire additional credentials. They often employ tools like Cobalt Strike and Windows administrative utilities to escalate privileges and move laterally through the network. During this phase, they focus on finding identity management systems such as Okta or Active Directory, remote access tools, and sensitive data repositories. Depending on the victim’s size, this reconnaissance phase can take anywhere from a few hours to several days.

Exfiltration and Ransomware Deployment

Having mapped out the victim’s network and identified valuable data, the next step is exfiltration. As highlighted by Collyer, "Before deploying ransomware, Scattered Spider usually exfiltrates a trove of sensitive data." This approach underpins their double extortion strategy; even if victims can restore systems from backups, they may still feel compelled to pay the ransom to prevent sensitive information from being publicly disclosed.

Exfiltration processes typically involve compressing sensitive files and uploading them to malicious infrastructure or cloud storage services. In some cases, the hackers leave behind backdoors, allowing them future access if desired.
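The staging-and-upload pattern described above is visible at the network edge as a short run of large client-to-server transfers from one workstation to a file-sharing or cloud-storage host. The following egress check is an added example written for this article, not code from the article or from any product; the proxy log layout, the domain list, the byte threshold and the off-hours rule are assumptions, and the log lines are constructed.

```python
"""Flag bulk outbound uploads to file-sharing or cloud-storage hosts in proxy logs.

Added example. The proxy lines below are constructed, and the field layout,
domain list, threshold and off-hours rule are assumptions, not a real proxy
format or a real corporate allowlist.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, source host, destination host,
# HTTP method, bytes sent by the client.
SAMPLE_PROXY_LOG = """\
2025-05-02T01:10:00Z ws-0142 cdn.example-vendor.test GET 1200
2025-05-02T01:12:00Z ws-0142 share.example-storage.test PUT 180000000
2025-05-02T01:13:30Z ws-0142 share.example-storage.test PUT 220000000
2025-05-02T01:15:10Z ws-0142 share.example-storage.test PUT 310000000
2025-05-02T01:16:00Z ws-0142 share.example-storage.test PUT 250000000
2025-05-02T09:00:00Z ws-0077 share.example-storage.test PUT 4000000
2025-05-02T09:05:00Z ws-0077 mail.example-corp.test POST 900000
"""

# Constructed names standing in for file-sharing / cloud-storage services.
FILE_SHARING_DOMAINS = {"share.example-storage.test"}
BYTES_THRESHOLD = 500_000_000   # 500 MB uploaded inside the window (assumed)
WINDOW = timedelta(minutes=30)  # sliding window per (host, destination) (assumed)
OFF_HOURS_END = 6               # uploads before 06:00 local are treated as off-hours (assumed)


def parse_proxy_line(line):
    """Split one constructed proxy line into (timestamp, src, dst, method, bytes)."""
    ts, src, dst, method, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method, int(nbytes)


def detect_bulk_upload(log_text, threshold=BYTES_THRESHOLD, window=WINDOW):
    """Sum client-sent bytes per (source host, destination) over a sliding
    window and flag PUT/POST traffic to file-sharing hosts above threshold."""
    history = defaultdict(list)   # (src, dst) -> [(ts, bytes)] inside the window
    alerts = {}
    for raw in log_text.strip().splitlines():
        ts, src, dst, method, nbytes = parse_proxy_line(raw)
        if method not in ("PUT", "POST") or dst not in FILE_SHARING_DOMAINS:
            continue
        key = (src, dst)
        hist = [(t, b) for t, b in history[key] if ts - t <= window]  # expire old entries
        hist.append((ts, nbytes))
        history[key] = hist
        total = sum(b for _, b in hist)
        if total >= threshold:
            alert = alerts.setdefault(key, {
                "source_host": src, "destination": dst,
                "first_seen": hist[0][0], "bytes_uploaded": 0,
                "off_hours": hist[0][0].hour < OFF_HOURS_END,
            })
            alert["bytes_uploaded"] = max(alert["bytes_uploaded"], total)
            alert["last_seen"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bulk_upload(SAMPLE_PROXY_LOG):
        print(a)
```

In the constructed sample, ws-0142 pushes 960 MB to the storage host in four minutes starting at 01:12, so it is flagged with the off-hours marker set; ws-0077's 4 MB upload during business hours is ignored. Pairing this with a host-side signal for archive creation on the same workstation in the same window turns a volume anomaly into a much stronger staging indicator.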

Once the data has been secured, the ransomware, powered by DragonForce, is deployed. This software can encrypt files at an alarming rate, sometimes reaching backup servers as well. A ransom note is left behind, directing victims to a negotiation site on the darknet. If negotiations fail or a victim refuses to pay, the stolen data is published on DragonForce’s darknet leak site.

The Nature of the Threat

What amplifies the danger posed by Scattered Spider is the precision and systematic approach of their attacks. They exhibit a deep understanding of the IT infrastructures found in Western organizations and are skilled in impersonation tactics. Their demeanor while communicating with victims can shift from calm expertise to a pressured sense of urgency, especially when pretending to be employees in need of technical support.

More Than Just a Ransomware Group

While deploying ransomware is part of their strategy, Scattered Spider also incorporates aggressive, tailored techniques typically associated with state-sponsored threat actors. Collyer describes this operational model as a mix of “part ransomware gang, part APT,” making the group’s threat difficult to categorize within traditional classifications.

For cybersecurity defenders, this hybrid approach blurs the usual categories and steadily raises the level of risk. Collyer notes, “In short, Scattered Spider is dangerous not just because of what they do, but how they do it.” Their blend of psychological manipulation, identity compromise, and rapid operating methods establishes them as one of today’s most formidable threats against organizations, especially in sectors like retail, where data integrity is vital.
