David Jones@gcp.cybersecuritydive.com
//
The UK's National Cyber Security Centre (NCSC) has issued an advisory following a series of cyberattacks targeting major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods. These incidents, which began in April 2025, have prompted warnings for organizations to remain vigilant and implement robust cybersecurity measures. The NCSC is working closely with affected organizations to understand the nature of the intrusions and provide targeted advice to the broader retail sector.
The NCSC's advice strongly suggests the involvement of Scattered Spider, a group of English-speaking cyber criminals previously linked to breaches at MGM Resorts and Caesars Entertainment in the U.S. Scattered Spider is believed to have deployed ransomware to encrypt key systems at M&S, causing significant disruption, including the suspension of online sales. Authorities are urging security teams to implement multi-factor authentication, monitor for risky logins, and review help desk login procedures to mitigate potential ransomware attacks.
While investigations are ongoing to determine if the attacks are linked or the work of a single actor, reports suggest that a group called DragonForce may also be involved. DragonForce operates as a ransomware-as-a-service, providing tools and infrastructure for contracted hackers. The NCSC emphasizes that all organizations should follow the advice on its website to ensure they have appropriate measures in place to prevent attacks and effectively respond to and recover from them.
Recommended read:
References :
- bsky.app: Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre. The NCSC advice is the strongest hint yet the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.
- slcyber.io: Scattered Spider Linked to Marks & Spencer Cyberattack
- www.cybersecuritydive.com: UK authorities warn of retail-sector risks following cyberattack spree
- cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025.
- research.checkpoint.com: For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scattered
- www.itpro.com: Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
- www.ncsc.gov.uk: A joint blog post by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.
- BleepingComputer: UK shares security tips after major retail cyberattacks
@www.cybersecurity-insiders.com
//
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.
The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.
To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.
Recommended read:
References :
- DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
- Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
- securityaffairs.com: Luxury department store Harrods suffered a cyberattack
- The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
- www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
- Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
- techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
- Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
- NCSC News Feed: NCSC statement: Incident impacting retailers
- Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
- Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
- doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
- Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
- hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
- NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
- bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
- www.sentinelone.com: DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
- securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
- BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
- DataBreaches.Net: Co-op hackers boast of ‘stealing 20 million customers’ data’ – as retailer admits impacts of ‘significant’ attack
- www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
- www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
- Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
- arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
- Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
- Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
- arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
- www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
- cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
- cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
- www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
- www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
- cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
- CyberInsider: Co-op has officially confirmed that hackers accessed and exfiltrated member data in a recent cyberattack, marking a significant escalation in a wave of coordinated intrusions targeting UK retail giants.
- research.checkpoint.com: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
- Thomas Fox-Brewster: The Wiretap: A ‘Ransomware Cartel’ Causes Chaos
Dissent@DataBreaches.Net
//
British retailer Marks & Spencer (M&S) has been hit by a significant cyberattack, causing disruptions to its online order system and in-store contactless payments. The incident, which began last week, led to the temporary suspension of online orders and refunds for some customers. Cyber security experts now suspect the infamous Scattered Spider hacking collective is behind the attack, potentially crippling the retailer's systems and its ecommerce operation.
BleepingComputer reports that the ongoing outages at M&S are likely the result of a ransomware attack. The Scattered Spider group, known for targeting major organizations, is believed to have initially breached M&S's systems as early as February, allegedly stealing the NTDS.dit file from the Windows domain. This file contains user account and password information, enabling the attackers to move laterally across the network and gain control over more systems. The group then reportedly deployed the DragonForce encryptor against M&S’s virtual machines running on VMware ESXi hosts, launching the main attack on April 24th.
The cyberattack's impact extends beyond online services. M&S has acknowledged "pockets of limited availability" in its physical stores, with reports of empty shelves nationwide, indicating disruptions to the supply chain. Scattered Spider, also known as Octo Tempest, is a cybercriminal collective known for its sophisticated social engineering tactics, phishing, and multi-factor authentication (MFA) bombing, posing a significant threat to large enterprises. The attack on M&S underscores the urgent need for organizations to bolster their cybersecurity defenses and remain vigilant against evolving threats.
Recommended read:
References :
- bsky.app: Cyber security website @bleepingcomputer.com now reporting that the M&S hackers could be from Scattered Spider
- hackread.com: Scattered Spider Suspected in Major M&S Cyberattack
- research.checkpoint.com: British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments.
- ComputerWeekly.com: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer that has crippled systems at the retailer and left its ecommerce operation in disarray.
- DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
- BleepingComputer: Marks and Spencer breach linked to Scattered Spider ransomware attack.
- Tech Monitor: Cyberattack at Marks & Spencer, suspected to involve Scattered Spider hackers.
- www.bleepingcomputer.com: Marks & Spencer breach linked to Scattered Spider ransomware attack
- www.helpnetsecurity.com: Threat actors are from Scattered Spider, and that M&S’s virtual machines on VMware ESXi hosts have been encrypted with the DragonForce encryptor
- Help Net Security: Marks & Spencer cyber incident linked to ransomware group
- blog.checkpoint.com: The incident report details the significant disruptions to the retailer's systems, prompting the suspension of online orders and refunds for impacted customers.
- Check Point Research: The British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments.
- Danny Palmer: The Co-op has been forced to shut down parts of its IT system after discovering an attempted hack only days after the fellow retailer Marks & Spencer faced a serious cyber incident.
- Silicon Republic: M&S woes continue as Scattered Spider ransomware suspected
- ComputerWeekly.com: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer that has crippled systems at the retailer and left its ecommerce operation in disarray.
- www.cybersecurity-insiders.com: DragonForce Ransomware behind Mark and Spencer digital outage
- www.cybersecurity-insiders.com: Almost a week ago, renowned UK-based retailer Marks & Spencer (M&S) became the victim of a devastating cyber attack that left the company in full-blown disruption mode.
- Metacurity: Scattered Spider might be behind M&S attack
- cyberinsider.com: Marks & Spencer has disclosed a cyberattack targeting its internal systems, leading to disruptions in back-office and customer support operations. While the incident prompted precautionary security measures, all retail stores, funeral homes, and quick commerce services remain open and fully operational.
- Risky Business Media: British retail stalwart Marks & Spencer gets cybered
- www.standard.co.uk: Cybersecurity researchers reported a ransomware attack on Marks & Spencer, impacting online ordering and financial systems, which was attributed to the Scattered Spider group.
- ComputerWeekly.com: The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group.
- Searchlight Cyber: Scattered Spider Linked to Marks & Spencer Cyberattack
- thecyberexpress.com: Marks & Spencer Confirms Cybersecurity Incident After Days of Service Disruptions
@Talkback Resources
//
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.
Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone.
Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.
Recommended read:
References :
- Talkback Resources: Scattered Spider adds new phishing kit, malware to its web
- www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
- cyberpress.org: Article on conducting advances campaigns to steal login credentials and MFA tokens
- gbhackers.com: The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as Scattered Spider. Active since at least 2022, this group has been consistently refining its strategies for system compromise, data exfiltration, and identity theft. Silent Push analysts have tracked the evolution of Scattered Spider’s tactics, techniques, and procedures (TTPs) through early
- cybersecuritynews.com: Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens
- gbhackers.com: Scattered Spider Launches Sophisticated Attacks to Steal Login Credentials and MFA Tokens
Graham Cluley@Graham Cluley
//
Noah Urban, a 20-year-old from Palm Coast, Florida, has pleaded guilty to charges related to cryptocurrency thefts, conspiracy, wire fraud, and identity theft. Urban, known online as "King Bob," was a key member of the notorious Scattered Spider hacking gang. The charges stem from two federal cases, one in Florida and another in California. Urban's activities involved orchestrating sophisticated attacks, including SIM swapping, to steal hundreds of thousands of dollars in cryptocurrency from investors. He was arrested in January 2024, and during the raid, he reportedly attempted to wipe his computer and social media history in an effort to destroy evidence.
The cybercriminal's operations involved stealing victims' personal information and using it to hijack their phone numbers through SIM swap fraud. This allowed Urban and his accomplices to bypass two-factor authentication and gain unauthorized access to cryptocurrency wallets. They then transferred the cryptocurrency to their own accounts, netting significant profits. Urban's activities also extended to leaking songs from famous music artists after breaking into the accounts of music industry executives, disrupting planned album releases and causing financial and emotional strain on the artists involved.
As part of his plea agreement, Urban has agreed to forfeit his jewelry, currency, and cryptocurrency assets. He will also pay US $13 million in restitution to 59 victims. Urban is expected to be sentenced within the next 75 days. He faces a potentially long prison term, which will include an additional two-year sentence for aggravated identity theft, as it cannot be served concurrently with other charges. Other suspected members of the Scattered Spider gang remain under investigation, highlighting the ongoing efforts to combat this cybercriminal syndicate.
Recommended read:
References :
- bsky.app: Wild details here from a Scattered Spider hacker who pleaded guilty last week. Noah Urban from Florida was known online as 'King Bob' (yes from the Minions movie) and was making insane money from his hacking gang from the age of just 17...
- DataBreaches.Net: A 20-year-old Palm Coast man linked to a massive cybercriminal gang pleaded guilty in a Jacksonville federal courtroom Friday morning to charges including conspiracy and wire fraud.
- Cyber Security News: Noah Michael Urban, a 20-year-old Palm Coast resident known online as “King Bob,†pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
- securityaffairs.com: Noah Urban, a 20-year-old from Palm Coast, pleaded guilty to conspiracy, wire fraud, and identity theft in two federal cases, one in Florida and another in California.
- www.bitdefender.com: Noah Urban, a 20-year-old man linked to the Scattered Spider hacking gang, pleaded guilty to charges related to cryptocurrency thefts.
- cyberpress.org: A 20-year-old Palm Coast resident known online as “King Bob,” pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
- Cyber Security News: A 20-year-old Florida man identified as a key member of the notorious "Scattered Spider" cybercriminal collective has pleaded guilty to orchestrating sophisticated ransomware attacks and cryptocurrency theft schemes targeting major corporations.
- The Register - Security: Alleged Scattered Spider SIM-swapper must pay back $13.2M to 59 victims
- gbhackers.com: A 20-year-old Noah Urban, a resident of Palm Coast, Florida, pleaded guilty to a series of federal charges in a Jacksonville courtroom.
- www.404media.co: Wild details here from a Scattered Spider hacker who pleaded guilty last week.
- www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
|
|
FlagThis - #scatteredspider