Scattered Spider hackers in UK are ‘facilitating’ cyber-attacks, says Google


UK-based members of the Scattered Spider hacking community are actively “facilitating” cyber-attacks, according to Google, as disruption to British retailers spreads to the US.

A group of hackers labelled “Scattered Spider” have been linked with attacks on UK retailers Marks & Spencer, the Co-op and Harrods, with Google cybersecurity experts warning this week that unnamed retailers across the Atlantic are being targeted as well.

Charles Carmakal, the chief technology officer at Google’s Mandiant cybersecurity unit, said that the threat had moved to the US in a pattern typical of Scattered Spider assailants.

“They tend to focus on a particular industry sector and geography for a few weeks and then they move on to something else,” he said. “And right now they’re focused on retail organisations. They start in the UK, and now they’ve shifted to US organisations.”

Asked if UK members of Scattered Spider were involved in hacking M&S, he said: “Without specifically naming who the victims are I will say broadly Scattered Spider members in the UK are facilitating and contributing to intrusions.”

The targeting of retailers in the UK, and the techniques associated with Scattered Spider, have prompted the country’s cybersecurity agency to warn companies to look out for specific tactics.

In an advisory note, the National Cyber Security Agency told businesses to look at how their IT help desks help staff members reset passwords. One gambit associated with Scattered Spider – a name coined for a set of hacking tactics rather than a homogeneous group – is to ring up IT help desks and pretend to be employees or contractors in order to gain access to company systems.

“What we’re seeing is they’re making telephone calls, calling up help desks, pretending to be employees and convincing helpdesks to reset passwords,” said Carmakal.

Carmakal added that the task of ringing up helpdesks was sometimes carried out by younger members of the Scattered Spider network.

“It’s not always the [threat] actors themselves … that are actually making the phone calls. They outsource some of that work to other members of the broader community, generally younger individuals that aggregate on Telegram and Discord and want to make a few hundred bucks.”

Scattered Spider is unusual among hacking groups deploying ransomware because it is composed of native English speakers from countries such as the UK, US and Canada. Carmakal said he had listened to “countless calls” that Scattered Spider hackers have made to company employees, “whether they were extorting them, or trying to convince somebody to provide credentials or harassing somebody”.


Ransomware gangs infect their targets’ computer systems with malicious software that effectively locks up their internal files, which the criminals then offer to release in exchange for a payment. Typically, these gangs are from Russia or former Soviet states.

Carmakal’s comments came as French luxury brand Dior said this week an “unauthorised external party” had accessed some customer data. The scale of the breach and the identity of the attacker remain unclear, although Paris-based Dior said no payment information had been taken.

This week Google’s cybersecurity specialists said Scattered Spider was targeting US retailers.

“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to … Scattered Spider,” said John Hultquist, the chief analyst at Google Threat Intelligence Group. “The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.”
