
Scattered Spider crosses the Atlantic
Newest threats to retail sector
Shane Brown
5/19/2025 · 5 min read
Scattered Spider Crosses the Atlantic: Why U.S. Retailers Are the Next Target
The cybersecurity world is watching a troubling pattern unfold. After devastating attacks on major UK retailers like Marks & Spencer, Co-op, and Harrods, the notorious hacking group Scattered Spider has set its sights on American retailers. Google's Threat Intelligence Group recently confirmed what many security experts feared: the same cybercriminals wreaking havoc across the pond are now actively targeting U.S. retail companies.
This isn't just another cybersecurity threat—it's a wake-up call for an entire industry.
Who Is Scattered Spider?
Scattered Spider, also known as UNC3944, isn't your typical hacking group. Emerging in 2022, this collective consists largely of young hackers—some reportedly as young as sixteen—operating within a loose network called "the Community." Don't let their age fool you; they've already claimed high-profile victims including MGM Resorts International and Caesars Entertainment.
What makes Scattered Spider particularly dangerous is their strategic approach. Rather than scattering attacks randomly, they focus intensively on one industry at a time. After targeting financial services in late 2023 and food services in May 2024, retail has become their latest obsession.
The UK Retail Massacre: A Preview of What's Coming
The Marks & Spencer Case Study
In April 2025, Marks & Spencer became the poster child for Scattered Spider's capabilities. The attackers infiltrated M&S systems through a third-party vendor—a classic weak link in the security chain. Once inside, they deployed ransomware, encrypted critical infrastructure, and stole customer data.
The damage was immediate and devastating:
Online orders suspended for over three weeks
Weekly sales losses exceeding £40 million
Massive supply chain disruptions
Empty shelves and delayed shipments
M&S's decision to shut down IT operations to contain the breach only worsened the situation, highlighting the impossible choice between incident response and business continuity that every victim faces.
The Pattern Emerges
Similar attacks hit Co-op and Harrods, revealing Scattered Spider's sophisticated understanding of retail operations. They don't just encrypt random files—they target systems managing supply chains, customer data, and online sales platforms. The ripple effects extend far beyond the initial victim, impacting suppliers, partners, and customers throughout the ecosystem.
How They Do It: The Scattered Spider Playbook
Social Engineering Mastery
Scattered Spider's secret weapon isn't advanced malware or zero-day exploits—it's good old-fashioned manipulation. They've perfected the art of social engineering, often impersonating IT personnel to trick employees into providing access.
Their favorite tactics include:
MFA fatigue attacks: Bombarding users with login requests until someone approves one out of frustration
SIM swapping: Taking control of phone numbers to bypass two-factor authentication
Help desk exploitation: Posing as IT support to request password resets or device re-enrollment
The Technical Arsenal
Once they gain initial access, Scattered Spider moves quickly:
Bypass Multi-Factor Authentication: Using various techniques including MFA fatigue and SIM swapping
Escalate Privileges: Targeting Active Directory and identity management systems
Move Laterally: Using legitimate system tools like PowerShell to blend in with normal network activity
Exfiltrate Data: Stealing valuable information through encrypted channels
Deploy Ransomware: Encrypting critical systems while demanding cryptocurrency payments
The Third-Party Weakness
Perhaps most concerning is Scattered Spider's exploitation of third-party vendors. In an interconnected business world, these external connections often represent the weakest links in otherwise robust security programs. The M&S attack perfectly illustrates how a single compromised vendor can bring down an entire retail operation.
The U.S. Threat: It's Already Here
Google's Threat Intelligence Group confirmed in May 2025 that Scattered Spider has crossed the Atlantic. Within just ten days, multiple U.S. retailers reported cyberattacks matching the group's signature style. The FBI has stepped up cyber-intelligence briefings for major industry players, but the damage may already be underway.
While specific victim names remain largely confidential, reports indicate that three to five major U.S. retail firms have been compromised, with Ahold Delhaize USA (parent company of Giant and Food Lion) among the confirmed victims.
The Ransomware-as-a-Service Connection
Scattered Spider's effectiveness is amplified by their integration into the ransomware-as-a-service (RaaS) ecosystem. They've been linked to DragonForce and RansomHub platforms, which provide them with advanced encryption tools and dark-web infrastructure.
This collaboration model is reshaping cybercrime. Different groups share tools, techniques, and infrastructure, making attribution challenging and enabling rapid innovation. When one group develops a new attack method, it quickly spreads across the entire ecosystem.
The True Cost of Cyber Warfare
The impact extends far beyond immediate operational disruption:
Financial Losses
M&S: Over £40 million in weekly sales losses
Insurance claims potentially reaching £100 million
Costs of incident response, system restoration, and regulatory fines
Operational Chaos
Suspended online orders
Supply chain disruptions
Empty shelves and delayed shipments
Diverted resources to emergency response
Reputational Damage
Eroded consumer trust
Negative media coverage
Long-term impact on brand loyalty and customer confidence
Building Defenses: Lessons from the Front Lines
1. Harden Identity and Access Management
Implement phishing-resistant MFA solutions like hardware security keys. Enforce robust identity verification for high-risk changes, including on-camera ID checks and out-of-band confirmation. Monitor for anomalies like unauthorized MFA device registrations.
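An added example (not from the original article or any vendor tooling) of two identity signals discussed here: a burst of denied MFA pushes that ends in an approval, and a new MFA device registered shortly after a help desk password reset. The log layout, event names, usernames and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the layout and event names are assumptions.
RAW = """\
2025-05-19T02:00:05 alice mfa_push_denied
2025-05-19T02:00:40 alice mfa_push_denied
2025-05-19T02:01:10 alice mfa_push_denied
2025-05-19T02:01:55 alice mfa_push_denied
2025-05-19T02:03:02 alice mfa_push_approved
2025-05-19T09:15:00 bob mfa_push_denied
2025-05-19T09:15:30 bob mfa_push_approved
2025-05-19T11:00:00 carol helpdesk_password_reset
2025-05-19T11:12:00 carol mfa_device_registered
2025-05-19T14:00:00 dave mfa_device_registered
"""

def parse(raw):
    rows = (line.split() for line in raw.splitlines())
    return sorted((datetime.fromisoformat(t), u, k) for t, u, k in rows)

def push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Users who approved a push after >= threshold denials inside window."""
    denials, flagged = defaultdict(deque), set()
    for ts, user, kind in events:
        q = denials[user]
        while q and ts - q[0] > window:
            q.popleft()          # denial aged out of the window
        if kind == "mfa_push_denied":
            q.append(ts)
        elif kind == "mfa_push_approved":
            if len(q) >= threshold:
                flagged.add(user)
            q.clear()            # an approval ends the current burst
    return flagged

def reset_then_enroll(events, window=timedelta(hours=1)):
    """Users who registered an MFA device soon after a help desk reset."""
    last_reset, flagged = {}, set()
    for ts, user, kind in events:
        if kind == "helpdesk_password_reset":
            last_reset[user] = ts
        elif kind == "mfa_device_registered":
            if user in last_reset and ts - last_reset[user] <= window:
                flagged.add(user)
    return flagged

if __name__ == "__main__":
    print(push_fatigue(parse(RAW)), reset_then_enroll(parse(RAW)))
```

Tune the threshold and windows against your own baseline, since a single mistaken denial followed by an approval (bob in the sample) is normal user behavior.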
2. Strengthen Third-Party Risk Management
Conduct regular security assessments of vendors and enforce least-privilege access controls. Require vendors to meet the same security standards as internal teams. Develop incident response plans that account for third-party compromise.
3. Enhance Employee Training
Regular phishing simulations and clear reporting channels for suspicious activity are essential. Train help desk staff to verify identities before making sensitive changes and empower them to escalate suspicious requests.
4. Invest in Detection and Response
Advanced threat detection tools like EDR and SIEM systems can identify threats before widespread damage occurs. Regular tabletop exercises ensure teams are prepared for real-world incidents.
5. Collaborate Across the Industry
Share threat intelligence and coordinate responses through industry groups and government agencies. Engage with the FBI and CISA for timely alerts and guidance on evolving threats.
What This Means for the Future
Scattered Spider represents more than just another cyber threat—they embody the evolution of modern cybercrime. Young, decentralized, and technically sophisticated, they operate in a world where traditional boundaries between criminal groups are increasingly blurred.
The retail sector, with its complex supply chains and reliance on third-party vendors, presents an attractive target. As these attacks continue, we can expect:
Increased regulatory scrutiny and stricter compliance requirements
Changes in cyber insurance markets, with higher premiums and new coverage conditions
Greater emphasis on sector-specific security strategies
The Bottom Line
Scattered Spider's transatlantic campaign isn't just a threat—it's a reality that's already impacting U.S. retailers. The group's mastery of social engineering, ability to bypass sophisticated security controls, and integration into the ransomware-as-a-service ecosystem make them formidable adversaries.
For U.S. retailers, the message is clear: the time for reactive cybersecurity is over. Organizations must adopt proactive, comprehensive security strategies that address not just technical vulnerabilities but human factors and third-party risks as well.
The attacks on UK retailers serve as both a warning and a roadmap. By learning from these incidents and implementing robust defensive measures, U.S. retailers can build resilience against this persistent and evolving threat.
Scattered Spider may have crossed the Atlantic, but that doesn't mean they have to succeed. The question isn't whether they'll target your organization—it's whether you'll be ready when they do.
© Sinister Gate Designs, LLC 2025. All rights reserved.