M&S and Co-op Attacks Linked to Scattered Spider Group Could Cost Retailers Half a Billion
A series of cyberattacks hitting U.K. retail giants Marks & Spencer and Co-op in April 2025 is now being treated as a single, large-scale incident, with investigators pointing the finger at the notorious Scattered Spider ransomware group.

Scattered Spider Suspected in U.K. Retail Cyberattacks
Remember those cyberattacks back in April that hit U.K. retailers like Marks & Spencer and Co-op? Well, investigators are now calling them a "single combined cyber event."
This assessment comes from the Cyber Monitoring Centre (CMC), a U.K.-based group created by the insurance industry to make sense of big cyber incidents. They're like the detectives of the digital world.
Basically, the CMC said that because one group claimed responsibility, the attacks happened around the same time, and the methods used were similar, it all points to one big operation.
The CMC has classified this whole mess as a "Category 2 systemic event," estimating the financial damage to be somewhere between £270 million ($363 million) and £440 million ($592 million). Ouch.
Interestingly, the cyber attack on Harrods that happened around the same time *isn't* included in this assessment. Apparently, there isn't enough information yet to link it to the other attacks.
So, how did these attackers get in? It seems they used good old-fashioned social engineering, targeting IT help desks to trick people into giving up access.
While the CMC is still investigating exactly who's behind it, all fingers are pointing to Scattered Spider (also known as UNC3944). This group has a reputation for using its English-speaking members to pose as IT personnel and gain unauthorized access.
According to the CMC, "The impact from this event is 'narrow and deep,' having significant implications for two companies, and knock-on effects for suppliers, partners, and service providers." It's a ripple effect.
Earlier this week, Google's Threat Intelligence Group (GTIG) warned that Scattered Spider has started targeting major insurance companies in the U.S.
"Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers," said John Hultquist, Chief Analyst at GTIG. So, insurance companies, take note!
Hultquist added, "The anticipated threat of Iranian cyber capability to U.S. organizations has been the focus of many discussions lately, but these actors are already targeting critical infrastructure. We expect more high-profile incidents in the near term as they move from sector to sector."
Meanwhile, Indian consulting giant Tata Consultancy Services (TCS) says that *its* systems weren't compromised in the attack against Marks & Spencer. But the Financial Times reported that TCS is investigating internally whether its systems were used as a starting point for the attack.
And in other news, the Qilin ransomware operation is trying a new tactic: offering legal assistance to victims to pressure them during ransom negotiations! They even claim to have in-house journalists to help with blog posts and victim negotiations. Talk about upping the ante.