Scattered Spider Hits UK Retail
Scattered Spider is a financially motivated threat actor specializing in cloud-focused social engineering and access brokering, and has likely been supplying the initial access behind DragonForce ransomware attacks on UK retail organizations. Its evolving collaboration model with ransomware groups illustrates the growing compartmentalization of the cybercrime ecosystem. #UKRetail #DragonForce #ScatteredSpider

Keypoints

  • Scattered Spider (also known as Roasted 0ktapus and Scatter Swine) has been active since May 2022, shifting its focus from telecom and BPO providers to higher-leverage targets such as UK retail and critical infrastructure.
  • Evidence suggests Scattered Spider provided initial access via cloud exploitation and social engineering, enabling DragonForce ransomware attacks on UK retail chains in 2025.
  • The ransomware ecosystem is evolving into a collaborative model where access brokers, malware developers, and extortion actors operate separately without co-branding.
  • Scattered Spider uses sophisticated social engineering tactics including Telegram and SMS phishing, SIM swapping, MFA fatigue exploitation, and impersonation of IT staff for credential theft and remote access.
  • The group exploits seasonal weaknesses in UK retail, such as high helpdesk turnover and susceptibility to vishing during peak sales periods, abusing password resets and weak MFA enrollment controls.
  • In 2023, Scattered Spider worked with the BlackCat (ALPHV) ransomware group, deploying its payloads on Windows, Linux, and VMware ESXi servers and joining an affiliate program otherwise made up largely of Russian-speaking actors.
  • BlackCat reportedly bars its affiliates from targeting CIS countries, highlighting selective affiliate recruitment aimed at maximizing profit while avoiding certain geopolitical risks.
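Two of the identity attacks listed above, MFA push fatigue and a helpdesk password reset followed by a new MFA device, leave a recognizable pattern in IdP sign-in logs. The detection below is an added example, not code from the blog post or from any vendor; the event schema (ts/user/event/result/ip), the thresholds, and the sample events are all assumptions constructed for illustration.

```python
"""Detect MFA push fatigue and helpdesk-reset-then-MFA-enrollment abuse in
sign-in events. Added example; the schema and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MFA_FATIGUE_THRESHOLD = 5                      # unapproved prompts per window (assumed)
MFA_FATIGUE_WINDOW = timedelta(minutes=10)     # sliding window for the burst (assumed)
RESET_TO_ENROLL_WINDOW = timedelta(minutes=30) # reset -> new MFA method (assumed)

# Constructed sample events, not real telemetry. IPs are RFC 5737 test ranges.
SAMPLE_EVENTS = [
    {"ts": "2025-04-21T08:00:00", "user": "bob",   "event": "login",    "result": "success",  "ip": "192.0.2.10"},
    {"ts": "2025-04-21T09:00:05", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2025-04-21T09:00:40", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2025-04-21T09:01:20", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2025-04-21T09:02:05", "user": "alice", "event": "mfa_push", "result": "timeout",  "ip": "203.0.113.7"},
    {"ts": "2025-04-21T09:03:10", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2025-04-21T09:04:00", "user": "alice", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2025-04-21T09:05:10", "user": "alice", "event": "mfa_push", "result": "approved", "ip": "203.0.113.7"},
    {"ts": "2025-04-21T09:30:00", "user": "carol", "event": "mfa_push", "result": "denied",   "ip": "198.51.100.9"},
    {"ts": "2025-04-21T09:31:00", "user": "carol", "event": "mfa_push", "result": "approved", "ip": "198.51.100.9"},
    {"ts": "2025-04-21T10:00:00", "user": "bob",   "event": "helpdesk_password_reset", "result": "success", "ip": "10.0.0.5"},
    {"ts": "2025-04-21T10:03:00", "user": "bob",   "event": "login",    "result": "success",  "ip": "198.51.100.20"},
    {"ts": "2025-04-21T10:05:00", "user": "bob",   "event": "mfa_method_registered", "result": "success", "ip": "198.51.100.20"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_mfa_fatigue(events, threshold=MFA_FATIGUE_THRESHOLD, window=MFA_FATIGUE_WINDOW):
    """Alert when a user receives `threshold` unapproved push prompts inside
    `window`, and again if the next prompt after such a burst is approved
    (the victim gave in, which is the attacker's success condition)."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "mfa_push":
            continue
        t, q = _ts(ev), recent[ev["user"]]
        while q and t - q[0] > window:      # drop prompts outside the window
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(t)
            if len(q) == threshold:         # fire once per burst
                alerts.append({"type": "mfa_fatigue", "user": ev["user"],
                               "prompts": threshold, "first_prompt": q[0].isoformat()})
        elif ev["result"] == "approved" and len(q) >= threshold:
            alerts.append({"type": "mfa_fatigue_approved", "user": ev["user"],
                           "approved_at": ev["ts"], "ip": ev["ip"]})
            q.clear()
    return alerts


def detect_reset_then_enroll(events, window=RESET_TO_ENROLL_WINDOW):
    """Alert when a helpdesk password reset is followed within `window` by a
    new MFA method, noting whether the enrolling IP was ever used by that
    user *before* the reset (post-reset logins are not trusted evidence)."""
    alerts = []
    known_ips = defaultdict(set)   # user -> IPs from successful logins so far
    ips_at_reset, last_reset = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        u, t = ev["user"], _ts(ev)
        if ev["event"] == "helpdesk_password_reset":
            last_reset[u] = t
            ips_at_reset[u] = set(known_ips[u])   # snapshot taken before attacker logins
        elif ev["event"] == "mfa_method_registered":
            r = last_reset.get(u)
            if r is not None and t - r <= window:
                alerts.append({"type": "reset_then_enroll", "user": u,
                               "minutes_after_reset": (t - r).total_seconds() / 60,
                               "ip": ev["ip"],
                               "ip_seen_before_reset": ev["ip"] in ips_at_reset[u]})
        elif ev["event"] == "login" and ev["result"] == "success":
            known_ips[u].add(ev["ip"])
    return alerts


def run_detections(events):
    return {"mfa_fatigue": detect_mfa_fatigue(events),
            "reset_then_enroll": detect_reset_then_enroll(events)}


if __name__ == "__main__":
    for name, alerts in run_detections(SAMPLE_EVENTS).items():
        for a in alerts:
            print(name, a)
```

On the sample data, alice triggers both fatigue alerts (five unapproved prompts, then an approval), carol's single denial stays silent, and bob's new MFA method five minutes after a helpdesk reset, from an IP never seen before the reset, is flagged. Snapshotting the known-IP set at reset time matters: the attacker's own post-reset login must not launder the IP into the trusted set.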

MITRE Techniques

  • [T1566] Phishing – Telegram and SMS phishing campaigns lure targets into disclosing credentials. (“…social engineering tactics include Telegram and SMS phishing…”)
  • [T1621] Multi-Factor Authentication Request Generation – MFA fatigue (repeated push prompts) and helpdesk password resets are abused to get past MFA with stolen or reset credentials. (“…MFA fatigue and password resets during peak sales periods…”)
  • [T1078] Valid Accounts – The group poses as IT personnel to obtain legitimate credentials and remote access, then operates under those accounts. (“…the group has frequently posed as IT personnel to deceive individuals into divulging credentials…”)
  • [T1553.002] Subvert Trust Controls: Code Signing – Signed but malicious kernel drivers are loaded to persist and evade endpoint defenses; where a legitimately signed vulnerable driver is loaded for the same end, that is T1068 Exploitation for Privilege Escalation. (“…deployment of malicious kernel drivers, including signed but malicious Intel Ethernet diagnostics driver…”)
  • [T1486] Data Encrypted for Impact – Ransomware payloads were deployed on Windows, Linux, and VMware ESXi servers as part of BlackCat operations. (“…initiating the deployment of ransomware payloads on both Windows and Linux systems, targeting VMware ESXi servers.”)


Read more: https://cyberint.com/blog/dark-web/meet-scattered-spider-the-group-currently-scattering-uk-retail-organizations/