Scattered Spider breaks America: High Street hackers sink fangs into US retailers
Group linked to the blockbuster M&S cyberattack is now believed to be targeting retailers on the other side of the Atlantic.

A shadowy hacking group blamed for a cyberattack which brought British High Street giant M&S to its knees has allegedly turned its attention to targets in the US.
Scattered Spider, also known by the less glamorous name UNC3944, is now believed to have turned its attention to American retailers after sharpening its fangs during high-profile incidents here in Britain.
"The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider," said John Hultquist, Chief Analyst at Google Threat Intelligence Group.
"The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.
"These actors are aggressive, creative, and particularly effective at circumventing mature security programs."
Is Scattered Spider behind the cyberattack on Marks and Spencer?
A threat actor using the same tactics as Scattered Spider has been blamed for hitting British retailers with DragonForce ransomware.
The group is believed to primarily target large enterprises across sectors like tech, telecoms, finance, BPO, gaming, hospitality, retail, and media. Its focus is on English-speaking countries - especially the US, UK, Canada, and Australia - with recent activity in Singapore and India.
The group is said to be made up of teenagers based in the UK and the US, who focus on organisations with extensive help desks or outsourced IT functions, using social engineering to breach their victims' networks.
Rex Booth, CISO at SailPoint, told Machine: "They’re responsible for numerous high-profile attacks, including the MGM/Caesars compromise in 2023 which netted them a $15M ransom payment.
"They’re uniquely dangerous because much of the West is accustomed to this image of cyber criminals from Eastern Europe and Asia. Because most of Scattered Spider are native English speakers, they’re able to execute social engineering attacks without raising concerns as readily. It makes them very effective at exploiting the human side of cybersecurity.
"Authorities in the US, UK and Canada have all collaborated to arrest various members of the group, but their exploits continue.
"One of the more effective techniques that the group uses is known as multi-factor authentication (MFA) fatigue. MFA is one of the best tools we have to prevent account takeovers, but it still depends on user vigilance.
"In an MFA fatigue attack, an attacker floods a user with MFA authentication requests until they finally authorise either out of confusion or exasperation. At that point, the attacker can then bypass one of the strongest defences available."
A noiseless patient spider preparing to strike
M&S hasn't yet confirmed that Scattered Spider is to blame for the attack, which forced the iconic brand to suspend online shopping through its app and website for the past three weeks.
Dr. Darren Williams, CEO and Founder of BlackFog, also told us: "Scattered Spider is a name that should raise concerns. Whilst they’ve been quiet for the last couple of years, this group has a track record of high-impact breaches.
"Scattered Spider are also known for their highly effective social engineering tactics, often targeting employees to gain initial access to enterprise networks. They’ve previously used BlackCat’s ransomware and have been linked more recently to newer variants like RansomHub and Qilin, showing their ability to evolve their methods.
"If this group is behind the Marks and Spencer cyber attack, it’s a further warning that any company can be a target. The retailer has assured customers that personal data has not been compromised, however, the operational and financial consequences are significant.
"We might not be able to stop these groups from launching attacks but it’s vital to have measures in place, not only to stop criminals from gaining a foothold but also to stop data exfiltration, which in most cases is their ultimate goal."
Situational assessment: AI and a grim threat landscape
Unfortunately, we are likely to see growing numbers of cyber attacks in the future as AI lowers the barrier of entry for threat actors and increases the blast radius of attacks.
The NCSC recently warned that AI is intensifying the risk threat actors pose to critical national infrastructure. It warned that by 2027, bad guys could exploit vulnerabilities within hours, not days.
It urged organisations to embed security into AI systems immediately or risk falling behind as attackers leverage AI to increase the speed, scale and sophistication of cyberattacks.
Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, said: "AI is becoming one of the defining forces in cybersecurity – not just because of its ability to automate defences, but because it’s fundamentally changing the shape and speed of attacks.
"Threat actors are no longer relying on blunt force or basic phishing emails. With Generative AI, they can craft highly convincing messages, deepfake audio and video and even create new malware variants on demand. That makes traditional awareness training feel outdated. Security strategies must now account for nuance – how to spot what looks and sounds real when it isn’t.
"At the same time, AI has the potential to dramatically strengthen defences. From real-time threat detection to behaviour-based authentication, the tools are already here. The challenge lies in how we use them – and how quickly. Organisations must urgently adopt a security-by-design approach to every AI deployment and prioritise AI-specific threat modelling.
"This means stress-testing systems not only for traditional vulnerabilities but for how they could be exploited by AI-enhanced attackers. It also means educating staff to recognise new patterns – fake audio, AI-generated social engineering and more.
"Cybersecurity is no longer just the CISO’s job – it’s cultural. Everyone across the business, from finance to HR, needs to know what modern threats look like and feel empowered to act. The organisations that succeed won’t be those with the biggest tools, but those that embed security thinking into their everyday decision-making."