UK-based members of the Scattered Spider hacking group are “facilitating and contributing” to cyber-attacks on major retailers, according to Google’s cybersecurity arm, as the group expands its focus from Britain to the United States.
The group, associated with recent attacks on British retail giants such as Marks & Spencer, the Co-op, and Harrods, is now believed to be targeting unnamed US retailers. Charles Carmakal, Chief Technology Officer at Mandiant, Google’s cybersecurity subsidiary, said the threat actors follow a pattern of targeting specific industries in phases.
“They tend to focus on a particular industry sector and geography for a few weeks and then they move on to something else,” said Carmakal. “And right now they’re focused on retail organisations. They start in the UK, and now they’ve shifted to US organisations.”
While Carmakal did not confirm the involvement of Scattered Spider members in the Marks & Spencer breach directly, he noted: “Without specifically naming who the victims are I will say broadly Scattered Spider members in the UK are facilitating and contributing to intrusions.”
The comments come after Marks & Spencer informed employees that their personal data may have been compromised during a cyber-attack last month. Sources told the Daily Telegraph that full names and email addresses of staff were likely accessed. Earlier this week, the retailer also confirmed that some customer data had been stolen.
The wave of attacks prompted the UK’s National Cyber Security Centre (NCSC) to issue an advisory to businesses, warning them to examine how IT help desks handle password reset requests. Scattered Spider is known for social engineering tactics, such as impersonating staff on phone calls to gain system access.
“What we’re seeing is they’re making telephone calls, calling up help desks, pretending to be employees and convincing helpdesks to reset passwords,” Carmakal said.
He added that the hackers often outsource these tasks to younger members of the broader online community, usually active on platforms like Telegram and Discord. “It’s not always the [threat] actors themselves … that are actually making the phone calls,” he said. “They outsource some of that work to other members of the broader community, generally younger individuals … who want to make a few hundred bucks.”
Scattered Spider stands out from other ransomware groups for its composition—primarily native English speakers from the UK, US, and Canada. Carmakal said he had listened to “countless calls” made by the group to employees during extortion attempts, or when seeking credentials.
Unlike many ransomware gangs that are typically based in Russia or former Soviet states, Scattered Spider operates in Western countries and uses direct, persuasive engagement to gain system access before deploying ransomware or launching extortion attempts.
Meanwhile, French luxury brand Dior revealed this week that an “unauthorised external party” had accessed customer data, though the company said no payment information was compromised. It remains unclear who was behind the attack or how extensive the breach was.
Google’s threat analysts believe the Scattered Spider group has resumed operations after a period of inactivity, with its attention now firmly on the US retail sector.
“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to … Scattered Spider,” said John Hultquist, Chief Analyst at Google’s Threat Intelligence Group. “The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.”

