Scattered Spider: who are the hackers linked to M&S and Co-op cyberattacks?

As Marks & Spencer continues to deal with the fallout of a massive cyberattack, shoppers have been warned it could take months before normal services resume.

Following a spate of dramatic hacks on retailers – in which the Co-op and Harrods were also targeted – Scattered Spider, the group believed to be responsible, is "the name on every security practitioner's mind right now", said ITPro.

Who are they?

"Scattered Spider is one of the most dangerous and active hacking groups we are monitoring," Graeme Stewart, from security company Check Point, told Sky News.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Believed to be made up mainly of English-speaking teenagers and young adults based in the UK and US, the group has been linked to more than 100 cyberattacks across telecoms, finance, retail and gaming since first appearing in 2022.

The most high-profile of these to date came in 2023, when members brought two casino operators to their knees. Caesars Entertainment reportedly paid hackers around $15 million to restore its network, while MGM Resorts had to pay out an estimated $100 million in damages to customers who had had their personal information stolen.

The fact Scattered Spider's members are based around the world and are apparently unaffiliated to any state actors makes them tricky to pin down, Stefan Hostetler, from cybersecurity company Arctic Wolf, told ITPro. But this is not a "loose group of opportunistic hackers", said Stewart. "They operate more like an organised criminal network, decentralised and adaptive. Even with several arrests made in the US and Europe, their structure allows them to regroup quickly."

How do they operate?

Often by exploiting human vulnerabilities rather than technical system flaws. As in the case of the M&S and Co-op hacks, a so-called "social engineering attack" allowed the hackers to reset an employee's password, which was then used to breach the network. As well as imitating official company emails to obtain employee data, the hackers use "sim swapping" – where they clone an employee's phone number and then ask the company IT desk to reset their password – and create bogus login pages that closely mimic corporate sign-in portals.

This is akin to "breaking down the front door" of networks, Paul Cashmore, chief executive of cybersecurity consultancy Solace Cyber, told The Times. Once in, the hackers then hand over to a more specialised "ransomware" gang, who cripple the network and extort its owner.

In this case, Scattered Spider appears to be working with the DragonForce ransomware "cartel". Originating in Malaysia in 2023 as a pro-Palestinian "hacktivist" operation, DragonForce is a "ransomware-as-a-service operation where other cyber criminals can join as affiliates to use their ransomware encryptors and negotiation sites", said Bleeping Computer. In exchange, they receive "20-30% of any ransoms paid by extorted victims".

What do they want?

In a word, money. DragonForce contacted the BBC to claim the hack on the Co-op was far more serious than it had previously admitted, "apparently trying to extort the company for money". Membership organisations like the Co-op, which has a database of personal information for up to 20 million people, are particularly valuable targets.

Having encrypted a company's data, hackers will demand a ransom payment – in some cases millions of pounds – to retrieve a decryptor and promise that stolen data will be deleted. "If a ransom is not paid, the ransomware operation typically publishes the stolen data on their dark web data leak site," said Bleeping Computer.

Paying a ransom after a cyberattack presents a "complex moral and business dilemma for companies", said The Times. On one hand, "paying may provide a quick way to restore operations, protect customer data and limit immediate financial and reputational damage". But it also "carries significant long-term risks", encouraging criminal activity and potentially making the company a repeat target.