Shields up US retailers. Scattered Spider threat actors can target them

This post was originally published on Security Affairs. It can be found here.

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting U.S. companies, shifting their focus across the Atlantic.

The financially motivated group UNC3944 (also known as Scattered Spider, 0ktapus) is known for social engineering and extortion. The cybercrime group is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.

Initially targeting telecoms for SIM swaps, they expanded to ransomware and broader sectors by 2023. After 2024 arrests [1, 2, 3], their activity dropped, but ties to other threat actors may aid a comeback. They’ve targeted high-profile brands, possibly to boost notoriety, and often shift focus by sector, such as financial services and food industries.

Threat actors linked to Scattered Spider allegedly used DragonForce ransomware to target UK retailers. DragonForce also claimed ties to RansomHub, a RaaS platform once affiliated with UNC3944. While GTIG hasn’t confirmed UNC3944’s involvement, retail ransomware attacks are rising: 11% of 2025 data leak site (DLS) victims are retailers. Threat actors target retailers because they hold large volumes of PII and financial data.

“It is plausible that threat actors including UNC3944 view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data,” reads the report published by Google. “Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.”

Mandiant shared details about Scattered Spider’s tactics after DragonForce claimed attacks on UK retailers Co-op, Harrods, and M&S.

Google experts state that UNC3944 targets sectors like Tech, Telecom, Finance, BPO, Gaming, Retail, and Media, focusing on large enterprises in English-speaking countries, plus India and Singapore. They exploit help desks and outsourced IT via social engineering for high-impact attacks.

Google also provided proactive hardening recommendations.

Pierluigi Paganini
