The hacking group Scattered Spider is back. Google warns U.S. retailers are the latest target in a fast-moving wave of ransomware and extortion attacks.
Google has confirmed a surge of ransomware and extortion attacks targeting U.S. retailers, believed to be linked to the hacking group UNC3944, also known as Scattered Spider. While not officially attributing recent UK breaches to the group, the cyberattacks on Co-Op, Harrods, and Marks & Spencer bear similarities. Google told SecurityWeek that the same actors appear to be expanding operations within the U.S. retail sector, and the wave of attacks is expected to continue.
The group, known for its bold and fast-moving tactics, has previously demonstrated the ability to bypass advanced security programs. According to Mandiant’s Charles Carmakal, fewer than 10 U.S. retail organizations have been affected so far. In some cases, victims shut down their own systems to contain the intrusion, resulting in operational disruptions.
The attacks typically begin with social engineering tactics. Scattered Spider often calls help desks, impersonates employees, and requests password resets to gain initial access. Once inside, they move quickly, making it difficult for security teams to respond in time. Google’s threat intelligence lead, John Hultquist, called attention to the group's creativity and effectiveness in using third-party access and social manipulation to breach systems.
“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944,” Hultquist said. He described the hackers as “aggressive, creative, and particularly effective at circumventing mature security programs.”
Carmakal added, “We can confirm this group has targeted multiple retail organizations in the US, mostly by calling help desks to reset passwords. This group is resourceful and fast, making it challenging for defenders to keep up.”
Mandiant has published a hardening guide for organizations to strengthen their defenses based on the group’s known tactics.
Recent activity attributed to Scattered Spider points to continued risk for the retail sector, particularly through the exploitation of help desks and third-party vendors. These tactics often bypass traditional cybersecurity measures, making them difficult to detect and prevent.
As the group expands its operations, retailers are being advised to review their access controls and vendor security practices. Strengthening identity verification and limiting privileged access may help reduce the likelihood of disruption.
UNC3944 is a financially motivated hacking group known for social engineering attacks, particularly targeting help desks to bypass security controls.
Retailers often rely on multiple third-party vendors and customer-facing systems, creating more entry points for attackers to exploit.
Immediately isolate affected systems, notify internal security teams, and consult with incident response experts such as Mandiant.
All retailers are potential targets; smaller companies may be even more vulnerable due to limited security resources.
Implement strict identity verification for IT requests, limit admin access, and train help desk staff to recognize social engineering tactics.
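One way a security team can act on the pattern described above (a help-desk password reset followed by rapid use of the account, especially a privileged one) is to correlate help-desk ticket events with sign-in events. The Python below is an added example written for this page; it is not code from the article, from Google, or from Mandiant's hardening guide. The event format, field names, the two-hour window, the sample accounts and the scoring weights are all assumptions, and the sample events are constructed. The MFA re-enrollment signal is also an assumption added here; the article itself only describes the reset-by-phone step.

```python
"""Help-desk reset correlation: flag resets that are followed by suspicious use.

Added example (not from the article or Mandiant). Event shape, field names,
weights and the time window are assumptions; sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Event:
    ts: datetime
    kind: str                    # "helpdesk_reset" | "login" | "mfa_enroll"
    user: str
    actor: str = ""              # help-desk agent for resets (assumed field)
    source: str = ""             # network label for logins (assumed field)
    verified: Optional[bool] = None  # did the agent record identity verification?

@dataclass
class Alert:
    user: str
    severity: str
    reasons: List[str] = field(default_factory=list)

# Assumed list of privileged accounts; in practice pull from the IdP/AD group.
PRIVILEGED = {"admin.jane", "svc-backup"}
WINDOW = timedelta(hours=2)      # assumed correlation window after a reset

def correlate(events: List[Event], privileged=PRIVILEGED, window=WINDOW) -> List[Alert]:
    """Score each help-desk reset by what happens around it and emit alerts."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, reset in enumerate(events):
        if reset.kind != "helpdesk_reset":
            continue
        reasons, score = [], 0
        if reset.verified is not True:
            reasons.append("reset without recorded identity verification")
            score += 2
        if reset.user in privileged:
            reasons.append("privileged account")
            score += 2
        # Network sources this user logged in from before the reset.
        known = {e.source for e in events[:i] if e.kind == "login" and e.user == reset.user}
        for e in events[i + 1:]:
            if e.ts - reset.ts > window:
                break
            if e.user != reset.user:
                continue
            if e.kind == "login" and e.source not in known:
                reasons.append(f"login from unseen source {e.source} after reset")
                score += 2
            if e.kind == "mfa_enroll":
                reasons.append("new MFA device enrolled after reset")
                score += 3
        if score >= 4:
            alerts.append(Alert(reset.user, "high" if score >= 6 else "medium", reasons))
    return alerts

def sample_events() -> List[Event]:
    """Constructed events: one suspicious reset chain, one routine verified reset."""
    t = datetime(2025, 5, 14, 8, 0)
    m = lambda mins: t + timedelta(minutes=mins)
    return [
        Event(m(0),   "login",          "admin.jane", source="corp-vpn"),
        Event(m(30),  "login",          "bob",        source="corp-vpn"),
        Event(m(60),  "helpdesk_reset", "admin.jane", actor="hd-07", verified=False),
        Event(m(72),  "login",          "admin.jane", source="residential-isp"),
        Event(m(75),  "mfa_enroll",     "admin.jane"),
        Event(m(120), "helpdesk_reset", "bob",        actor="hd-03", verified=True),
        Event(m(125), "login",          "bob",        source="corp-vpn"),
    ]

def run_sample() -> List[Alert]:
    return correlate(sample_events())

if __name__ == "__main__":
    for a in run_sample():
        print(a.user, a.severity, "; ".join(a.reasons))
```

The routine reset for "bob" scores zero because the agent recorded verification, the account is not privileged, and the follow-up sign-in comes from a network the user already used. The "admin.jane" chain trips every signal. The useful operational detail is the `verified` flag: if the help-desk tool does not force agents to record how they verified a caller, the first and cheapest signal is missing, which is exactly why the article's advice to enforce strict identity verification for IT requests matters.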