London Herald
Inside the M&S hackers’ hunt for new targets

By Jaxon Bennett, June 1, 2025


The hacking group that pierced the online defences of UK retailer Marks and Spencer has spent months this year laying digital traps designed to trick employees at the world’s biggest brands into giving up their passwords.

Scattered Spider — which cyber security experts describe as a criminal gang of male trash-talking, English-speaking fraudsters — was observed registering websites with nearly identical company names and sharpening their malware tool kits.

But their signature move is to exhaustively research company employees, successfully impersonate them on a phone call, and trick other colleagues into handing over the information needed to trigger a cyber attack.

The mix of online traps and real-world subterfuge has resulted in some of the most famous hacks of recent years, including the 2023 attack on MGM Casinos and Resorts in Las Vegas that shut down hotels along the city’s famous Strip.

They broke through at M&S last month, plunging the UK retailer into crisis with an up to £300mn hit to operating profits and wiping more than £600mn off its market capitalisation. 

It’s not just money. Those who have studied Scattered Spider said its members were also interested in another benefit: bragging rights.

“They’re not exclusively financially motivated — they like the clout, they like the mainstream media attention,” said Charles Carmakal, chief technology officer at Mandiant Consulting.

The hackers are leaders in the booming criminal “ransomware” industry. In 2023 alone, victims paid out at least $1bn to gangs who held their data ransom, according to Chainalysis, a firm that studies blockchains.

Tactics have matured in recent years so that hackers have specialities. Scattered Spider is among those to focus on the initial breach. Some sell software kits that encrypt crucial data. Others focus on ransom demands that drag on for months, facing off against seasoned negotiators, often from insurance providers. Even if payouts can be large, each group only gets a slice. 

Scattered Spider has left the job of negotiating their payday to a different ransomware gang that calls itself Dragon Force. If M&S pays, Dragon Force will unlock or delete the company’s proprietary data, a person representing the hackers told the Financial Times. So far, there’s no indication that M&S has caved to the blackmail.

M&S, which has been working with law enforcement and government agencies, said: “We cannot go into any details or speculation about the incident and have been advised not to.”

Scattered Spider moved on quickly. Zach Edwards, a threat researcher from Virginia-based cyber intelligence group Silent Push, who watched the hackers’ online preparations, said he had tried to warn as many other potential targets as he could over recent months.

They include watchmaker Audemars Piguet, matchmaker Tinder, fashion house Louis Vuitton, publishers Forbes and News Corp and even sandwich maker Chick-fil-A. There is no evidence that the hackers have successfully broken through the cyber defences of those companies. None responded to requests for comment.

But just after Easter, phones started ringing at help desks of US retailers. The calls were probably from Scattered Spider hackers pretending to be employees, according to several cyber security professionals who have been called in to help close down leaks.

“They tend to hit a bunch of companies in the same sector for a few weeks before they move on,” said Carmakal from Google-owned Mandiant, which began getting SOS calls from companies “telling us that they’re dealing with an active attack”.

While M&S has yet to reveal exactly how their systems were breached, London-based Dynarisk, which tracks threats online, said compromised credentials from major UK retailers were being traded for cash in online forums.

Scattered Spider is best known for having mastered a trick called “social engineering”, where they study online traces left behind by mid-level employees at major firms to get past a help desk clerk.

“They’re picking a target — maybe a senior developer — to be the person impersonating, so they may know their maiden name, their home address, they may have already bought a data broker profile on somebody,” said Silent Push’s Edwards.

In prior attacks, hackers impersonated IT workers, since their accounts have privileges that allow them to move swiftly through a firm’s tech infrastructure. When Scattered Spider breached MGM, one IT employee’s old password was a variation on his cat’s name, according to a data set sold online and seen by the FT.

“Hi, looks like I am locked out of my email — can you help now, or should I call during work hours?” a man with an American accent is heard in a recording sent to the FT on Telegram by a person claiming to have been hired to do voice work for Scattered Spider.

This person said he was paid in fractions of the cryptocurrency Ethereum but the last tranche never arrived. Complaining about the lack of full payment in a racist-meme filled Telegram channel, the person said they were provided the login to a Google Voice number, which he then used to call a help desk at a major US telecom provider.

The person deleted his Telegram account when asked by the FT for more proof of involvement with Scattered Spider. But it makes sense that the hackers would hire someone to follow a script, because having their own voices on tape makes their prosecution easier.

The hackers supposedly keep their own identities shielded from each other, calling each other Spider1, Spider2 and so forth in their internal communications, according to a member involved in the MGM hack who spoke to the FT in 2023.

That hasn’t stopped law enforcement from tracking at least a few down. Unlike hacking gangs operating in Belarus or Russia — outside the reach of the FBI or Europol — English-speaking “Spiders” tend to live in the west.

A series of arrests last year in Spain, the US and UK disrupted the group temporarily. After a hiatus, Scattered Spider appears to be back and enjoying the spotlight. One cyber security firm that specialises in studying them, CrowdStrike, has been selling action figures of the hacking group.

Before deleting his account, the person purporting to work with the hackers said all he wanted was “a gr8 ride with a Sp1DeR”, adding a common phrase among those in the Telegram channel: “Mischief before money.”

Additional reporting by Laura Onita and Kieran Smith


