Scattered Spider snared financial orgs before targeting shops in Britain, America

May 28, 2025

Over the last month, the Scattered Spider threat group has been in the public eye in the English-speaking world thanks to its recent high-profile attacks. After a long hiatus, the group has claimed responsibility for a wide range of attacks. In April, it claimed responsibility for ransomware attacks against retail businesses in the UK, including Marks & Spencer, Co-op, and Harrods. This month, the group has focused on US retailers, according to statements from Mandiant Consulting. Although the specific companies were not disclosed, the statement described 10 large-scale retail organizations facing sustained attacks that disrupted services. According to statements from M&S and Co-op, the initial vector for the attacks was social engineering, which allowed the attackers to reset an employee's password and penetrate the network.

Scattered Spider is a notorious threat group with a long history, and its activities can often be taken as an indication of where attack trends are heading. According to statements from Palo Alto’s Unit 42, the group's attacks initially focused on financial services organizations, and this pivot to retailers represents a distinct shift. Again, the specific companies were not disclosed, but Unit 42's principal threat researcher, Kristopher Russo, mentioned that all the affected companies were English-speaking.

"Early on, this group was focused on cryptocurrency theft," Russo said. "Business process outsourcers were a huge target for a while. We saw them shift to financial services, and now this retail shift seems to be the latest in the bouncing around that this group does."

Where will Scattered Spider strike next? Indications suggest the group's next campaign may focus on cryptocurrency. Unknown attackers have begun attempting to penetrate large-scale crypto exchanges, including Binance and Kraken, with social-engineering attacks similar to those employed by Scattered Spider. Organizations potentially affected by such attacks should redouble their efforts to instill vigilance in their employees, including extensive training with regular drills.
