Google’s cybersecurity team has raised the alarm that the same hacking group behind recent attacks on British retailers is now targeting US stores.

The tech giant’s Threat Intelligence Group (GTIG) says “aggressive” hackers linked to the Scattered Spider collective, believed responsible for DragonForce ransomware attacks on Marks & Spencer and Co-op, have shifted their focus to American retailers.

“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” John Hultquist, chief analyst at GTIG, wrote.

“The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note,” Hultquist said.

For privacy reasons, Google has not named any American victims of these ongoing attacks, though the incidents are still under investigation. Scattered Spider is known for its ability to bypass even sophisticated security measures through social engineering techniques.

Hultquist described the group as “aggressive, creative, and highly adept at circumventing even the most mature security programmes and defences,” noting their particular success with social engineering and leveraging third parties to gain entry to targets.

Mandiant, part of Google Cloud’s threat intelligence operation, has emphasised that hardening identity verification and authentication practices is crucial for defending against these attacks. The gang is especially effective at impersonating users contacting IT helpdesks.

In the UK, reports suggest that M&S’s insurers may face claims of up to £100 million following the ransomware attack on the retailer, which has severely disrupted its food supply chains and resulted in the theft of customer data.

The luxury sector has also been targeted, with French fashion house Dior revealing on Wednesday that customer data had been stolen in a cyberattack. The LVMH subsidiary said in a statement that “an unauthorised third party accessed certain customer data,” though it insisted no financial information was compromised. The stolen information reportedly included names, email and postal addresses, and telephone numbers of clients.

The cyber attacks have caused significant disruption to British retail operations, with M&S still struggling to fully restore its online services and supply chain management.

