CyberSecurity news

FlagThis - #scatteredspider

@blog.checkpoint.com //
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.

In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi.

The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access.

Recommended read:
References :
  • blog.checkpoint.com: Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
  • Resources-2: Tracking Scattered Spider Through Identity Attacks and Token Theft
  • Cloud Security Alliance: Scattered Spider: The Group Behind Major ESXi Ransomware Attacks
  • BrianKrebs: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • infosec.exchange: 3 teenagers aged 17-19 and a 20-year-old woman arrested in the UK this morning in connection with cyber attacks on Marks & Spencer (M&S) and Co-op retail chains in April-May this year
  • Zack Whittaker: New, by me: U.K. authorities have confirmed the arrest of four alleged hackers behind the recent U.K. retail hacking spree targeting Marks & Spencer, Harrods, and the Co-op earlier this year. The hackers are allegedly linked to Scattered Spider; one of the suspects is aged 17.
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • SecureWorld News: 4 Arrested in U.K. for Cyberattacks on Retail Tied to Scattered Spider
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • www.nationalcrimeagency.gov.uk: Report on the arrests of four individuals linked to the Scattered Spider hacking group for the cyberattacks on UK retailers.
  • The Register - Security: NCA arrests four in connection with UK retail ransomware attacks
  • krebsonsecurity.com: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • thecyberexpress.com: UK NCA Arrests Four in Cyberattacks on M&S, Co-op, and Harrods
  • HYPR Blog: Deconstructing the Gen-Z Hackers behind the £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • cyberscoop.com: UK arrests four for cyberattacks on major British retailers
  • Threats | CyberScoop: UK arrests four for cyberattacks on major British retailers
  • WIRED: 4 Arrested Over Scattered Spider Hacking Spree
  • blog.knowbe4.com: Alert from KnowBe4 about Scattered Spider targeting the aviation sector.
  • Metacurity: UK's NCA arrested four people for M&S, Co-Op cyberattacks
  • Risky.Biz: Four Key Players Drive Scattered Spider
  • Talkback Resources: UK charges four in Scattered Spider ransom group
  • TechInformed: Four people have been arrested as part of a National Crime Agency (NCA) investigation into cyberattacks targeting major UK retailers M&S, Harrods and Co-op.
  • Help Net Security: The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.
  • hackread.com: UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods
  • securityaffairs.com: UK NCA arrested four people over M&S, Co-op cyberattacks
  • BleepingComputer: The UK's National Crime Agency (NCA) arrested four people suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.

Zack Whittaker@techcrunch.com //
The FBI and cybersecurity firms are issuing warnings about the cybercrime group Scattered Spider, which has recently shifted its focus to targeting airlines and the transportation sector. According to a statement released by the FBI and reported by TechCrunch, recent cyberattacks resembling those of Scattered Spider have been observed within the airline sector. Cybersecurity experts from Google's Mandiant and Palo Alto Networks' Unit 42 have also confirmed witnessing Scattered Spider attacks targeting the aviation industry. This shift in focus comes after the group recently targeted the U.K. retail and insurance industries, and previously, tech companies.

Scattered Spider is known to employ social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve bypassing multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. The FBI warns that Scattered Spider targets large corporations and their third-party IT providers, meaning any organization within the airline ecosystem, including trusted vendors and contractors, could be at risk. Unit 42 has also warned that organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.

Once inside a system, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims. The agency emphasizes the importance of early reporting, as it allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. The recent attacks on the airline sector follow reported intrusions at Hawaiian Airlines and WestJet, with media reports linking the WestJet incident to Scattered Spider. The FBI recommends quickly reporting incidents to allow them to act fast, share intelligence, and limit damage.

Recommended read:
References :
  • Zack Whittaker: Mandiant and Unit 42 say Scattered Spider attacks now targeting airlines and the transportation industry, the latest sector after recently hitting U.K. retail, insurance, and before that, tech companies.
  • securityaffairs.com: The FBI warns that Scattered Spider is now targeting the airline sector.
  • techcrunch.com: FBI, cybersecurity firms say a prolific hacking crew is now targeting airlines and the transportation sector
  • Zack Whittaker: New: Mandiant and Unit 42 say Scattered Spider attacks now targeting airlines and the transportation industry, the latest sector after recently hitting U.K. retail, insurance, and before that, tech companies.
  • techcrunch.com: Prolific cybercrime gang now targeting airlines and the transportation sector
  • cyberscoop.com: Hawaiian Airlines announced a cybersecurity incident Friday as security experts warned of a sector-wide threat.
  • The Hacker News: The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector.
  • Threats | CyberScoop: Scattered Spider strikes again? Aviation industry appears to be next target for criminal group
  • Risky.Biz: Risky Bulletin: Scattered Spider goes after aviation sector
  • Risky Business Media: Risky Bulletin: Scattered Spider targets the aviation sector
  • Metacurity: Airlines, transportation sector are Scattered Spider's latest targets
  • www.itpro.com: The Scattered Spider hacker group has a new industry in its crosshairs

info@thehackernews.com (The@The Hacker News //
Scattered Spider, a cybercrime collective known for targeting U.K. and U.S. retailers, has shifted its focus to the U.S. insurance industry, according to warnings issued by Google Threat Intelligence Group (GTIG). The group, tracked as UNC3944, is known for utilizing sophisticated social engineering tactics to breach organizations, often impersonating employees, deceiving IT support teams, and bypassing multi-factor authentication (MFA). Google is urging insurance companies to be on high alert for social engineering schemes targeting help desks and call centers, emphasizing that multiple intrusions bearing the hallmarks of Scattered Spider activity have already been detected in the U.S.

GTIG's warning comes amidst a recent surge in Scattered Spider activity, with multiple U.S.-based insurance companies reportedly impacted over the past week and a half. The threat group has a history of targeting specific industries in clusters, with previous attacks impacting MGM Resorts and other casino companies. Security specialists emphasize that Scattered Spider often targets large enterprises with extensive help desks and outsourced IT functions, making them particularly susceptible to social engineering attacks. The group is also suspected of having ties to Western countries.

The shift in focus towards the insurance sector follows Scattered Spider's previous campaigns targeting retailers, including a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. To mitigate against Scattered Spider's tactics, security experts recommend enhancing authentication, enforcing rigorous identity controls, implementing access restrictions, and providing comprehensive training to help desk personnel to effectively identify employees before resetting accounts. One insurance company, Erie Insurance, has already reported a cyberattack earlier this month, although the perpetrators have not yet been identified.

Recommended read:
References :
  • Threats | CyberScoop: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
  • The Hacker News: Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms
  • www.cybersecuritydive.com: Threat group linked to UK, US retail attacks now targeting insurance industry
  • hackread.com: Scattered Spider Aims at US Insurers After UK Retail Hit, Google Warns
  • The Record: Security analysts at Google’s Threat Intelligence Group published a warning this week to insurance companies, writing that it is “now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.â€
  • www.scworld.com: Scattered Spider group attacking US insurance industry, Google says
  • SecureWorld News: Scattered Spider Swarms Insurance Sector with Targeted Cyber Attacks, Google Warns
  • Zack Whittaker: Google's John Hultquist says in an emailed statement that the company is seeing "multiple intrusions in the US" that bear the hallmarks of Scattered Spider activity and "now seeing incidents in the insurance industry." Google spokesperson confirmed there's more than one U.S.-based insurance victim.
  • cyberscoop.com: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
  • www.cybersecuritydive.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • www.cyjax.com: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
  • eSecurity Planet: Aflac confirms a cyberattack exposed sensitive customer data, citing social engineering tactics amid a wave of breaches targeting US insurers.
  • CYJAX: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
  • cyberscoop.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • DataBreaches.Net: Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Threats | CyberScoop: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • www.prnewswire.com: Aflac incorporated discloses cybersecurity incident.
  • cyberpress.org: Aflac Incorporated, a major U.S.-based insurance company, reported a significant cybersecurity breach involving unauthorized access to its corporate network.
  • www.techradar.com: Reports details on a cyberattack targeting Aflac
  • techcrunch.com: US insurance giant Aflac says customers’ personal data stolen during cyberattack

Dhara Shrivastava@cysecurity.news //
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.

The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise.

In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information.

Recommended read:
References :
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?

Sergiu Gatlan@BleepingComputer //
Google's Threat Intelligence Group has issued a warning that the cyber collective known as Scattered Spider is now actively targeting US retailers after causing significant disruption to UK retailers like Marks & Spencer, Co-op, and Harrods. This group, also known as UNC3944, employs advanced cyber tactics including social engineering attacks like phishing, SIM swapping, and multi-factor authentication (MFA) bombing to infiltrate organizations. These methods allow the attackers to gain unauthorized access to sensitive systems and data. Experts are urging US retailers to take immediate note of Scattered Spider's tactics.

The shift in focus from UK to US retailers signals a strategic move by Scattered Spider, driven by the potential for higher financial gains and the opportunity to exploit vulnerabilities in the US retail sector’s cybersecurity infrastructure. The group's evolving tactics include new phishing kits and malware, such as the Spectre RAT, used to gain persistent access to compromised systems and exfiltrate sensitive data. Scattered Spider is believed to be composed mainly of young, English-speaking individuals based in the UK and US, and has reportedly executed over 100 cyberattacks.

Marks & Spencer has already experienced prolonged disruption following a large-scale cyberattack, highlighting the potential impact on US retailers. Customer data was stolen in the M&S cyberattack, forcing password resets and hampering online services. The stolen data included names, dates of birth, home addresses, and telephone numbers. While usable payment or card details were not compromised, the incident underscores the significant risk Scattered Spider poses to the digital infrastructures of US retailers, and experts warn that restoring normal operations could take months.

Recommended read:
References :
  • boB Rudis ?? ?? ??: I despise threat actor names, and am loathe to repeat "Scattered Spider" — now, but they did alot of damage to U.K. retailers and have set their sights on 'Murican retailers. They. Are. Not. Ready. (tho walmart may be…their cyber teams are ace) Buy what you need *now*.
  • The DefendOps Diaries: Explore how Scattered Spider targets US retailers with advanced cyber tactics, posing significant threats to digital infrastructures.
  • BleepingComputer: Google warned today that hackers using Scattered Spider tactics against retail chains in the United Kingdom have also started targeting retailers in the United States.
  • www.cysecurity.news: Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers.
  • ComputerWeekly.com: Details that scattered Spider retail attacks are spreading to US, says Google
  • therecord.media: "US retailers should take note" of recent cyberattacks on British companies, according to Google's Threat Intelligence Group, as the financially motivated collective known as Scattered Spider appears to be connected.
  • techinformed.com: Retail hackers speak to BBC, as Google warns US stores are next
  • The Record: "US retailers should take note" of recent cyberattacks on British companies, according to Google's Threat Intelligence Group, as the financially motivated collective known as Scattered Spider appears to be connected.
  • TechInformed: Retail hackers speak to BBC, as Google warns US stores are next
  • www.csoonline.com: ‘Aggressive, creative’ hackers behind UK breaches now eyeing US retailers
  • www.cybersecurity-insiders.com: Google warns of US retail cyber attacks and M & S insurance payout to cost £100m
  • www.cybersecurity-insiders.com: Google warns of US retail cyber attacks and M & S insurance payout to cost £100m
  • www.cybersecuritydive.com: Researchers warn threat actors in UK retail attacks are targeting US sector.
  • www.itnews.com.au: Google says hackers that hit UK retailers now targeting American stores
  • Tech Monitor: Google warns US retailers of Scattered Spider cyber threats
  • techhq.com: Hackers behind M&S breach may target US next
  • Cybersecurity Blog: UK Retailers Cyber Attack Saga; Is USA next for Scattered Spider?
  • The Register - Security: Cyber fiends battering UK retailers now turn to US stores
  • hackread.com: Hackers Now Targeting US Retailers After UK Attacks, Google
  • SecureWorld News: Scattered Spider Strikes Again: U.K. Attacks Spark U.S. Retailer Alarm
  • securityaffairs.com: Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting U.S. companies, shifting their focus across the Atlantic.
  • www.techradar.com: Google is warning that the UK is no longer the only target as multiple retailers report suffering an attack.
  • Blog: Scattered Spider shifts focus to US targets
  • DataBreaches.Net: Ex-NSA bad-guy hunter listened to Scattered Spider’s fake help-desk calls: ‘Those guys are good’
  • bsky.app: -Chrome will de-elevate when run with admin privileges -US' largest steel producer halts production after cyberattack -Scattered Spider shifts to US retailers
  • securityaffairs.com: Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting U.S. companies, shifting their focus across the Atlantic.

Mayura Kathir@gbhackers.com //
Scattered Spider, a sophisticated hacking collective known for its social engineering tactics, has allegedly breached Marks & Spencer by targeting the company's IT help desk. The cybercriminals reportedly duped an IT help desk employee into resetting a password, which then granted them access to internal networks. This breach is said to have disrupted M&S's online operations, leading to the temporary suspension of online orders, as reported between April and May 2025. Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, has become prominent for using social engineering to exploit corporate service desks.

This attack on Marks & Spencer is part of a broader trend impacting UK retailers. The National Cyber Security Centre (NCSC) has issued warnings to organizations, urging them to be wary of phony IT helpdesk calls. Other retailers such as Co-op and Harrods have also been linked to attacks resulting in stolen member data and crippled payment systems. Any organization with a service desk is theoretically vulnerable to these low-tech, high-impact tactics employed by Scattered Spider and similar groups.

Scattered Spider is believed to be composed of young US and UK citizens who are part of a collective known as "The Comm," an underground community of English-speaking criminals that communicates and coordinates using social media platforms like Discord or Telegram. While five users associated with Scattered Spider, including the alleged leader, were detained in the first half of 2024, the complete composition of the group remains undetermined. After a period of relative silence following these arrests, Scattered Spider has resurfaced with this latest string of attacks on UK retail brands, prompting renewed cybersecurity concerns.

Recommended read:
References :
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • specopssoft.com: Scattered Spider service desk attacks: How to defend your organization
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • www.cysecurity.news: M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • gbhackers.com: Cyberattackers Targeting IT Help Desks for Initial Breach
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
  • Malware ? Graham Cluley: Smashing Security podcast #416: High street hacks, and Disney’s Wingdings woe
  • BleepingComputer: M&S says customer data stolen in cyberattack, forces password resets
  • ComputerWeekly.com: M&S forces customer password resets after data breach
  • www.itpro.com: M&S confirms customer personal data was stolen in recent attack
  • BleepingComputer: Hackers behind UK retail attacks now targeting US companies
  • ComputerWeekly.com: Scattered Spider retail attacks spreading to US, says Google
  • www.cysecurity.news: Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider

@cyble.com //
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.

The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.

To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • www.bloomberg.com: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • www.bleepingcomputer.com: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • : Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.

Shivani Tiwari@cysecurity.news //
References: bsky.app , slcyber.io , cyble.com ...
The UK's National Cyber Security Centre (NCSC) has issued an advisory following a series of cyberattacks targeting major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods. These incidents, which began in April 2025, have prompted warnings for organizations to remain vigilant and implement robust cybersecurity measures. The NCSC is working closely with affected organizations to understand the nature of the intrusions and provide targeted advice to the broader retail sector.

The NCSC's advice strongly suggests the involvement of Scattered Spider, a group of English-speaking cyber criminals previously linked to breaches at MGM Resorts and Caesars Entertainment in the U.S. Scattered Spider is believed to have deployed ransomware to encrypt key systems at M&S, causing significant disruption, including the suspension of online sales. Authorities are urging security teams to implement multi-factor authentication, monitor for risky logins, and review help desk login procedures to mitigate potential ransomware attacks.

While investigations are ongoing to determine if the attacks are linked or the work of a single actor, reports suggest that a group called DragonForce may also be involved. DragonForce operates as a ransomware-as-a-service, providing tools and infrastructure for contracted hackers. The NCSC emphasizes that all organizations should follow the advice on its website to ensure they have appropriate measures in place to prevent attacks and effectively respond to and recover from them.

Recommended read:
References :
  • bsky.app: Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre. The NCSC advice is the strongest hint yet the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.
  • slcyber.io: Scattered Spider Linked to Marks & Spencer Cyberattack
  • www.cybersecuritydive.com: UK authorities warn of retail-sector risks following cyberattack spree
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025.
  • research.checkpoint.com: For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scattered
  • www.itpro.com: Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
  • NCSC Feed: A joint blog post by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.
  • BleepingComputer: UK shares security tips after major retail cyberattacks
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025. The UK’s National Cyber Security Centre (NCSC) is currently working alongside these retailers to investigate the attacks and mitigate potential damage.
  • phishingtackle.com: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen. The National Cyber Security Centre (NCSC) has since warned that cybercriminals are impersonating IT … The post appeared first on .
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • www.cysecurity.news: The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,†said NCSC CEO Dr Richard Horne.
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.