
Scattered Spider retail attacks spreading to US, says Google | Computer Weekly

News Room
Last updated: 2025/05/14 at 10:52 PM
News Room Published 14 May 2025

Retailers in the United States are now coming under attack from Scattered Spider, the English-speaking hacking collective that is suspected of being behind a series of DragonForce ransomware attacks on high street stores Marks & Spencer (M&S) and Co-op, according to Google’s Threat Intelligence Group (GTIG).

GTIG and its cohorts at Google Cloud’s Mandiant threat intel unit said the cyber attacks are still under investigation, and for reasons of privacy the researchers have not yet named any victims in the US. The team also held back from providing any formal attribution at this time.

“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” GTIG chief analyst John Hultquist told Computer Weekly via email this afternoon.

“The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note,” said Hultquist.

Hultquist described Scattered Spider as aggressive, creative, and highly adept at circumventing even the most mature security programmes and defences.

“They have had a lot of success with social engineering and leveraging third parties to gain entry to their targets. Mandiant has provided a hardening guide based on our experience with more details on their tactics and steps organisations can take to defend themselves,” said Hultquist.

Identity, authentication the first line of defence

When defending against Scattered Spider, hardening identity verification and authentication practices is of utmost importance, said Mandiant.

The gang has proven highly effective at using social engineering techniques to impersonate users contacting its victims’ IT helpdesks, so as a first step, helpdesk staff will need additional training to positively identify inbound contacts, using methods such as on-camera or in-person verification, government ID verification, or challenge and response questions.

Security teams may also want to look into temporarily disabling, or enhancing validation, for self-service password resets, and routing both these and multifactor authentication resets through manual helpdesk workflows for the time being. Employees should also be made to authenticate prior to changing authentication methods, such as adding a new phone number.

Security teams can also implement additional safeguards such as requiring changes to be made from trusted office locations, or using out-of-band verification, such as a call back to an employee’s registered mobile number, before proceeding with a sensitive request.

It may also be worth considering taking steps such as banning SMS, phone call or email as authentication controls, using phishing-resistant MFA apps, and using FIDO2 security keys for privileged identities. Ultimately, said Mandiant, the goal should be to transition to passwordless authentication if possible.

More widely, non-IT staff should be taught to avoid relying on publicly available data for verification, such as dates of birth, or the last four digits of US Social Security Numbers.
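
The controls described above can be expressed as a single gate that every sensitive identity request passes through. The following is an added example, not code from Mandiant, Google or the original article; the record fields, check names and refusal messages are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass, field

WEAK_FACTORS = {"sms", "phone_call", "email"}        # channels the article suggests banning
PUBLIC_DATA = {"date_of_birth", "ssn_last4"}         # discoverable, so not proof of identity
STRONG_CHECKS = {"on_camera", "in_person", "government_id",
                 "challenge_response", "callback_registered_mobile"}

@dataclass
class ChangeRequest:               # hypothetical record of one sensitive identity request
    user: str
    action: str                    # "password_reset", "mfa_reset" or "add_method"
    channel: str                   # "self_service" or "helpdesk"
    privileged: bool = False
    authenticated: bool = False    # requester signed in before asking for the change
    trusted_location: bool = False # request came from a trusted office network
    new_method: str = ""           # factor being enrolled when action is "add_method"
    checks: set = field(default_factory=set)   # identity checks actually completed

def evaluate(req):
    """Return reasons to refuse the request; an empty list means it may proceed."""
    reasons = []
    if req.action in {"password_reset", "mfa_reset"} and req.channel == "self_service":
        reasons.append("route resets through the manual helpdesk workflow")
    if req.action == "add_method":
        if not req.authenticated:
            reasons.append("authenticate before changing authentication methods")
        if req.new_method in WEAK_FACTORS:
            reasons.append(f"{req.new_method} is not accepted as an authentication control")
        if req.privileged and req.new_method != "fido2_key":
            reasons.append("privileged identities must enrol a FIDO2 security key")
    if req.channel == "helpdesk" and not (req.checks & STRONG_CHECKS):
        reasons.append("verified only with public data" if req.checks & PUBLIC_DATA
                       else "no positive identity verification completed")
    if not req.trusted_location and "callback_registered_mobile" not in req.checks:
        reasons.append("untrusted location: call back the registered mobile first")
    return reasons

# Constructed sample requests, not taken from any real incident.
SAMPLE = [
    ChangeRequest("j.doe", "mfa_reset", "helpdesk", checks={"date_of_birth", "ssn_last4"}),
    ChangeRequest("admin.ops", "add_method", "self_service", privileged=True,
                  authenticated=True, trusted_location=True, new_method="fido2_key"),
    ChangeRequest("admin.ops", "add_method", "self_service", privileged=True,
                  authenticated=True, trusted_location=True, new_method="sms"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.user, r.action, evaluate(r) or "allow")
```

The first sample models a helpdesk caller who can recite only a date of birth and the last four digits of a Social Security Number, and it is refused on both the verification and the location check.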

With no US retailers yet publicly named as victims of Scattered Spider’s campaign, Nic Adams, co-founder and CEO at 0rcus, a security automation platform, said the identities of victims were largely irrelevant given the commoditisation of the threat chain.

“Whether DragonForce, Scattered Spider, or a shared affiliate ring executed the intrusion is irrelevant. Who the hell cares. An overlap in TTPs proves the industrialisation of compromise. Threat actors don’t need advanced exploits. Simply put, organisational blindness to behavioral anomalies, lax identity workflows, IT helpdesks that treat social engineering as a customer service moment. I call this the breach-point. Continuing to focus on malware or ransomware only further validates trust flow mismanagement,” said Adams.

“Phishing, cred abuse, Cobalt Strike, LOTL movement, SystemBC tunnels, Mimikatz extractions, data staging to MEGA is now a commodity kill chain. What came after was orchestration: full access, lateral expansion, data exfiltration, selective encryption, ransom leverage. The payload was just a press release because the campaign had already succeeded long before that binary detonated.”

Adams called on organisations to start thinking like threat actors. “The next breach will follow the same path. One-click, credential, absent defence layer. Another billion in market cap evaporated,” he said. 

“Organisations that survive what’s coming will be those that embed threat logic at the protocol level, assign root access to operators who know what adversaries build, and stop misleading everyone by asserting compliance equals control. You can’t outsource this. You can’t automate this. You either build with black hats or remain target practice for those who take the hint.”

M&S insurance claim likely to top £100m

Back in the UK, reports today (14 May) suggested that M&S’ insurers may find themselves on the hook for as much as £100m following the ransomware attack, with Allianz and Beazley particularly exposed.

According to the Financial Times, the claim would likely cover lost online sales and data breach liability losses following the theft of customer data from the retailer’s systems. M&S has already lost tens of millions of pounds as a result of the cyber attack, which has left its food supply chains in disarray.
