US Retailers on High Alert: Scattered Spider Cyber Threat Looms

TL;DR

The cybercrime group Scattered Spider, known for high-profile attacks, is now targeting US retailers. This shift highlights the growing threat to retail organizations, which manage large amounts of personal and financial data.

Main Content

Scattered Spider Shifts Focus to US Retailers

Google has issued a warning that the notorious cybercrime group Scattered Spider, which was behind recent UK retailer attacks, is now targeting US companies. This shift in focus across the Atlantic underscores the evolving threat landscape for retail organizations.

Background on Scattered Spider

The financially motivated group UNC3944, also known as Scattered Spider and 0ktapus, is renowned for its social engineering and extortion tactics. Over the past two years, the group has allegedly hacked into hundreds of organizations, including high-profile targets such as Twilio, LastPass, DoorDash, and Mailchimp.

Initially focusing on telecoms for SIM swaps, Scattered Spider expanded its operations to include ransomware and broader sectors by 2023. Despite a brief lull in activity following several arrests in 2024, the group’s ties to other threat actors suggest a potential comeback. Their targets have included high-profile brands, likely to boost notoriety, and they frequently shift focus across various sectors, such as financial services and the food industry.

Recent Developments and Threats

Google researchers have warned that Scattered Spider, the group behind the UK retailer attacks, is now setting its sights on US companies. This shift highlights the growing threat to retail organizations, which manage large amounts of personal and financial data.

Shields up US retailers. They’re here. https://t.co/wslafVuEes

— John Hultquist (@JohnHultquist) May 15, 2025

Threat actors linked to Scattered Spider are suspected of using DragonForce ransomware to target UK retailers. DragonForce has also claimed ties to RansomHub, a ransomware-as-a-service (RaaS) platform once affiliated with UNC3944. While the Google Threat Intelligence Group (GTIG) has not confirmed UNC3944’s involvement, retail ransomware attacks are on the rise, with retailers accounting for 11% of the victims listed on data leak sites (DLS) in 2025. Threat actors target retailers due to the vast amounts of PII and financial data they manage.

“It is plausible that threat actors, including UNC3944, view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data.”

Google Report

Mandiant has shared details about Scattered Spider’s tactics following DragonForce’s claimed attacks on UK retailers such as Co-op, Harrods, and M&S.

Google experts have identified that UNC3944 targets various sectors, including Tech, Telecom, Finance, BPO, Gaming, Retail, and Media, with a focus on large enterprises in English-speaking countries, as well as India and Singapore. Their tactics involve exploiting help desks and outsourced IT through social engineering for high-impact attacks.

Proactive Hardening Recommendations

Google has provided proactive hardening recommendations to help organizations bolster their defenses against such threats:

  • Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification.
  • Regular Security Audits: Conduct frequent security assessments to identify and mitigate vulnerabilities.
  • Employee Training: Educate employees on recognizing and responding to social engineering attempts.
  • Incident Response Planning: Develop and regularly update incident response plans to ensure quick and effective action in case of an attack.

Conclusion

The evolving threat landscape, with Scattered Spider now targeting US retailers, underscores the urgent need for enhanced cybersecurity measures. Retail organizations must remain vigilant and proactive in their defense strategies to protect their valuable data and maintain customer trust.

This post is licensed under CC BY 4.0 by the author.