Picture this: you’re running one of Britain’s most beloved retailers, everything’s ticking along nicely, and then bam—your contactless payments die, your click-and-collect goes belly-up, and your eCommerce operation looks like a ghost town. Sounds like a nightmare, right? Well, for Marks & Spencer, Co-op, and Harrods, that nightmare became very real in April 2025. And the group behind it? A gang of cyber criminals called Scattered Spider who’ve turned the retail sector into their personal playground.
Let me walk you through what happened, why it matters, and what this tells us about the state of cyber security in retail. Trust me, this isn’t just another “cyber attack story”—it’s a wake-up call.
Who Exactly Is Scattered Spider?
Right, let’s start with the basics. Scattered Spider isn’t your typical Russian ransomware gang operating from a dark corner of Moscow. No, these folks are different. They’re an English-speaking hacking collective, which already makes them stand out from the usual suspects in the cyber crime world.
Google’s Threat Intelligence Group (GTIG) tracks them as UNC3944, and CrowdStrike calls them “Muddled Libra”—lovely names for a lovely bunch of criminals. What makes them particularly tricky is their approach. They don’t just throw technical exploits at your firewall and hope something sticks. Instead, they’ve mastered the art of social engineering. And honestly? That’s what makes them so dangerous.
John Hultquist from GTIG described them as “aggressive, creative, and highly adept at circumventing even the most mature security programmes and defences”. When someone from Google’s threat intelligence team says a group is good at what they do, you’d better believe it.
The Social Engineering Specialists
Here’s the thing about Scattered Spider—they don’t need zero-day exploits or fancy technical vulnerabilities. They just need your help desk to pick up the phone. Their primary attack vector? Vishing (voice phishing) and smishing (SMS phishing). They call up your IT support pretending to be an employee, spin a convincing story about needing a password reset, and boom—they’re in.
They’ve been known to conduct extensive OSINT (Open Source Intelligence) research on their targets. We’re talking about scouring LinkedIn, company websites, and social media to understand your organisation’s structure, your IT processes, and who holds the keys to the kingdom. Then they craft their approach so convincingly that even well-trained staff get caught out.
Ever wondered why social engineering works so well? Because it exploits the one thing you can’t patch—human nature.
The UK Retail Attack Timeline: What Actually Happened
Let me break down how this all unfolded, because the timeline tells an important story.
April 2025: The Beginning of the Nightmare
On 22 April 2025, M&S first reported a cyber attack causing significant disruption. Customers couldn’t make contactless payments or use click-and-collect services. By 24 April, the retailer still couldn’t provide these services and had moved a number of processes offline to safeguard customers, staff, and business operations.
The situation escalated quickly. On 25 April, M&S shut down online sales entirely as it worked to contain and mitigate what they described as a “severe cyber attack.” By 29 April, security researchers were already pointing fingers at Scattered Spider as the likely culprit behind the ongoing attack that had left the retailer’s eCommerce operation in disarray.
But M&S wasn’t alone. On 30 April, Co-op revealed it was dealing with its own “developing cyber incident” and had pulled the plug on some IT systems. Staff were told to stop using VPNs and warned that communications channels might be monitored. Then on 1 May, Harrods confirmed it was the latest UK retailer to experience a cyber attack, shutting off systems to minimise impact.
The National Cyber Security Centre (NCSC) stepped in on 2 May, confirming it was providing assistance to all three retailers as concerns grew across the UK retail sector.
May 2025: The Fallout Continues
By 13 May, M&S was instructing all customers to change their account passwords after confirming a “significant amount of data” had been stolen in what was identified as a DragonForce ransomware attack. That’s a nasty piece of work—DragonForce is a ransomware-as-a-service platform that Scattered Spider has been leveraging.
Then things got worse for the supply chain. On 20 May, Peter Green Chilled—a cold chain services provider supplying Aldi, Sainsbury’s, and Tesco—halted operations after falling victim to a ransomware attack. This is the ripple effect I mentioned earlier. Attack one company in the supply chain, and you disrupt everyone downstream.
June 2025 brought another twist: Scattered Spider appears to be expanding its targeting to the insurance sector. Because apparently retail wasn’t enough to keep them busy.
Why Retail? Understanding the Target Selection
So why are these criminals going after retail? It’s not random, I can tell you that much.
Follow the Money and the Disruption
Retailers process massive volumes of transactions daily. They hold customer payment data, loyalty programme information, and supply chain details. That’s a treasure trove for extortion. But here’s the kicker—retailers also can’t afford downtime. Every hour their systems are offline costs them money and customer trust.
Think about it. If you’re running a criminal enterprise (not that I’m giving ideas), you want targets that will pay quickly to make the problem go away. Retailers, especially during peak shopping periods, have strong incentives to resolve these incidents fast.
Hultquist noted that Scattered Spider “has a history of focusing their efforts on a single sector at a time”. They’re not scattering their efforts everywhere—they’re concentrating fire. And right now, that fire is aimed squarely at retail.

The BPO Connection: Your Partners Are Your Weakness
One attack vector that doesn’t get enough attention is Business Process Outsourcers (BPOs). Scattered Spider has figured out that if you want to attack a big retailer, you don’t always go after them directly. You go after their partners—the companies that handle their customer service, their IT support, their payment processing.
BPOs often have access to multiple client environments. Compromise one BPO, and you’ve potentially got a foothold in dozens of organisations. It’s like finding the master key instead of picking every individual lock.
The Tools and Techniques in Their Arsenal
Let me get technical for a moment, because understanding their toolkit helps you defend against it.
Ransomware Platforms
Scattered Spider doesn’t always develop their own ransomware. They use Ransomware-as-a-Service (RaaS) platforms like DragonForce and RansomHub. These platforms provide the encryption tools, the extortion infrastructure, and even “customer support” for victims trying to pay ransoms. Yes, you read that right—criminal enterprises have customer support now. The irony isn’t lost on me either.
Identity Platform Exploitation
They’re particularly good at exploiting identity platforms like Okta and Azure AD (Entra ID). These platforms are meant to make authentication more secure, but Scattered Spider has figured out how to turn them against organisations.
Their MFA bypass techniques are worth understanding. They use MFA fatigue attacks—bombarding users with authentication push notifications until someone gets annoyed enough to just approve it. “Just approve it so my phone stops buzzing” has led to more breaches than anyone wants to admit.
Credential Harvesting Tools
They use information stealers like StealC, Lumma, and RedLine to harvest credentials. These tools can exfiltrate browser-stored passwords, cookies, and session tokens. Combine that with Evilginx2—an adversary-in-the-middle phishing proxy—and you’ve got a recipe for bypassing even well-implemented security controls.
Legitimate Tools Weaponised
Here’s something that frustrates me: they abuse legitimate remote monitoring tools like ScreenConnect (ConnectWise) and AnyDesk. These are tools that legitimate IT departments use every day. Scattered Spider compromises them or tricks staff into installing them, and suddenly they’ve got remote access to your environment. It’s like using a fire extinguisher as a weapon—something meant for protection turned into a threat.
The Human Element: Your Weakest Link
I’ve said it before, and I’ll say it again—you can have the best firewalls money can buy, but if someone in your organisation hands over their credentials to a convincing caller, none of it matters.
Who Gets Targeted?
Scattered Spider doesn’t go after your CEO or your CFO. They go after:
- Help Desk and IT Support staff—people with the ability to reset passwords and grant access
- New employees—still learning the ropes, eager to help, not yet suspicious of unusual requests
- BPO and partner staff—people with access to your environment but who may not follow your security procedures
- Executive assistants—people with broad access and trust relationships
The vishing calls are scripted, researched, and delivered by English speakers who understand corporate culture. They know the terminology. They know the pressures your staff are under. They know that someone working the help desk at 4:45 PM on a Friday just wants to help the “employee” on the other end of the line so they can go home.
The Insider Threat Dimension
Here’s an uncomfortable truth: Scattered Spider has successfully recruited insiders at target organisations. They find people—often young, often in gaming communities or on underground forums—who have access and are willing to sell it. Sometimes it’s for money. Sometimes it’s for clout. Sometimes it’s just because they can.
The Supply Chain Ripple Effect
The Peter Green Chilled attack illustrates something important: your security is only as strong as your weakest link. This cold chain services provider supplies Aldi, Sainsbury’s, and Tesco. When they went down, the disruption rippled through the entire supply chain.
IMO, this is where UK retail is most vulnerable. You might have excellent security yourself, but your suppliers? Your logistics partners? The companies that stock your shelves and manage your deliveries? Their security posture directly affects your business continuity.
Why Attack the Supply Chain?
Supply chain companies often have:
- Smaller security budgets than major retailers
- Direct connections to multiple retail networks
- Legacy systems that haven’t been updated
- Less security awareness training for staff
It’s like attacking a fortress by targeting the supply tunnel instead of the main gate.
What’s Being Done About It?
Law Enforcement and NCSC Involvement
The NCSC confirmed it’s providing assistance to affected retailers. That’s significant. The UK’s national cyber security authority doesn’t get involved in every breach—they reserve their resources for incidents of national importance.
But here’s the reality: attribution takes time. GTIG and Mandiant held back from providing formal attribution when the attacks were still under investigation. That’s responsible threat intelligence. They’re not going to point fingers without solid evidence.
The Challenge of Attribution
Scattered Spider is a decentralised collective. Members come and go. They collaborate with different ransomware groups. This makes legal action difficult. You can arrest one member, but the group continues. You can take down one infrastructure node, but they’ll set up another.
Defensive Recommendations: What Should You Actually Do?
Alright, enough doom and gloom. Let’s talk about what you can actually do to protect yourself.
Strengthen Help Desk Verification
Your help desk is on the front line. Give them:
- Clear verification procedures for password resets
- Callbacks to registered numbers before granting access
- Manager approval workflows for sensitive requests
- Training to recognise social engineering attempts
Implement MFA Fatigue Protections
If you’re using push-based MFA, you’re vulnerable to fatigue attacks. Consider:
- Number matching—requiring users to enter a number displayed on their login screen
- Geo-blocking—preventing logins from unusual locations
- Rate limiting—stopping notification bombardment
- Alternative authentication methods for high-risk operations
Monitor Identity Platforms
If you use Okta, Azure AD, or similar platforms:
- Monitor for impossible travel—logins from London and Sydney within an hour shouldn’t be possible
- Alert on MFA fatigue patterns—multiple push notifications in quick succession
- Review admin account creation—new privileged accounts should trigger alerts
- Audit partner and BPO access regularly
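Three of the four signals above (impossible travel, MFA fatigue bursts, and privileged account changes) as working detection logic. This is an added example, not code from the original post or from any identity vendor: it runs over constructed Okta-style events whose field names are assumptions for this example, and it uses great-circle distance between consecutive logins so the London-to-Sydney case is caught by speed rather than by a hard-coded city pair.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on an Okta-style system log; the
# field names are assumptions made for this example, not a real product schema.
SAMPLE_EVENTS = [
    {"ts": f"2025-05-01T16:40:{s:02d}Z", "user": "alice", "event": "mfa.push.sent"} for s in (0, 12, 25, 38, 51)
] + [
    {"ts": "2025-05-01T16:50:00Z", "user": "bob", "event": "login.success", "city": "London", "lat": 51.51, "lon": -0.13},
    {"ts": "2025-05-01T17:20:00Z", "user": "bob", "event": "login.success", "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"ts": "2025-05-01T17:25:00Z", "user": "carol", "event": "user.role.grant", "role": "Super Administrator"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def mfa_fatigue(events, threshold=4, window=timedelta(minutes=5)):
    # Flag users who received `threshold` or more MFA pushes inside any `window`.
    pushes = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        if e["event"] == "mfa.push.sent":
            pushes[e["user"]].append(parse_ts(e["ts"]))
    # Pair each push with the one (threshold - 1) later; a gap inside the window is a burst.
    return sorted(u for u, t in pushes.items()
                  if any(b - a <= window for a, b in zip(t, t[threshold - 1:])))

def haversine_km(lat1, lon1, lat2, lon2):
    p = math.pi / 180  # great-circle distance on a 6371 km sphere
    a = (0.5 - math.cos((lat2 - lat1) * p) / 2
         + math.cos(lat1 * p) * math.cos(lat2 * p) * (1 - math.cos((lon2 - lon1) * p)) / 2)
    return 12742 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=1000):
    # Consecutive successful logins by one user that would need travel faster than `max_kmh`.
    last, flagged = {}, []
    for e in sorted((x for x in events if x["event"] == "login.success"), key=lambda x: x["ts"]):
        prev = last.get(e["user"])
        if prev is not None:
            hours = (parse_ts(e["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                flagged.append((e["user"], prev["city"], e["city"], round(km / hours)))
        last[e["user"]] = e
    return flagged

def admin_grants(events):
    # Privileged role grants are rare and should page someone every time.
    return [(e["user"], e["role"]) for e in events
            if e["event"] == "user.role.grant" and "admin" in e["role"].lower()]
```

On the sample data alice is flagged for five pushes in under a minute, bob for a London-to-Sydney hop at tens of thousands of km/h, and carol for the Super Administrator grant; tune `threshold`, `window` and `max_kmh` to your own baseline before wiring this to paging.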
Supply Chain Security Assessment
Review your suppliers’ security:
- Include security requirements in contracts
- Conduct security assessments of critical suppliers
- Limit supplier access to what’s strictly necessary
- Monitor for supplier compromise through threat intelligence
Employee Awareness—But Make It Real
Phishing simulations are fine, but when did you last run a vishing simulation? Have someone call your help desk pretending to need a password reset. See what happens. The results might surprise you—and not in a good way.
The Bigger Picture: Why This Matters
Scattered Spider isn’t going away. Hultquist warned that “US retailers should take note” and that they anticipate the group “will continue to target the sector in the near term”. If you’re in retail—whether UK, US, or elsewhere—this is your problem too.
The insurance sector is next on their targeting list. After that? Who knows. The point is, these attackers are methodical, patient, and creative. They’re not just throwing exploits at walls. They’re researching, planning, and executing carefully crafted campaigns.
The Cost of Complacency
Every breach costs money—sometimes millions in ransom, sometimes more in recovery, lost business, and reputational damage. But the real cost is trust. Once customers don’t trust you with their data, they shop elsewhere. And in retail, customer trust is everything.
Conclusion
Scattered Spider has pulled back the curtain on how vulnerable the retail sector really is. They’ve shown that social engineering, when done well, bypasses technical controls every time. They’ve demonstrated that your supply chain is your Achilles’ heel. And they’ve proven that even major retailers with substantial security budgets can be brought to their knees.
The attacks on M&S, Co-op, Harrods, and Peter Green Chilled weren’t sophisticated technical exploits. They were carefully crafted social engineering campaigns that exploited human trust and organisational processes. That’s what makes them so effective—and so hard to defend against.
But here’s the thing: understanding how they operate is the first step to defending against them. Verify caller identity. Train your help desk to recognise vishing attempts. Monitor your identity platforms for anomalies. Assess your supply chain’s security posture. And for heaven’s sake, stop treating security awareness as a checkbox exercise.
Because while you’re reading this, Scattered Spider is probably already researching their next target. The question is: will it be you?
Stay vigilant. And maybe double-check who’s on the other end of that help desk call.
