Introduction

The recent surge in cyber-attacks orchestrated by the hacker group Scattered Spider, also known as UNC3944 or Muddled Libra [3], has significantly impacted major UK businesses, particularly in the retail and finance sectors [9]. These attacks have exposed vulnerabilities within these industries, highlighting the severe threat posed by cybercriminals capable of large-scale disruption.

Description

Hackers associated with the group Scattered Spider [11], also known as UNC3944 or Muddled Libra [3], are conducting a series of cyber-attacks targeting prominent UK companies [9] [11], particularly in the retail and finance sectors [9]. Notable victims include Marks & Spencer (M&S) [2], the Co-op [10] [11], Harrods [2] [5] [7] [10] [11], and, most recently, Victoria’s Secret [1] [2]. These high-profile incidents have exposed the vulnerabilities of major British retailers and many UK businesses [8], highlighting the significant threat posed by cybercriminals who can disrupt or dismantle organizations on a large scale.

In April 2025 [9] [10], M&S experienced a significant cyber attack that disrupted online orders, contactless payments [4] [10], and store stock management [10], leading to an estimated £300 million loss in profits [10]. The attack, which occurred over the Easter weekend [9] [10], exploited a third-party contractor and involved sophisticated social engineering techniques to bypass the company’s digital defenses [4]. Initially affecting click-and-collect services [10], the incident prompted M&S to issue an apology on its website for the unavailability of online ordering [10]. In-store operations faced challenges as staff reverted to manual processes [4], resulting in stock shortages and increased food waste [4]. M&S has reported substantial financial losses amounting to millions of pounds each day due to these sustained cyber attacks, with a full recovery of online functionalities expected by July [4].

On May 13, 2025 [7], M&S confirmed that customer personal data had been stolen in a ransomware attack attributed to DragonForce [7], which is linked to Scattered Spider. This incident followed a previous cyber-attack on Harvey Nichols [9], which announced on September 18, 2024 [9], that it had discovered unauthorized access to customer information [9], including names [2] [4] [9] [10] [11], addresses [9] [11], phone numbers [9], company names [2] [9], and email addresses [9] [11]. Just days before the M&S incident, on May 2, 2025 [7], Harrods reported an attempted cyber attack allegedly by DragonForce [7], resulting in restricted access to their systems [7]. On the same day [7], Co-op UK acknowledged a cyber attack that compromised customer data [7], with hackers claiming to have accessed information on 20 million members of their membership scheme [7]. Following these incidents [5], Victoria’s Secret experienced a cyberattack that led to the temporary shutdown of its website and some in-store services, causing a decline in the company’s shares by over 6% [2]. M&S has warned of a potential £300 million hit to its operating profits due to the disruption caused by these cyber incidents [2], which halted online sales for a significant period [2].

These attacks have involved ransomware initiated through help-desk interactions, where attackers manipulated support staff into resetting employee passwords [5]. This access led to the deployment of the DragonForce encryptor [5], which compromised internal systems and resulted in the theft of personal data, including names [2] [4] [9] [10] [11], contact details [4], and order histories of thousands of customers, as well as email addresses and full names of staff. An internal technical support contractor for M&S is currently examining whether it played a role in the attack [6].

The National Cyber Security Centre (NCSC) has issued warnings about the tactics used by Scattered Spider [11], which include impersonating employees and utilizing social engineering techniques shared on platforms like Discord and Telegram. This group, composed of English-speaking cybercriminals [5], often in their twenties [5], employs various hacking methods [11], including SIM swapping and multi-factor authentication (MFA) fatigue attacks, which overwhelm users with multiple authentication requests to bypass security measures [3]. Once they gain access to privileged accounts [3], they extract the Active Directory database file NTDS.dit from the domain controller [3], which contains hashed passwords [3]. The group employs tools like hashkiller for offline password cracking [3], facilitating lateral movement within networks [3]. Their tactics combine social engineering with technical escalation [3], posing significant risks to enterprises and challenging even advanced endpoint detection and response (EDR) systems [3].
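For defenders, the MFA fatigue pattern described above (a burst of rejected push prompts ending in one approval, possibly after a help-desk password reset) can be detected in authentication logs. The following is an added example, not code from any of the cited sources; the log format, field names, event names and thresholds are hypothetical assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not from any real product).
SAMPLE_LOG = """\
2025-01-10T01:50:00Z user=j.smith event=helpdesk_password_reset result=ok
2025-01-10T02:14:05Z user=j.smith event=mfa_push result=denied
2025-01-10T02:14:40Z user=j.smith event=mfa_push result=timeout
2025-01-10T02:15:10Z user=j.smith event=mfa_push result=denied
2025-01-10T02:15:55Z user=j.smith event=mfa_push result=denied
2025-01-10T02:16:30Z user=j.smith event=mfa_push result=timeout
2025-01-10T02:17:02Z user=j.smith event=mfa_push result=approved
2025-01-10T09:00:00Z user=a.jones event=mfa_push result=denied
2025-01-10T09:00:30Z user=a.jones event=mfa_push result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) result=(\S+)$")

def detect_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=10),
                       reset_lookback=timedelta(hours=24)):
    """Return one alert per approval that follows >= threshold rejected pushes."""
    rejected = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    last_reset = {}                 # user -> time of last help-desk password reset
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # skip malformed lines rather than crash
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, event, result = m.group(2), m.group(3), m.group(4)
        if event == "helpdesk_password_reset":
            last_reset[user] = ts
        elif event == "mfa_push" and result in ("denied", "timeout"):
            rejected[user].append(ts)
        elif event == "mfa_push" and result == "approved":
            q = rejected[user]
            while q and ts - q[0] > window:
                q.popleft()         # keep only rejections inside the window
            if len(q) >= threshold:
                reset = last_reset.get(user)
                alerts.append({
                    "user": user,
                    "rejected_pushes": len(q),
                    "approved_at": ts.isoformat(),
                    "recent_helpdesk_reset": bool(reset and ts - reset <= reset_lookback),
                })
            q.clear()               # an approval starts a fresh sequence
    return alerts
```

An alert with `recent_helpdesk_reset` set deserves the highest priority, since it combines both behaviours the sources attribute to the group: a socially engineered password reset followed by push bombing.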

Additionally, on May 20, 2025 [7], the logistics company Peter Green Chilled experienced a ransomware attack [7], reportedly by Scattered Spider [7] [11], disrupting supplies of refrigerated goods to major British supermarkets [7]. Although several suspects were arrested in 2024 [5], the full composition of this community remains uncertain [5], with potential copycat actors employing similar strategies [5]. Cybersecurity expert Darren Williams has emphasized the importance of treating third-party cybersecurity with the same rigor as internal measures [6], highlighting that organizations risk becoming the weakest link in a series of attacks [6]. The recent attack on Adidas [1], which compromised customer data [1] [7], further underscores the vulnerabilities retailers face not only from their own systems but also from third-party service providers [1]. Law enforcement faces challenges in combating Scattered Spider due to its dispersed structure and sophisticated tactics [11]. As the retail sector becomes increasingly targeted [11], the NCSC emphasizes the need for robust cybersecurity measures to protect against these opportunistic threats [11], particularly in light of the ongoing risks associated with Ransomware-as-a-Service (RaaS) operations like DragonForce, which has claimed responsibility for network breaches and data theft [5]. Research indicates that numerous large and medium-sized UK businesses fear that a serious cyber incident could cripple their operations or threaten their survival [8], underscoring the critical need for organizations to operate under the assumption that breaches may occur.

Conclusion

The recent wave of cyber-attacks by Scattered Spider has underscored the critical vulnerabilities within the UK retail and finance sectors. These incidents highlight the necessity for robust cybersecurity measures and the importance of treating third-party cybersecurity with the same rigor as internal systems. As cyber threats continue to evolve, organizations must remain vigilant and proactive in their defense strategies to mitigate potential disruptions and safeguard their operations. The ongoing challenges faced by law enforcement in combating such dispersed and sophisticated groups further emphasize the need for a coordinated and comprehensive approach to cybersecurity.

References

[1] https://www.retailtouchpoints.com/topics/security/data-security/victorias-secret-latest-hit-in-growing-swath-of-retail-cyber-attacks
[2] https://www.siliconrepublic.com/enterprise/victorias-secret-latest-retailer-to-be-hit-by-cyberattack
[3] https://blog.mastek.com/scattered-spider-attacks-ransomware-threat-to-uk-retail-firms
[4] https://www.course2career.com/blog/ms-cyberattack-lessons-2025
[5] https://outpost24.com/blog/threat-context-monthly-may-2025-scattered-spider-lumma-stealer/
[6] https://www.silicon.co.uk/security/cyberwar/victoria-secret-adidas-hack-616208
[7] https://www.cm-alliance.com/cybersecurity-blog/may-2025-biggest-cyber-attacks-ransomware-attacks-and-data-breaches
[8] https://www.digit.fyi/ms-cyber-attack-stoking-fears-across-british-businesses/
[9] https://taylorhampton.co.uk/percy-nal-data-and-caterpil-leaks-ms-cyber-attack/
[10] https://www.bbc.co.uk/news/articles/c23mz5eg091o
[11] https://www.cybersecurityintelligence.com/blog/scattered-spider-hackers-get-busy-8459.html