In a bold and coordinated cyber offensive, the elusive hacking group Scattered Spider has claimed responsibility for recent cyber attacks on U.K. retail giants Marks & Spencer and Co-op, with experts confirming it as a “single combined cyber event.”

According to a new assessment by the Cyber Monitoring Centre (CMC), the attacks—which occurred in April 2025—shared nearly identical tactics, techniques, and procedures (TTPs) and appear to stem from a single, focused campaign carried out by the threat group. The event has officially been tagged as a “Category 2 systemic event,” and the damages? A staggering £270 million to £440 million ($363M–$592M) in financial impact. Ouch.

🎭 Social Engineering: The Spider’s Web

So how did Scattered Spider spin this web of chaos?

It all began with an IT help desk. Yep, the group is infamous for its sophisticated social engineering schemes, often impersonating tech support staff with uncanny accuracy. Fluent in English and fluent in manipulation, they use real employee lingo to slip past defenses and grab credentials faster than you can say, “Did you try turning it off and on again?”

The attackers likely spoofed internal identities, tricked help desk agents into resetting credentials, and from there? It was open season inside the networks of M&S and Co-op.

🕵️‍♂️ Who Is Scattered Spider?

Also known in security circles as UNC3944, Scattered Spider is a younger, more agile offshoot of the larger threat actor community known as “The Com.” Their resume includes high-profile breaches, and their recent playbook indicates a shift toward sector-focused campaigns—and right now, retail is under siege.

But wait, there’s more.

According to Google’s Threat Intelligence Group (GTIG), the Spider isn’t stopping at the checkout lane. They’ve already slithered across the Atlantic and are now actively targeting major U.S. insurance companies. The message from GTIG is loud and clear: Help desks, call centers, and IT support teams—tighten up and stay alert.

“The insurance industry should be on high alert, especially for social engineering schemes,” warned John Hultquist, Chief Analyst at GTIG.

🧠 Not Just Hackers—They Have a PR Team?

In what feels like a plot twist straight out of Mr. Robot, another ransomware crew—Qilin—is reportedly offering “legal assistance” and “journalist support” to victims as a pressure tactic during ransom negotiations. Yes, these cybercriminals now roll with in-house legal teams and content writers to escalate their intimidation game.

You can’t make this up.

👀 And What About Harrods?

Curiously, the Harrods incident—which occurred around the same time—has not been officially linked to the M&S and Co-op events. Investigators are holding off, citing a lack of evidence to confirm a connection. But eyes are watching closely.

Meanwhile, Tata Consultancy Services (TCS)—a key tech vendor for M&S—has stated that its own systems weren’t breached, although internal investigations continue in order to rule out the possibility that its infrastructure was used as a launchpad for the attack.

🔒 What This Means for You

This is not just another headline. It’s a real-time warning to businesses across sectors:

  • Social engineering is evolving. The weakest link is still human.

  • Your help desk might be your biggest vulnerability.

  • Hackers don’t just want your data. They want your brand, your trust, and your business.

The Scattered Spider campaign is yet another reminder that cyber defense isn’t optional—it’s mission-critical. As they shift from retail to insurance and beyond, the question is no longer if they’ll strike again, but where.

🛡️ Stay vigilant. Educate your teams. And if someone calls pretending to be “IT,” maybe… hang up and double-check.

About the Author Jo Hanson Mok
