Scattered Spider on the hook for M&S cyber attack


Scattered Spider – the teenage hacking collective that breached a number of organisations in 2023 in a series of social engineering attacks – has been linked to the ongoing cyber incident unfolding at Marks and Spencer (M&S), according to reports.

According to BleepingComputer, which was first to report the new development citing unnamed sources close to the investigation, Scattered Spider is known to have breached the retailer back in February 2025.

Supposedly, the Scattered Spider hackers were able to get their hands on an NTDS.dit file – an Active Directory Services database file containing password hashes for M&S Windows accounts. The gang was then able to crack these passwords and use them to infiltrate M&S’ Windows domain.

The attackers then allegedly deployed a white-label ransomware known as DragonForce on VMware ESXi hosts belonging to M&S on Thursday 24 April, three days after M&S first disclosed an incident.

M&S has declined to comment on the accuracy of these reports, so their veracity cannot be confirmed at this stage.

The incident first came to light after M&S experienced disruption to its contactless payment and click-and-collect service. It was later forced to suspend online shopping entirely and over a week later, its core e-commerce infrastructure remains offline, although its website is still accessible and can be browsed as normal. Its bricks-and-mortar stores are also open. It has also instructed company warehouse employees to stay home rather than travel to its clothing and homeware depot.

M&S, which was founded in Leeds as a market stall 141 years ago by a Polish immigrant, the eponymous Michael Marks, has lost hundreds of millions of pounds of value as a result of the cyber attack, with lost sales mounting up across the country.

At the time of writing, M&S maintained that there was no need for its customers to take any action – for how much longer this will be the case remains to be seen.

Not your average gang

A stand-out among threat actors, Scattered Spider is unusual in that it largely comprises English-speakers – although it has worked with Russian ransomware gangs before – and functions more as a loosely connected network, rather than an organised crew.

This means that despite some of its members being arrested and charged, including a British national named as Tyler Buchanan, who was indicted by the US Department of Justice (DoJ) in November 2024, Scattered Spider has been able to keep operating.

Robert McArdle, director of forward threat research at Trend Micro, said: “[They] assemble together for individual attacks and resemble the structure of hacktivist groups like past activity of Anonymous. Scattered Spider has routinely targeted retail suppliers … so targeting M&S would be ‘on-brand’.

“Scattered Spider has been active in various incarnations since 2022 until today but is very hard to classify as their organisation is so loose. Many attacks coming from English-speaking actors can be tied back to the broader group of which Scattered Spider is just a small, ill-defined subset.”

A bigger problem, said McArdle, is the growing threat emanating from Anglophone cyber criminals who, although they lack the businesslike organised crime structures favoured by old-school Russian ransomware gangs, make up for it in aggression and brazenness.

In one attack documented by Microsoft, a Scattered Spider hacker threatened one victim’s family. “If we don’t get your [redacted] login in the next 20 minutes were [sic] sending a shooter to your own home,” they said. “Ur spouse is gonna get shot if u don’t [sic] fold it [redacted].”