In recent weeks, a spate of cyberattacks has disrupted operations at major UK retailers including Marks & Spencer (M&S), Harrods, and the Co-op. A cybercriminal group known as Scattered Spider – linked to the DragonForce ransomware cartel – has claimed responsibility for these breaches.
The incidents have led to suspended operations and, in the case of Co-op, compromised customer data. This wave of attacks is a stark reminder of the increasing threat facing UK retailers and service providers. Proactive defence is now critical. In this article, we outline who Scattered Spider are, their methods, and how Systal can help organisations prepare, defend, and respond.
The Scattered Spider Threat to UK Organisations
Scattered Spider is an English-speaking cybercriminal group known for highly effective social engineering tactics. While their latest campaigns have targeted retailers, their operations extend across multiple sectors including legal, healthcare, and government. The group is financially motivated and often partners with the BlackCat/ALPHV ransomware gang to extort victims by threatening to leak stolen data or deploy ransomware.
Unlike many cybercriminals, Scattered Spider focuses on manipulating people rather than exploiting technology. Their methods echo those used by the LAPSUS$ group in 2022, targeting individuals through impersonation, abusing multi-factor authentication (MFA), and misusing legitimate tools. This “people-centric” approach makes every organisation vulnerable, especially those relying on helpdesks, third-party contractors, or public-facing systems.
The recent attacks prompted a warning from the National Cyber Security Centre (NCSC), urging all UK organisations to review their defences. If established brands like M&S and Harrods can fall victim, no business can afford complacency.
Scattered Spider Tactics and Techniques
- Social Engineering and Impersonation: Attackers often pose as internal IT staff to trick employees into sharing credentials or installing remote access tools. Once access is gained, they blend into internal systems using standard tools like Office 365, Teams, and SharePoint.
- MFA Fatigue (Push Bombing): By bombarding users with repeated MFA requests, attackers rely on human frustration. One mistaken approval is all it takes for them to gain access.
- SIM Swapping: By hijacking a victim’s phone number, attackers intercept SMS-based authentication, bypassing security controls and taking over accounts.
- Exploiting Third-Party Access: Scattered Spider frequently targets less secure third-party vendors with access to the main target’s systems. By compromising a trusted supplier or contractor, they can move laterally into the intended organisation.
- Technical Exploits and Phishing: While social tactics are favoured, the group also uses traditional cyberattacks, including phishing emails, malware, and known software vulnerabilities.
- Living Off the Land and Ransomware: Once inside, attackers use standard IT tools to avoid detection, such as remote desktop utilities and credential dumping software. Ultimately, they aim to steal data and deploy ransomware for maximum disruption and leverage.
7 Practical Measures to Strengthen Defences
UK organisations must act decisively to reduce the risk of attack. Systal recommends a defence-in-depth approach across people, processes, and technology:
- Educate Employees: Train staff on recognising phishing, impersonation, and social engineering. Reinforce that MFA requests must not be approved unless expected.
- Secure Helpdesks: Harden support processes. Require multiple verification steps for password or MFA resets. Implement call-back verification for urgent requests.
- Use Phishing-Resistant MFA: Deploy hardware security keys or app-based number matching that can’t be easily spoofed.
- Monitor Behaviour: Use logging and alerting tools to flag unusual activity, such as large file transfers or out-of-hours access.
- Restrict Third-Party Access: Review supplier access regularly. Enforce security standards on partners, including MFA and least-privilege permissions.
- Prepare and Test Response Plans: Maintain an incident response plan and rehearse it regularly. Ensure you can communicate securely if core systems are compromised.
- Maintain Cyber Hygiene: Patch systems promptly, use endpoint detection tools, and ensure backups are offline and recoverable.
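The "Monitor Behaviour" measure applied to the MFA fatigue pattern described earlier, as an added example that is not Systal's code or tooling: it flags users who receive a burst of denied or timed-out push prompts, and escalates when an approval lands on top of the burst. The event tuple format, the 10-minute window, the threshold of 5, and the usernames are assumptions; map them to whatever your identity provider actually logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window; tune to your environment
THRESHOLD = 5                   # assumed number of failed pushes that counts as a burst

# Constructed sample events (timestamp, user, push result); not real log data.
SAMPLE_EVENTS = [
    ("2025-05-01T02:10:00", "a.khan", "denied"),
    ("2025-05-01T02:10:40", "a.khan", "denied"),
    ("2025-05-01T02:11:30", "a.khan", "timeout"),
    ("2025-05-01T02:12:10", "a.khan", "denied"),
    ("2025-05-01T02:13:00", "a.khan", "timeout"),
    ("2025-05-01T02:13:45", "a.khan", "approved"),  # approval lands on top of the burst
    ("2025-05-01T09:00:00", "j.smith", "denied"),   # one mis-tap, then a normal login
    ("2025-05-01T09:00:30", "j.smith", "approved"),
    *[(f"2025-05-01T14:0{i}:00", "m.jones", "timeout") for i in range(5)],
]

def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user with `threshold` or more failed pushes inside `window`.

    'critical' means an approval arrived while the burst was still in the window
    (the single mistaken approval); 'warning' means a burst with no approval yet.
    """
    recent = defaultdict(deque)  # user -> timestamps of failed pushes still in window
    alerts = {}
    for ts, user, result in sorted(events):
        when = datetime.fromisoformat(ts)
        q = recent[user]
        while q and when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(when)
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"user": user, "severity": "warning",
                                             "failed": 0, "approved_at": None})
                a["failed"] = max(a["failed"], len(q))
        elif result == "approved":
            if len(q) >= threshold:
                alerts[user].update(severity="critical", approved_at=ts)
            q.clear()  # a completed login ends the current burst
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

A "critical" result is the case to act on first: treat the session that followed the approval as suspect until the user confirms it through a separate channel.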
How Systal Supports Cyber Resilience
As a global managed network, cloud and security transformation specialist, Systal helps enterprise organisations design, build, and maintain secure IT environments that are resilient to evolving threats. We offer clients both proactive and responsive cybersecurity services:
- Proactive Services: We conduct vulnerability assessments, threat hunting, and cyber awareness training tailored to your operations. Our experts help implement resilient identity and access management, strengthen helpdesk verification, and reduce third-party risk.
- Incident Response: Our Digital Forensics and Incident Response (DFIR) team is available 24/7 to help contain breaches, eradicate intruders, and support recovery. We provide rapid, expert-led action during high-impact incidents.
Systal operates across 93 countries, managing complex technology estates for global enterprises. Our cyber defence services are embedded within broader transformation programmes, ensuring security is not an afterthought but a strategic priority.
Act Now: Don’t Wait for the Next Attack
The tactics used by Scattered Spider are a clear signal that businesses must be better prepared. Cybercrime is no longer confined to IT – it threatens operational continuity, customer trust, and reputation.
Systal helps organisations move beyond reactive security. With global reach, proven cyber expertise, and a deep understanding of enterprise environments, we enable you to anticipate threats, act swiftly, and build lasting resilience.
To learn how Systal can strengthen your defences or support you in an incident, get in touch with our cybersecurity team today.