The Growing Threat of Scattered Spider: What Businesses Need to Know

Article by: Alex Wells-Linden, Cyber Security Analyst at Synextra
Scattered Spider Explained

If you’ve been following the news lately, you’ve likely heard about Scattered Spider—the cyber-criminal group suspected to be behind several high-profile attacks on major UK retailers. 

We know many businesses are wondering if they might be next in line. After seeing the ongoing trouble caused, it’s understandable if you’re a bit concerned. 

Our Cyber Security Analyst, Alex Wells-Linden, has made a video guide to Scattered Spider, and we’ve distilled the essential bits into this blog post to help you understand what’s going on and how to keep your business safe. 

Yes, these hackers are clever, but don’t fret—there are plenty of practical ways to shore up your defences, and we’ll walk you through them below. 

If you’d like the details on what exactly your business can do to stay protected, check out the video below. Or you can read on for the essential information you need. 

Inside Scattered Spider: Who They Are and How to Stay Safe

Who are Scattered Spider?

Scattered Spider is a decentralised cybercriminal collective that has been highly active since 2022. Also known under several pseudonyms including UNC3944, Roasted 0ktapus, and Scatter Swine, they’ve become notorious for their effective social engineering attacks. 

What makes this group particularly dangerous is that they are primarily native English speakers, giving them an advantage when conducting social engineering attacks on UK and US businesses. This has resulted in successful breaches of major companies including DoorDash, Twilio, and LastPass. 

The group is composed mainly of young individuals based in the UK, US, and Europe, with some members reportedly as young as 16. Since 2022, they’ve been responsible for over 100 targeted attacks across various industries including telecommunications, finance, retail, and gaming. 

Recent UK retail attacks

Scattered Spider has recently made headlines by targeting major UK retailers. The group is suspected of being behind a wave of cyberattacks affecting Marks & Spencer, Harrods, and Co-op. These attacks have severely disrupted online sales, affected payment systems, and potentially exposed them to data theft. 

The suspected attack on M&S was particularly damaging, with the retailer forced to temporarily suspend online operations and experiencing disruptions to contactless payments. The group reportedly used the DragonForce ransomware to breach M&S’s systems, causing the retailer’s market value to drop by over £700 million, with a 6.5% decline in stock price. 

Both Harrods and Co-op have also confirmed cyber incidents, with Co-op acknowledging the theft of customer data including names and contact information. While stores remained open, online operations and certain payment options were affected. 

How they operate

Scattered Spider’s success is built on a socially-savvy approach to cybercrime: 

Social engineering expertise 

They excel at manipulating help desk staff, often posing as end users to trigger unauthorised authentication resets or impersonating IT personnel to gain remote access to devices. The UK’s National Cyber Security Centre (NCSC) has issued warnings for firms to review their password reset processes and IT help desk protocols. 

Varied attack techniques 

Their toolkit includes: 

  • SMS phishing (smishing) 
  • SIM swapping 
  • Impersonation 
  • MFA fatigue attacks where they overwhelm users with authentication requests 

Thorough reconnaissance 

The group invests significant effort in preparation, creating convincing domain and brand impersonations with fake login pages and appropriate company branding. This attention to detail makes their social engineering attempts much more convincing. 

SIM swapping focus 

This technique allows them to bypass many MFA controls by gaining control of a user’s phone number, enabling them to intercept SMS authentication codes. They’ll use these stolen codes to authenticate during password resets or during primary authentication flows. 

‘Living off the land’ 

They frequently use legitimate applications already present in the victim’s network to avoid detection by security tools. They also favour legitimate remote access solutions like TeamViewer, Pulseway, and Splashtop as points of initial access. 

Ransomware and extortion 

Once inside a network, they typically exfiltrate victim data for extortion purposes and have recently begun deploying ransomware (notably DragonForce), demanding multimillion-pound ransoms for decryption keys. 

Protecting your business 

To defend against Scattered Spider and similar threat actors, we recommend a multi-layered approach. This isn’t just for your IT team—it’ll take collaboration across your organisation. While your IT department can lead on technical implementations, management needs to approve policies, HR can help incorporate security into training, and frontline staff (especially help desk teams) must follow new procedures. Here’s how everyone can contribute: 

Strengthen authentication 

  • Disable vulnerable MFA methods: Remove SMS and phone-based MFA methods to eliminate the threat of SIM swapping.
  • Implement phishing-resistant MFA: Windows Hello for Business and FIDO2 passkeys are excellent options:
    • Windows Hello for Business is often already available on Intune-enrolled devices 
    • Passkeys can be hardware or software-based (Microsoft Authenticator, password managers, or Yubikeys) 
    • Both options bind authentication to a specific device, so credentials captured on a fake login page cannot be reused elsewhere, which is what makes them resistant to phishing
  • Consider certificate-based authentication: While it’s more complex to set up, this provides strong security for sensitive environments.
  • Use conditional access policies: Limit token lifetimes, block logins from known bad locations (VPN/Tor exit nodes), and detect risky sign-ins or anomalous behaviours. 

Improve help desk security 

  • Create strong verification processes: Implement out-of-band authorisation processes that don’t rely on potentially compromised communication channels.
  • Establish clear escalation procedures: Make sure help desk staff know what to do when they suspect a social engineering attempt.
  • Training is essential: Regularly train your help desk and IT staff to recognise and respond to social engineering attempts.
  • Two-way authentication: Not only should users prove who they are to the help desk, but the help desk should also have ways to prove their identity to users.

Technical controls 

  • Allow-list remote access tools: Block unauthorised remote access applications while permitting only your approved tools.
  • Deploy strong detection solutions: Make sure you have robust EDR/XDR solutions to detect suspicious activities.
  • Monitor for anomalies: Use network monitoring to identify unusual behaviour patterns.
  • Backup and recovery: Maintain and regularly test immutable backups to recover quickly in case of ransomware attacks. As mentioned in our video, “What really hurts businesses is ransomware shutting your business down. The lost opportunity cost is sometimes huge, let alone the cost of getting your entire environment back up and running. Disaster recovery is so important—it’s your last line of defence.” 
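A simple detection rule for the MFA fatigue technique listed earlier, run over a handful of constructed sign-in events. This is an added example, not code from the Synextra post; the event fields (`user`, `time`, `result`, `ip`) are a constructed stand-in for your identity provider's sign-in log export, not a real vendor schema.

```javascript
// Added example (not from the Synextra post): MFA-fatigue detection over
// constructed sign-in events. Field names are a simplified stand-in for an
// identity provider's sign-in log, not a real vendor schema; IPs come from
// documentation ranges.
const SAMPLE_EVENTS = [
  { user: 'alice@example.com', time: '2025-05-01T08:00:05Z', result: 'MFA_APPROVED', ip: '198.51.100.7' },
  { user: 'bob@example.com',   time: '2025-05-01T22:10:00Z', result: 'MFA_DENIED',   ip: '203.0.113.9' },
  { user: 'bob@example.com',   time: '2025-05-01T22:10:40Z', result: 'MFA_TIMEOUT',  ip: '203.0.113.9' },
  { user: 'bob@example.com',   time: '2025-05-01T22:11:20Z', result: 'MFA_DENIED',   ip: '203.0.113.9' },
  { user: 'bob@example.com',   time: '2025-05-01T22:12:05Z', result: 'MFA_DENIED',   ip: '203.0.113.9' },
  { user: 'bob@example.com',   time: '2025-05-01T22:13:30Z', result: 'MFA_APPROVED', ip: '203.0.113.9' },
  { user: 'carol@example.com', time: '2025-05-01T09:00:00Z', result: 'MFA_DENIED',   ip: '198.51.100.8' },
  { user: 'carol@example.com', time: '2025-05-01T15:00:00Z', result: 'MFA_DENIED',   ip: '198.51.100.8' },
];

const UNANSWERED = new Set(['MFA_DENIED', 'MFA_TIMEOUT']);

// Alert when a user receives `threshold` or more denied/timed-out prompts inside
// a sliding `windowMinutes` window (medium). An approval that follows such a
// burst is escalated to high: that is the shape of a user giving in to the flood.
function detectMfaFatigue(events, { threshold = 3, windowMinutes = 10 } = {}) {
  const windowMs = windowMinutes * 60 * 1000;
  const byUser = new Map();
  for (const e of [...events].sort((a, b) => Date.parse(a.time) - Date.parse(b.time))) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ ...e, ts: Date.parse(e.time) });
  }
  const alerts = [];
  for (const [user, evs] of byUser) {
    let burst = [];       // unanswered prompts still inside the window
    let alerted = false;  // one medium alert per burst, not one per prompt
    for (const e of evs) {
      burst = burst.filter(b => e.ts - b.ts <= windowMs);
      if (burst.length === 0) alerted = false;
      if (UNANSWERED.has(e.result)) {
        burst.push(e);
        if (burst.length >= threshold && !alerted) {
          alerts.push({ user, severity: 'medium', prompts: burst.length, firstSeen: burst[0].time, ip: e.ip });
          alerted = true;
        }
      } else if (e.result === 'MFA_APPROVED' && burst.length >= threshold) {
        alerts.push({ user, severity: 'high', prompts: burst.length, approvedAt: e.time, ip: e.ip });
        burst = [];
        alerted = false;
      }
    }
  }
  return alerts;
}
```

Tune `threshold` and `windowMinutes` to your own prompt volume, and treat a high-severity hit as a possible compromised session (revoke tokens, then verify with the user out of band) rather than just a notification.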

Proactive measures 

  • Brand protection services: You can use services that monitor for domain spoofing and website cloning. These services continuously scan for newly registered domains that resemble your brand and can detect when your website has been copied, giving you early warning of potential phishing campaigns targeting your customers or employees.
  • Dark web monitoring: Use a service to monitor for compromised credentials and mentions of your organisation on the dark web. This type of intelligence gathering can provide early warning that your company is being targeted, or that employee credentials have been leaked, allowing you to force password resets before attackers can use the information.
  • Implement honey tokens: Place unique identifiers in your website code that will alert you if the site is cloned. These could be invisible elements or specific code comments that, when copied by attackers creating fake login pages, trigger alerts to your security team, allowing you to respond before users are compromised. 
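A minimal client-side honey token of the kind described above, as an added example that is not part of the Synextra post. The legitimate hostnames, the collector at `canary.example.com` and the token value are constructed placeholders you would replace with your own.

```javascript
// Added example (not from the Synextra post). LEGITIMATE_HOSTS, ALERT_ENDPOINT
// and HONEY_TOKEN are constructed placeholders for your own deployment.
const LEGITIMATE_HOSTS = ['example.com', 'www.example.com', 'login.example.com'];
const ALERT_ENDPOINT = 'https://canary.example.com/clone-alert'; // hypothetical collector
const HONEY_TOKEN = 'hx-7f3a'; // constructed per-page identifier; tells copies apart

// Lower-case the host and drop a trailing dot so 'WWW.Example.COM.' still matches.
function normaliseHost(host) {
  return String(host || '').toLowerCase().replace(/\.$/, '');
}

// A page served from anywhere outside the allow-list is treated as a clone.
// The empty host (a copy opened from file://) and look-alike domains such as
// 'www.example.com.evil.test' both count; subdomains are not trusted implicitly.
function isClonedHost(host, allowed = LEGITIMATE_HOSTS) {
  return !allowed.map(normaliseHost).includes(normaliseHost(host));
}

// The beacon carries only the serving host and referrer (no user data),
// URL-encoded so the collector's log is unambiguous.
function buildAlertUrl(host, referrer, endpoint = ALERT_ENDPOINT) {
  const params = new URLSearchParams({
    token: HONEY_TOKEN,
    host: normaliseHost(host),
    ref: referrer || '',
  });
  return `${endpoint}?${params}`;
}

// Prefer sendBeacon (survives page unload); fall back to an image request,
// which often still works when the clone's CSP blocks fetch/XHR.
function reportClone(url) {
  if (typeof navigator !== 'undefined' && typeof navigator.sendBeacon === 'function') {
    return navigator.sendBeacon(url);
  }
  const img = new Image();
  img.src = url;
  return true;
}

// Browser-only entry point: in Node (or a test harness) `window` is undefined,
// so loading this file has no side effects. This only catches pages copied
// wholesale; an attacker who strips the script defeats it, so pair it with
// the domain monitoring above rather than relying on it alone.
if (typeof window !== 'undefined' && isClonedHost(window.location.hostname)) {
  reportClone(buildAlertUrl(window.location.hostname, document.referrer));
}
```

On the collector side, every hit whose `host` is not yours is a cloned page in the wild; the `ref` value often reveals the smishing link or landing page that sent the victim there, which is what your takedown request needs.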

What to do next 

Scattered Spider and the like are a pretty fearsome threat to modern businesses. Their attacks have substantial financial and operational impacts that are hard to ignore.  

Despite multiple law enforcement interventions, the group’s decentralised structure means it’s unlikely to disappear soon.  

But if you focus on strengthening authentication, improving help desk security protocols, and taking proactive measures, your organisation can massively reduce the risk of becoming their next victim. 

For help on making your organisation’s security posture even better, take a look at some of our other articles: 

Our team is also happy to advise. At Synextra, we have plenty of experience in securing Azure environments against external threats. Our boutique approach means we can provide personalised security solutions that the corporate giants simply can’t match. If you’d like to discuss how we can help protect your business, do get in touch today. 
