HIGH: Scattered Spider Returns: UK Retail Giants Fall to Social Engineering Blitz
Scattered Spider, the group behind the MGM and Caesars attacks, has hit Marks & Spencer, Co-op, and Harrods in a coordinated campaign deploying DragonForce ransomware. The attacks relied on social engineering of help desk staff rather than technical exploits.
The hackers who brought MGM Resorts and Caesars Entertainment to their knees in 2023 are back, and they have spent the past two weeks carving a path through British retail. Marks & Spencer, Co-op, and Harrods have all confirmed cyber incidents in what security researchers are calling a coordinated campaign by Scattered Spider, now deploying ransomware from the DragonForce operation.
Marks & Spencer took the first public hit on April 3rd when the company acknowledged a cyber incident affecting store operations. What initially looked like contained disruption has since expanded significantly. The retailer suspended all online orders for nearly a week, pulled 200 job listings offline, and warned customers of continued "pockets of limited availability" across stores. Payment systems went down intermittently, click-and-collect services were suspended, and contactless payments failed at multiple locations. The company's latest update confirmed the attack involved unauthorized access to customer data, though they have not specified what information was compromised.
Co-op followed days later, initially downplaying the incident as a minor IT issue before the situation escalated dramatically. The company shut down parts of its IT infrastructure as a precaution, which had the side effect of disabling stock monitoring systems and back-office functions across its 2,300 UK stores. Internal memos leaked to the press revealed that staff were told to keep cameras on during Teams calls and verify all meeting attendees as the company scrambled to identify how attackers had penetrated their systems. By April 10th, Co-op acknowledged that customer names and contact details had been exfiltrated, though they maintained that passwords and financial data remained secure.
Harrods confirmed on April 12th that it too had experienced attempted unauthorized access, though the luxury retailer claims to have contained the incident before significant damage occurred. The company restricted internet access across its stores as a precaution and brought in external security consultants to assess the situation.
The common thread running through all three incidents is the involvement of Scattered Spider, a loosely organized collective of predominantly young, English-speaking hackers who have built a reputation for devastating social engineering attacks. Unlike traditional ransomware gangs that rely on phishing emails or exploit kits, Scattered Spider specializes in convincing help desk employees to reset passwords or disable multi-factor authentication through phone calls and chat sessions. Their operatives are reportedly native English speakers, which gives them a significant advantage when impersonating IT staff or executives to internal support teams.
The DragonForce connection represents a new chapter for Scattered Spider. DragonForce emerged in late 2023 as a ransomware-as-a-service operation, but recent intelligence suggests the group has restructured into what they call a "cartel" model. Rather than simply licensing their ransomware to affiliates, DragonForce now offers a complete white-label service where affiliates can operate under their own branding while DragonForce handles infrastructure, negotiation, and payment processing. This model allows groups like Scattered Spider to deploy ransomware without building or maintaining their own technical capabilities.
The UK's National Cyber Security Centre has issued guidance urging organizations to review help desk authentication procedures in response to the campaign. Specifically, they recommend implementing callback verification for password resets, requiring video confirmation for sensitive account changes, and training support staff to recognize social engineering tactics that create artificial urgency. Google's Mandiant division, which has tracked Scattered Spider extensively, notes that the group's tactics specifically target the human elements that technical controls cannot fully protect.
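One way to audit help desk tickets against the verification steps listed above, as an added example that is not part of the original article or of the NCSC guidance. The log format, event names, urgency cues, and the rule that only a callback to the number already on file counts are assumptions made for illustration.

```python
import csv
from io import StringIO

# Constructed ticket log (not real data): time,ticket,user,event,detail
SAMPLE_LOG = """\
2000-01-01T09:00:00,T100,alice,request_opened,forgot password after holiday
2000-01-01T09:04:00,T100,alice,callback_completed,directory
2000-01-01T09:06:00,T100,alice,password_reset,
2000-01-01T10:00:00,T101,bob,request_opened,urgent: exec needs MFA off right now
2000-01-01T10:02:00,T101,bob,callback_completed,caller_supplied
2000-01-01T10:03:00,T101,bob,mfa_disabled,
2000-01-01T11:00:00,T102,carol,request_opened,new phone
2000-01-01T11:05:00,T102,carol,callback_completed,directory
2000-01-01T11:09:00,T102,carol,mfa_disabled,
2000-01-01T11:20:00,T102,carol,video_verified,
"""

# Assumed mapping: sensitive action -> checks that must be recorded before it.
REQUIRED = {
    "password_reset": {"callback"},
    "mfa_disabled": {"callback", "video"},
}
URGENCY_CUES = ("urgent", "immediately", "right now", "asap")


def audit(log_text):
    """Return (ticket, user, action, missing_checks, urgent) per violation."""
    done = {}       # ticket -> checks completed so far
    urgent = set()  # tickets opened with urgency language
    findings = []
    rows = sorted((r for r in csv.reader(StringIO(log_text)) if r),
                  key=lambda r: r[0])
    for _ts, ticket, user, event, detail in rows:
        checks = done.setdefault(ticket, set())
        if event == "request_opened":
            if any(cue in detail.lower() for cue in URGENCY_CUES):
                urgent.add(ticket)
        elif event == "callback_completed":
            # Assumption: only a call to the number already on file counts;
            # a number supplied by the caller verifies nothing.
            if detail == "directory":
                checks.add("callback")
        elif event == "video_verified":
            checks.add("video")
        elif event in REQUIRED:
            missing = REQUIRED[event] - checks
            if missing:
                findings.append((ticket, user, event, sorted(missing), ticket in urgent))
    return findings
```

Ticket T102 is flagged even though video verification appears in the log, because it was recorded after the MFA change rather than before it.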
What makes Scattered Spider particularly dangerous is their persistence and adaptability. When one social engineering approach fails, they pivot to another. They have been observed researching targets extensively before attacks, learning organizational structures, identifying key personnel, and even monitoring social media to craft convincing pretexts. In previous campaigns, they have successfully convinced employees to install remote access software by posing as IT support responding to fabricated help desk tickets.
The retail sector presents an attractive target for several reasons. These organizations typically operate large, distributed workforces with high employee turnover, making it difficult to maintain consistent security awareness. Help desks handle high volumes of routine requests, creating pressure to resolve issues quickly rather than verify identities thoroughly. The combination of valuable customer data, payment card information, and operational disruption potential makes retailers ideal ransomware targets.
For the three affected companies, the recovery process will likely take weeks or months. Marks & Spencer has already warned that online ordering disruption may continue into May. Co-op faces the challenge of rebuilding customer trust after acknowledging data theft. Harrods escaped the worst of it, but even their precautionary measures disrupted normal operations during one of the busiest shopping periods of the year.
The broader message for organizations watching from the sidelines is clear. Technical security controls are necessary but not sufficient against adversaries who specialize in exploiting human trust. Help desk procedures need to assume that callers may not be who they claim to be, even when they sound legitimate and reference accurate internal information. The social engineering playbook that Scattered Spider has refined over years of practice works precisely because it targets the helpful instincts that make customer service employees good at their jobs.
References
- UK NCSC Advisory
https://www.ncsc.gov.uk/news/retail-sector-cyber-incidents
- Mandiant Scattered Spider Profile
https://www.mandiant.com/resources/blog/scattered-spider