Interview

The same miscreants behind recent cyberattacks on British retailers are now trying to dig their claws into major American retailers’ IT environments – and in some cases possibly even deploying ransomware, according to Google.
The cloud giant’s threat-intel nerve-center Mandiant suspects the Scattered Spider (aka UNC3944) gang is behind these recent digital intrusions following a long hiatus and multiple arrests.
Scattered Spider had been relatively quiet until mid-April when it launched a series of attacks that claimed victims including retailers Marks & Spencer, Co-op, and Harrods.
“About a week ago, we saw the expansion of the targeting to US-based retailers,” Charles Carmakal, chief technology officer of Mandiant Consulting, told The Register.
“Now a number of organizations are actively defending against Scattered Spider intrusions, or they’re trying to recover environments because they had some level of impact,” Carmakal continued, putting the number of US retailers that have been targeted by the group at “under 10.”
Carmakal won’t say which companies have been affected, but noted that they are “bigger-name retail organizations,” not mom-and-pop stores.
“That impact could have been directly caused by the threat actor deploying across the environment, or it could just be self-inflicted because the company is taking actions to prevent the actors from stealing data or deploying encryptors, so they had to break things themselves,” he added.
That might mean companies have frozen authentication servers or taken down virtual private networks to keep intruders out — in the process preventing employees from authenticating or remotely accessing IT systems.
“Not all the downtime that’s caused by these incidents is directly related to Scattered Spider,” Carmakal said. “A lot of the disruption is caused by the company making changes to prevent Scattered Spider from being able to move across the network.”
Ransomware du jour: DragonForce
Carmakal confirmed the criminals deployed DragonForce ransomware in some of the UK and US attacks.
“I’ve never seen them develop their own encryptor and deploy it across enterprises,” he noted.
Previously, Scattered Spider members used ALPHV/BlackCat extortionware, until that group disbanded. Then they moved on to RansomHub, “and now we see them using DragonForce,” Carmakal said.
The loosely knit gang of cybercriminals, whose members are thought to include males in their teens and early 20s located primarily in the US and UK, scattered into the shadows following at least seven arrests last year.
“That spooked some core members of Scattered Spider, and they went on a hiatus for many months,” Carmakal said. “And then all of a sudden, about a month ago we started seeing this uptick in attacks against UK retailers. The tradecraft looked very similar to what we’d seen in the past by previous Scattered Spider intrusion activity.”
The gang tends to focus their intrusions on a single sector at a time — remember the casino and resort capers in 2023? — and now retailers are taking the brunt. But, according to Carmakal, “the important thing to note about these folks is they’ve got shiny object syndrome. My guess is this adversary will pivot to the next sector in a few weeks, once they feel like they’ve gotten all they needed out of retail.”
In the meantime, the criminals have put another big target on their backs.
“Anytime you have high profile cyber security events that are attributed to known groups, you could expect that there will be law enforcement action,” Carmakal said. “I can’t comment on the timing, but threat actors really do need to take note that there’s a good chance that more actions will be taken.” ®