Introduction
Scattered Spider [1] [2] [3] [4] [5] [6] [7] [8], also known as UNC3944 or Octo Tempest [1], is a collective of young hackers implicated in significant cyberattacks on major UK retailers. Emerging in 2022, the group has evolved from SIM-swapping to sophisticated social engineering [3], posing a global threat. Their activities have notably impacted companies like Marks & Spencer, Harrods [1] [2] [3] [4] [5] [7] [8], and the Co-op [2] [4] [5], causing substantial financial and operational disruptions.
Description
Scattered Spider [1] [2] [3] [4] [5] [6] [7] [8], a loose collective of young hackers also known as UNC3944 or Octo Tempest, has been implicated in significant cyberattacks targeting prominent UK retailers [1], including Marks & Spencer [1] [2] [3] [4] [6] [7], Harrods [1] [2] [3] [4] [5] [7] [8], and the Co-op [2] [4] [5]. Emerging in 2022 and composed primarily of individuals from the US and UK, the group has evolved from its origins as a SIM-swapping crew into a notable global threat [1]. They have transitioned from basic SIM-swapping techniques to employing sophisticated social engineering methods [3], exploiting IT service providers like Tata Consultancy Services (TCS) to gain access to client networks [3]. Throughout April and May [7], they executed ransomware attacks that took systems offline [7], significantly impacting operations and costing millions of pounds daily [7].
In late April 2025 [8], Marks & Spencer experienced a major cyberattack attributed to Scattered Spider [8], which utilized the DragonForce ransomware variant [5] [8]. The attackers likely gained access through social engineering tactics [6], potentially involving a third party with credentials [6]. They cracked passwords and accessed privileged accounts [8], allowing them to move laterally through the network [8], steal data [7] [8], and deploy ransomware [7] [8]. This incident compromised the personal data of approximately 9.4 million customers [4], including names [1] [2] [3] [4] [7], email addresses [4], postal addresses [4], and dates of birth [4]. The disruption led to empty shelves across M&S’s 1,400 stores [8], the disabling of contactless and Click and Collect services [8], and a halt in online orders [8], with disruptions expected to last until July [8]. The financial impact of the attack is estimated at around £300 million [8], significantly affecting M&S’s online sales [5], with reports suggesting a total loss of approximately £700 million in business value. Following the incident, the hackers sent an extortion email to M&S CEO Stuart Machin [4], written in broken English [4] [5], which included a link to the darknet for ransom negotiations and was sent using an employee’s email address. M&S has not disclosed whether a ransom has been paid [5].
Scattered Spider is also under investigation by the UK’s National Crime Agency for their involvement in over 100 targeted attacks across various industries, including retail [4]. A report from ReliaQuest highlights an analysis of over 600 domains associated with the group [1], examining indicators of compromise from early 2022 to early 2025 [1], alongside domain impersonation alerts identified by its GreyMatter Digital Risk Protection service in the past six months [1]. Early evidence from the Marks & Spencer hack further suggests the group’s involvement in these coordinated attacks. They employ sophisticated tactics [7], beginning with reconnaissance that involves purchasing stolen credentials from the darknet and gathering information from public sources like LinkedIn [7], enabling them to create detailed profiles of their victims [7], particularly those with complex IT environments [7]. Once they infiltrate a network [7], they exfiltrate sensitive data and deploy ransomware to encrypt files [7], often including backup servers [7]. A ransom note is left [7], directing victims to a darknet negotiation site [7], and if negotiations fail [7], the stolen data is published on DragonForce’s darknet leak site [7].
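As an added example (not code from the article or from ReliaQuest's report), the following Python sketches the kind of domain-impersonation triage behind the alerts mentioned above: it flags registered domains that reuse a protected brand on another suffix, pair it with an IT-support lure word, or sit one edit away from it. The brand list, lure words and sample domains are assumptions constructed for the example.

```python
# Added example (not from the article or the ReliaQuest report): triage of
# candidate brand-impersonation domains. Brands, lure words and samples are constructed.

PROTECTED = {  # legitimate registrable domains to protect (assumed for the example)
    "marksandspencer": "marksandspencer.com",
    "harrods": "harrods.com",
    "coop": "coop.co.uk",
}
# Assumed IT-support words attackers pair with a brand when impersonating a
# helpdesk or single-sign-on portal; extend to fit your own environment.
LURE_WORDS = ("helpdesk", "sso", "login", "vpn", "support", "okta")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Split 'www.coop-sso.co.uk' into ('coop-sso', 'co.uk'); minimal UK suffix handling."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("co", "org", "gov"):
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def classify(domain: str) -> list[str]:
    """Return the reasons a domain looks like brand impersonation (empty if clean)."""
    label, suffix = registrable(domain)
    if f"{label}.{suffix}" in PROTECTED.values():
        return []  # the genuine corporate domain or one of its subdomains
    squashed = label.replace("-", "")
    reasons = []
    for brand in PROTECTED:
        if squashed == brand:
            reasons.append(f"brand '{brand}' reused on another suffix or hyphenated")
        elif brand in squashed and any(w in squashed.replace(brand, "", 1) for w in LURE_WORDS):
            reasons.append(f"brand '{brand}' paired with an IT-support lure word")
        elif levenshtein(squashed, brand) == 1:
            reasons.append(f"one edit away from brand '{brand}' (typosquat)")
    return reasons


def triage(domains: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only domains that raised at least one reason, for analyst review."""
    return [(d, r) for d in domains if (r := classify(d))]
```

Feed it newly registered or certificate-transparency domains and hand the flagged ones to an analyst; exact-match and lure-word hits are far higher confidence than single-edit typosquats of short brand names.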
The ransomware group DragonForce [4] [5], which operates as a Ransomware-as-a-Service (RaaS) [4], has been linked to the attack, although no formal connection between Scattered Spider and DragonForce has been established. DragonForce has also been associated with other attacks [4], including an attempted hack of Harrods and the infiltration of IT networks at the Co-op [4], and is rumored to have connections to Russia and a pro-Palestinian group in Malaysia [5]. Speculation suggests that Scattered Spider may have utilized DragonForce’s ransomware in the M&S incident, further complicating the landscape of these cyber threats.
Conclusion
The activities of Scattered Spider underscore the evolving nature of cyber threats, highlighting the need for robust cybersecurity measures and vigilance. The significant financial and operational impacts on affected companies like Marks & Spencer emphasize the importance of proactive defense strategies and incident response plans. As cyber threats continue to grow in complexity, organizations must prioritize cybersecurity to mitigate risks and protect sensitive data. The ongoing investigations and analyses of Scattered Spider’s tactics will provide valuable insights for enhancing cybersecurity frameworks and preventing future attacks.
References
[1] https://www.infosecurity-magazine.com/news/scattered-spider-tech-vendor/
[2] https://www.bbc.co.uk/news/articles/cr58pqjlnjlo
[3] https://digitrendz.blog/newswire/business/14374/scattered-spider-hackers-impersonate-tech-vendors-to-attack-helpdesks/
[4] https://inews.co.uk/news/what-we-know-ms-hack-abusive-email-3736962
[5] https://www.mirror.co.uk/money/gloating-email-ms-hackers-ceo-35348009
[6] https://www.bearded365guy.com/blog/5-cybersecurity-lessons-every-business-can-learn-from-the-m-s-cyber-attack
[7] https://www.cyberdaily.au/security/12197-hacked-anatomy-of-a-scattered-spider-ransomware-attack
[8] https://assured.co.uk/2025/ai-autopsy-five-lessons-from-the-ms-ransomware-attack/