Google on Thursday warned that the hacking group behind the recent cyberattacks on high-street UK retailers is now turning to US companies.
“Shields up US retailers. They’re here,” John Hultquist, chief analyst at Google Threat Intelligence Group, said on X (formerly Twitter).
Hultquist pointed to a May 7 Mandiant blog post detailing the activities of UNC3944, also known as Scattered Spider, which relies on social engineering, SIM swapping, ransomware deployment, and extortion in attacks against high-profile targets across a broad range of industries.
“We have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024,” Mandiant said.
Mandiant shared its observations of Scattered Spider tactics, techniques, and procedures (TTPs) shortly after the DragonForce ransomware group claimed the attacks on UK retailers Co-op, Harrods, and Marks & Spencer (M&S). This week, M&S confirmed that customer data was stolen in the attack.
Various reports have attributed the attacks to the Scattered Spider extortion group, and Mandiant noted that DragonForce recently claimed control of the RansomHub ransomware-as-a-service (RaaS), and that Scattered Spider was a RansomHub affiliate in 2024.
The cybersecurity company also warned that financially motivated groups, including UNC3944, likely view retailers as attractive targets, due to the large amount of personally identifiable information (PII) and financial data they possess.
“Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions,” Mandiant said.
Last week, Google told SecurityWeek that it had not independently confirmed that Scattered Spider or DragonForce were involved in the UK retailer attacks.
However, Hultquist now warns that ransomware and extortion operations currently targeting US retailers are likely linked to Scattered Spider. Based on previously observed tactics, the group is likely to continue to target the US retail sector for a while, he says.
On Thursday, Mandiant warned on X that Scattered Spider is relying on “advanced social engineering and third-party access” in recent attacks.