Alert issued as threat actors behind UK retail attacks shift focus towards US sector; potential risks identified
In the ever-evolving world of cybercrime, a new advanced persistent threat (APT) group known as Scattered Spider has emerged, causing concern among U.S. retail companies. This group, active since mid-2022, is notorious for its sophisticated techniques and focus on exploiting human vulnerabilities.
Composed primarily of young, English-speaking hackers from the U.S. and U.K., Scattered Spider operates within a larger amorphous collective known as "the Com" or "Comm." This loose and fluid structure, which also includes groups like LAPSUS$, makes the group difficult to disrupt because of its evolving nature and diverse membership.
Scattered Spider's methods are centred around social engineering and identity system exploitation rather than software vulnerabilities. They conduct extensive research on their targets using social media and breach data, allowing them to impersonate employees and executives convincingly during phone calls and other interactions.
The group also engages in phishing and credential harvesting, registering victim-specific domains that closely resemble the brands they impersonate. They hijack SMS one-time passwords (OTPs) and pressure users with push notifications until they approve access, bypassing multifactor authentication (MFA). Scattered Spider has also been known to exploit help desks, convincing IT support to reset passwords or MFA settings through psychological manipulation.
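The push-notification pressure described above leaves a recognisable footprint in authentication logs: a burst of denied or timed-out MFA prompts for one account, followed shortly by an approval. The script below is an added defensive example written for this article (it is not code from the article, from Google, Kroll or RH-ISAC); it assumes a hypothetical JSON-lines log format with `ts`, `user`, `event`, `result` and `ip` fields, and the log entries are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (JSON lines). The field names are an
# assumption; map them to your identity provider's export format.
SAMPLE_LOG = """
{"ts": "2025-05-20T08:30:00Z", "user": "carol", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2025-05-20T08:40:00Z", "user": "carol", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2025-05-20T08:50:00Z", "user": "carol", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2025-05-20T09:00:00Z", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.5"}
{"ts": "2025-05-20T09:00:40Z", "user": "alice", "event": "mfa_push", "result": "timeout",  "ip": "203.0.113.5"}
{"ts": "2025-05-20T09:01:30Z", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.5"}
{"ts": "2025-05-20T09:02:10Z", "user": "alice", "event": "mfa_push", "result": "timeout",  "ip": "203.0.113.7"}
{"ts": "2025-05-20T09:03:00Z", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.7"}
{"ts": "2025-05-20T09:03:45Z", "user": "alice", "event": "mfa_push", "result": "approved", "ip": "203.0.113.7"}
{"ts": "2025-05-20T09:05:00Z", "user": "bob",   "event": "mfa_push", "result": "denied",   "ip": "198.51.100.2"}
{"ts": "2025-05-20T09:05:30Z", "user": "bob",   "event": "mfa_push", "result": "approved", "ip": "198.51.100.2"}
{"ts": "2025-05-20T09:10:00Z", "user": "carol", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2025-05-20T09:12:00Z", "user": "carol", "event": "mfa_push", "result": "approved", "ip": "203.0.113.9"}
"""

REJECTED = {"denied", "timeout"}


def parse_events(text):
    """Parse JSON-lines log text into event dicts with a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event") != "mfa_push":
            continue  # only push prompts matter for this detection
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect_push_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Flag an approval preceded by >= min_rejections rejected pushes within `window`.

    A single denied prompt followed by an approval is normal user behaviour
    (a mis-tap, then a retry); a run of rejections ending in an approval is the
    pattern worth escalating, together with the source IPs of the prompts.
    """
    alerts = []
    history = defaultdict(deque)  # per-user sliding window of rejected prompts
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = history[ev["user"]]
        # Drop rejections that fall outside the window relative to this event.
        while recent and ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        if ev["result"] in REJECTED:
            recent.append(ev)
        elif ev["result"] == "approved":
            if len(recent) >= min_rejections:
                alerts.append({
                    "user": ev["user"],
                    "rejections": len(recent),
                    "first_prompt": recent[0]["ts"],
                    "approved_at": ev["ts"],
                    "source_ips": sorted({e["ip"] for e in recent} | {ev["ip"]}),
                })
            recent.clear()  # an approval ends the current run either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] {alert['user']}: {alert['rejections']} rejected pushes between "
              f"{alert['first_prompt']:%H:%M:%S} and {alert['approved_at']:%H:%M:%S} "
              f"from {', '.join(alert['source_ips'])}")
```

On the constructed data only `alice` is flagged: `bob` rejects once and then approves, and `carol`'s four denials are spread over more than the ten-minute window, so each is evicted before her approval. Tune `min_rejections` and `window` to your own baseline, and treat an alert as a trigger to contact the user out of band and review the session, not as proof of compromise on its own.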
These tactics enable Scattered Spider to breach organisations, escalate privileges, steal sensitive data, and deploy ransomware quickly across both cloud and on-premises environments. While they have targeted various sectors, recent activities have expanded to include airlines and retail companies like Marks & Spencer and Harrods in the UK.
While specific details of Scattered Spider's targeting of U.S. retail companies have not yet been reported, their methods suggest they could easily adapt to U.S. retailers using the same social engineering and identity exploitation tactics. The group's ability to bypass MFA and exploit human vulnerabilities makes it a significant threat to any organisation relying heavily on cloud services and identity-based access controls.
Recent incidents involving U.K. retailers such as Co-op and M&S have highlighted the impact of Scattered Spider's attacks. Co-op's systems have been targeted, resulting in major inventory shortages at many of its 2,300 grocery locations. M&S has confirmed that customer data was stolen in a recent attack, though payment-card information was masked and not usable.
In response to these attacks, various organisations are taking action. Pam Lindemoen, CSO at RH-ISAC, is collaborating with Google on a threat briefing. Kroll is currently responding to companies that have been targeted using the same techniques as Scattered Spider. The Retail & Hospitality ISAC is tracking incidents related to Scattered Spider and is providing updates and guidance for member companies.
As the threat of Scattered Spider continues to loom, experts like John Hultquist, chief analyst of Google's Threat Intelligence Group, are warning U.S. retailers to prepare for attacks. It is crucial for organisations to stay vigilant, strengthen their security measures, and educate their employees on the risks of social engineering and identity exploitation.
- The focus on threat intelligence is crucial for U.S. retail companies to understand the advanced techniques used by Scattered Spider, a new APT group that employs social engineering and identity system exploitation.
- In the face of rising ransomware attacks, protecting the privacy of sensitive data during incident response becomes paramount when dealing with Scattered Spider and similar groups.
- As Scattered Spider's tactics often bypass traditional cybersecurity measures like multifactor authentication, the adoption of advanced encryption technologies and strategies can help secure systems against potential breaches.
- Scattered Spider's activities across sectors, such as attacks on airlines and retailers like Marks & Spencer and Harrods, demonstrate the need for proactive cybersecurity strategies across various industries, including finance and technology.
- To combat Scattered Spider effectively, organizations should invest in education programs that sensitize employees to the risks of phishing, credential harvesting, and social engineering tactics used by this APT group.