Hackers from the Scattered Spider group, known for UK retail attacks, are now targeting US retailers, Google cybersecurity experts have warned.
The notorious cybercriminal group Scattered Spider is now actively targeting retail companies in the United States, following a string of disruptive attacks against similar businesses in the UK.
This warning comes directly from cybersecurity experts at Google Threat Intelligence Group (GTIG) and Google subsidiary Mandiant, who highlight the group’s effectiveness at bypassing even robust security measures.
“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” John Hultquist, Google’s cybersecurity analyst, said.
It’s worth noting that Scattered Spider (aka UNC3944) is the main suspect in the recent attacks on UK retail giants Harrods, Co-op, and M&S, but the UK’s National Cyber Security Centre (NCSC), Mandiant and Google have not formally attributed them to any specific actor as yet. Nevertheless, GTIG researchers suggest that the hackers targeting US retailers share similar techniques and procedures with the culprits behind the British incidents.
Researchers noted a possible link between DragonForce ransomware operators and Scattered Spider. The former took responsibility for recent attempted attacks on several UK retailers, using tactics similar to Scattered Spider’s. Moreover, both have been associated with the now-defunct RaaS platform RansomHub.
However, GTIG could not confirm the link between UNC3944/DragonForce and rising retail data leaks. Still, the increasing presence of retail victims on data leak sites (11% in 2025, up from earlier years) suggests that threat actors find this sector attractive because of its large PII/financial data holdings and its willingness to pay ransom to maintain transaction processing.
As per Hackread.com’s previous reporting, Scattered Spider is a financially motivated threat actor known for using social engineering techniques. They gained notoriety for hacking casino giants MGM Resorts International and Caesars Entertainment in 2023. They initially targeted telecommunications companies for SIM swapping and later started deploying ransomware to extort victims.
They’re also known for phishing attempts and MFA bombing, where they bombard targets with multi-factor authentication requests. Typically, UNC3944 goes after established enterprises, especially organizations with large help desks and outsourced IT departments, as these are more vulnerable to their sophisticated social engineering techniques.
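For defenders, MFA bombing shows up in authentication logs as a burst of push prompts to one account, and the dangerous case is an approval at the end of that burst. The following detection sketch is an added example, not taken from Google's or Hackread's reporting; the event fields, result values, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, result). Field names and
# result values are assumptions, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2025-05-14T02:10:05", "alice", "denied"),
    ("2025-05-14T02:10:40", "alice", "denied"),
    ("2025-05-14T02:11:15", "alice", "timeout"),
    ("2025-05-14T02:11:50", "alice", "denied"),
    ("2025-05-14T02:12:30", "alice", "approved"),
    ("2025-05-14T09:00:00", "bob", "approved"),
    ("2025-05-14T13:00:00", "bob", "denied"),
    ("2025-05-14T17:30:00", "bob", "approved"),
]

def detect_mfa_bombing(events, threshold=4, window=timedelta(minutes=5)):
    """Return one alert per user who receives >= threshold push prompts within
    window. An approval that follows a run of rejected prompts is marked
    critical, because it may mean the user gave in to the flood."""
    recent = defaultdict(deque)  # user -> (time, result) pairs inside the window
    alerts = {}
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, result))
        while now - q[0][0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        rejected = sum(1 for _, r in q if r != "approved")
        gave_in = result == "approved" and rejected >= threshold - 1
        severity = "critical" if gave_in else "warning"
        prev = alerts.get(user)
        # Keep the first alert per user, but let a critical replace a warning.
        if prev is None or (severity == "critical" and prev["severity"] != "critical"):
            alerts[user] = {"user": user, "severity": severity,
                            "prompts": len(q), "at": ts}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_EVENTS):
        print(alert)
```

A critical alert is a reason to revoke the session that the approval created and to contact the user out of band; the threshold and window need tuning against an organization's normal prompt volume.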
GTIG’s analysis shows that since early 2023 UNC3944 has targeted a diverse range of sectors, including Technology, Telecommunications, Financial Services, Business Process Outsourcing (BPO), Gaming, Hospitality, Retail, and Media & Entertainment organizations. Geographically, their primary targets have been even more diverse, including the US, Canada, the UK, Australia, Singapore and India.
The Retail & Hospitality ISAC, an information-sharing group that includes major players like Albertsons, Costco, McDonald’s, and Lowe’s, has acknowledged the threat and is working with Google to provide its members with detailed briefings and guidance on how to strengthen their defences against this evolving threat. The warning from Google serves as a clear signal for US retailers to be on high alert and to review their security protocols.
Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform:
“Scattered Spider (UNC3944) uses sophisticated social engineering to infiltrate and deploy ransomware. To defend against this group, secure privileged accounts, implement phishing-resistant MFA, and verify every help-desk identity request.”
“Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments,” Chad warned. “However, organizations with valuable data and critical availability needs are equally at risk.”