Google has reported that members of a loosely connected hacking group, referred to as “scattered spiders,” are actively encouraging cyberattacks, impacting UK retailers and now extending into the US market.
This group has been implicated in attacks against prominent British retailers like Marks & Spencer, Co-op, and Harrods. Experts from Google’s cybersecurity team caution that other retailers across the Atlantic are also in their sights.
Charles Carmakal, the chief technology officer at Google’s Mandiant unit, noted this trend isn’t unusual for the scattered spider attackers. “These groups often concentrate on a specific industry and region for a while before shifting their focus,” he mentioned. “They began with UK retailers and have now targeted a US organization.”
When asked about British connections to the Marks & Spencer breach, he indicated that, while they aren’t naming specific victims, it’s clear that UK members of this group are involved in promoting and facilitating attacks.
The targeting of UK retailers has compelled the nation’s cybersecurity agencies to alert businesses about certain tactics used by these hackers.
A recent advisory recommended that companies implement measures allowing IT departments to assist employees in resetting their passwords. One strategy employed by scattered spiders, a term that describes a particular set of hacking methods rather than a unified group, involves calling help desks to impersonate employees and gain access to corporate systems.
Interestingly, some of these calls are made by younger individuals within the scattered spider network. “It’s not always that the main actor is making the call. Sometimes they outsource to others, often young people looking to earn a quick buck, collecting tasks via messaging platforms.”
Comprising native English speakers from countries like the UK, the US, and Canada, scattered spiders are somewhat unique among ransomware groups. Carmakal noted he has received numerous reports of these hackers reaching out to company personnel.
Typically, ransomware gangs deploy malicious software to lock users out of their systems, and these groups historically hail from Russia or former Soviet territories.
Carmakal’s remarks coincided with reports from French luxury brand Dior, which disclosed that some customer data had been accessed by “fraudulent external parties.” At this time, Dior has not clarified the nature of the breach or the perpetrators’ identity.
This week, Google’s experts reaffirmed that the scattered spider group is now targeting US retailers.
“We’re focused on delivering comprehensive services to our clients,” stated John Hultquist, chief analyst at Google Threat Intelligence Group. “After a noticeable gap, the actor has returned to targeting UK retail, usually concentrating on one sector at a time. It’s likely they’ll keep their focus on retailers for the foreseeable future, so US businesses should remain vigilant.”
