Who are the hackers targeting UK retail and how can businesses stay safe?

Updated as of: 21 May 2025

Scattered Spider is the hacking group thought to be responsible for recent cyber-attacks against UK retailers. Analysts predict US companies could be their next target, emphasising the need for robust cyber protections.


The UK National Crime Agency (NCA) says hacking group Scattered Spider is at the centre of its investigation into the string of cyber-attacks against UK high street retailers.

"We are looking at the group that is publicly known as Scattered Spider, but we've got a range of different hypotheses and we'll follow the evidence to get to the offenders," Paul Foster, head of the NCA's national cyber-crime unit told the media. 

Scattered Spider is a group of cyber criminals, composed primarily of young, native English-speaking individuals, that typically targets high-profile organisations using a combination of social engineering and technical hacking techniques.

The recent spate of attacks in the UK has wreaked havoc on businesses and consumers. Marks and Spencer (M&S) predicts it will lose up to £300 million (US$403 million) in trading profits and that disruption to its services will last until July.

Both M&S and the Co-op have confirmed that the hackers gained access to customers’ personal data, including names, contact details and potentially partial payment details.

Analysts think Scattered Spider may now be targeting similar companies in the US. The group is known to typically target organisations in English-speaking regions.

Lexology PRO explores the group behind the recent cyber-attacks and the steps businesses can take to safeguard themselves against similar threats. 

Who are Scattered Spider?

Scattered Spider is composed primarily of native English-speaking young men based in the US and UK. The cyber threat group carries out financially motivated ransomware and data theft extortion attacks.

They are notorious for their persistent use of social engineering to gain access to their targets’ IT systems. The fact that their members speak English may make it easier for them to impersonate employees and gain their victims’ trust. The group is also known to use phishing, SIM-swapping and MFA fatigue tactics to hack companies. 

What companies might they attack next?

Scattered Spider “tends to focus on a particular industry and geography for a few weeks and then move on to something else,” stated Charles Carmakal, chief technology officer at Google’s Mandiant cybersecurity unit. The group is currently focused on retail organisations and is shifting its focus from the UK to the US, he said. 

In the past, the group has targeted businesses in the US, UK, Canada, Australia, Singapore and India. Organisations with large help desks and/or outsourced IT functions are the group’s most common targets, likely because they may be more susceptible to social engineering tactics.

How can companies protect themselves? 

Given the far-reaching and costly consequences for businesses impacted by cyber-attacks, it’s vital to have effective measures in place to prevent such incidents and respond quickly when they arise. 

Here are some steps companies can take to help avoid falling victim to cyber criminals. 

Engage in proactive threat monitoring 

Companies should engage in continuous monitoring and advanced threat detection to help identify any cyber incidents as soon as possible. It is also vital to ensure that third-party suppliers have robust security measures and response plans in place.

Threat detection should include carrying out an urgent forensic review of Microsoft 365 and Teams logs to identify any abnormal access patterns or misuse that could indicate a malicious actor.
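
As an added illustration (not part of the original article), the sketch below shows one abnormal access pattern such a log review can look for: the MFA fatigue tactic mentioned above, where a user approves a prompt after a burst of denied ones. The record layout, thresholds and sample events are constructed assumptions and do not follow the Microsoft 365 export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed layout:
# (timestamp, user, source IP, MFA prompt result).
SAMPLE_EVENTS = [
    ("2025-05-20T02:10:00", "alice@example.com", "203.0.113.7", "denied"),
    ("2025-05-20T02:11:00", "alice@example.com", "203.0.113.7", "denied"),
    ("2025-05-20T02:12:00", "alice@example.com", "203.0.113.7", "denied"),
    ("2025-05-20T02:13:00", "alice@example.com", "203.0.113.7", "denied"),
    ("2025-05-20T02:14:00", "alice@example.com", "203.0.113.7", "denied"),
    ("2025-05-20T02:15:00", "alice@example.com", "203.0.113.7", "approved"),
    # One mistyped prompt followed by a normal approval: not suspicious.
    ("2025-05-20T09:00:00", "bob@example.com", "198.51.100.4", "denied"),
    ("2025-05-20T09:01:00", "bob@example.com", "198.51.100.4", "approved"),
    # Denials spread over a working day: outside any single window.
    ("2025-05-20T08:00:00", "carol@example.com", "192.0.2.9", "denied"),
    ("2025-05-20T10:00:00", "carol@example.com", "192.0.2.9", "denied"),
    ("2025-05-20T12:00:00", "carol@example.com", "192.0.2.9", "denied"),
    ("2025-05-20T14:00:00", "carol@example.com", "192.0.2.9", "denied"),
    ("2025-05-20T14:01:00", "carol@example.com", "192.0.2.9", "approved"),
]


def find_mfa_fatigue(events, min_denials=4, window=timedelta(minutes=10)):
    """Flag approvals that follow at least min_denials denied prompts within window."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, result))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per user
        denials = []  # timestamps of denied prompts still inside the window
        for when, ip, result in rows:
            denials = [d for d in denials if when - d <= window]
            if result == "denied":
                denials.append(when)
            elif result == "approved":
                if len(denials) >= min_denials:
                    alerts.append({"user": user, "ip": ip, "denials": len(denials),
                                   "approved_at": when.isoformat()})
                denials = []  # an approval ends the current burst
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert from this check is a prompt for follow-up with the user and a review of what the session did after the approval, not proof of compromise on its own.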

Implement strong authentication and access restrictions 

Having robust identity verification and access restrictions in place is particularly important for preventing social engineering attacks, whereby hackers seek to gain employees’ trust and persuade them to hand over or change login details. 

The UK National Cyber Security Centre (NCSC) recommends the use of 2-step verification, which helps prevent criminals from accessing accounts, even if they already know the password.

Utilising access restrictions means that employees only have access to the data and functionality that is necessary to fulfil their role. Ensuring that the smallest number of individuals possible control admin accounts and management interfaces reduces the likelihood of them falling into the hands of hackers. 

Implement staff training

Companies should introduce cyber threat training to ensure all employees are aware of the risks and can identify suspicious emails, links or attachments. This should be in addition to training about basic “security hygiene,” encouraging employees to utilise strong passwords, multi-factor authentication etc.

Employees within the IT function and/or helpdesk should receive specific training about how to identify and prevent social engineering attacks.

Prepare an incident response plan

It’s vital for companies to establish a thorough cyber incident response plan that will enable them to regain control as soon as possible and minimise disruption if an attack does occur. The plan should set out:

  • who will oversee the response to a cyber incident;
  • the escalation criteria;
  • when it’s necessary to report a cyber incident to authorities;
  • the strategy for informing customers, the media and other stakeholders about the incident;
  • the post-incident analysis to identify the root cause and prevent future occurrences.

Participate in information sharing and collaboration

To keep abreast of the latest threat intelligence and security best practices, companies should engage in industry-wide information sharing initiatives. This should help enable rapid, coordinated responses to future attacks, spread awareness about emerging cyber threats and potentially reduce the overall cost of defending against attacks by collating resources. 
