Scattered Spider appears to be the name on every security practitioner’s mind right now after reports linked the cyber criminal group to the M&S cyber attack.
The high street retailer has been battling a ‘cyber incident’ for well over a week, with an attack severely disrupting systems and forcing it to suspend online sales. Exact details on the attack remain scarce, but reports from BleepingComputer suggest Scattered Spider is enemy number one.
Adding more fuel to the fire, we now have similar incidents – albeit on what appear to be a less extreme scale – at two more high street retailers, the Cooperative Group and luxury department store Harrods.
There’s currently no evidence linking the group to these particular attacks, but speculation is still rife online regardless.
But what makes Scattered Spider such a formidable adversary for security teams?
Scattered Spider on the rise
Scattered Spider has rapidly emerged as a highly aggressive cyber criminal group, and has claimed responsibility for attacks on a flurry of organizations globally.
In late 2023, the group brought MGM Resorts to its knees in a ransomware attack, stealing customer’s personal information and costing the hotel and casino group an estimated $100 million in damages.
Naturally, this incident prompted a global manhunt for those involved in the group, which appeared to culminate in November 2024 when US prosecutors charged five people accused of involvement in its activities.
This included five Americans and one Scot, which didn’t exactly paint a familiar picture considering headline-grabbing arrests in recent years have frequently involved Russian nationals, for example.
But it’s this that makes the group somewhat tricky to pin down, according to Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf.
Hostetler described Scattered Spider as a ‘geographically diverse and loosely knit group of threat actors” involved in ransomware and other financially-motivated cyber crime activities.
“Some people affiliated with the group refer to themselves as ‘the Comm’, and researchers have labeled them with names such as UNC3944, Scatter Swine, and Muddled Libra,” he said.
“They are known to participate in ransomware attacks using a handful of well-documented tactics and have demonstrated proficiency with cloud-hosted infrastructure.”
Adding to the potency of the group is the fact that ‘the Comm’ is believed to include affiliates of other ransomware gangs, according to Hostetler, such as BlackCat/ALPHV and the LAPSUS$ group.
How Scattered Spider operates
The group is known to primarily target organizations with social engineering techniques, according to Jake Moore, Global Cybersecurity Advisor at ESET.
“Scattered Spider has been linked to dozens of attacks over the last few years targeting all sectors,” he explained. “Their tactics often target the human element of an attack including social engineering and SIM swapping attacks before deploying ransomware on a target device.”
Hostetler noted their “favored technique” is phishing. This often involves creating bogus login pages that closely mimic corporate sign-in portals, for example.
Additionally, the group has been known to create fake domains on targeted brands – again this is used as a means to dupe unsuspecting users and give them an opportunity to break through an organization’s defenses.
“They’ve also been known to steal credentials via SMS phishing operations and pose as fake IT staff, in a bid to gain access to – and wreak havoc in – victim organizations,” Hostetler added.
MORE FROM ITPRO
Source link
-
-
-
-
-
-
-
-
