The threat actor group known as Scattered Spider (also tracked as UNC3944) has intensified its cyber offensives—this time hitting targets in the United Kingdom with increased sophistication and aggression. In a new blog post by Google’s Threat Intelligence team, security analysts outline a concerning evolution in the group’s tactics and raise red flags for U.S. retailers potentially next in the crosshairs.
Scattered Spider is a financially motivated threat actor group known for its social engineering prowess, SIM-swapping attacks, and living-off-the-land (LOTL) techniques. While its origins are believed to trace back to English-speaking actors, the group operates with near nation-state level precision, using MFA fatigue, help desk impersonation, and stolen session tokens to gain deep access.
Google’s report confirms that UNC3944 continues to “demonstrate persistence and adaptability in targeting organizations, particularly those in the retail, hospitality, and telecommunications sectors.”
“Scattered Spider is a particularly tricky and stealthy distributed group of cybercriminals and is considered part of ‘The Community,’ a broader group of cyber adversaries engaged in everything from SIM swapping to ransomware using widely available RaaS platforms. The group seems to be comprised of British and American teenagers based upon those arrested so far, but they operate with uncanny stealth and accuracy, defeating mafia-level cybersecurity defenses in many cases,” said Richard Staynings, Board Member and International Healthcare Cybersecurity Leader; Teaching Professor, University of Denver.
“They tend to focus on one industry at a time before moving on, so the attacks we have seen since mid-April against major U.K. retailers like Marks and Spencer, Harrods, and others will likely continue and move across the Atlantic, especially as U.S. tariffs drive up retail prices and force U.S. consumers to become more price conscious when shopping, pushing many more online in the search for bargains and pre-tariff prices.”
“The group is well known to employ social engineering tactics to gain access, so hardening your help desk is an immediate first step in defense,” Staynings continued. “Ramping up User Behavior Analysis and Network Anomaly Detection would also be strongly advised. Empowering users through regular and up-to-date Security Education Training and Awareness (SETA) is an absolute necessity when you know you are in the crosshairs, and all retailers should be taking staff off the line each week for increased awareness training. Even though this may have an associated cost, the alternative is a LOT more expensive and reputationally damaging.”
“Scattered Spider is a well-known, sophisticated cybercriminal group mostly known for hacking the casino operators MGM Resorts International and Caesars Entertainment. They usually deploy social engineering techniques to persuade employees into handing over credentials,” said Boris Cipot, Senior Security Engineer at Black Duck. “Amongst their other techniques, SIM swapping and MFA fatigue attacks are common. They are known to use legitimate remote management software, as for example AnyDesk or TeamViewer, to avoid detection, but are also known to partner with ransomware groups.”
“Their usual targets are in the hospitality and telecommunication sectors, however, they have shifted towards retail which could have, on one hand, monetary motivation, and on the other hand, a gap in deployment of cybersecurity tools and cybersecurity hygiene, which makes those targets easier to breach,” Cipot added. “The retail sector also has large amounts of highly sensitive personal data to offer, especially payment data, which is of great value for extortion or further sale.”
“Additionally, the retail sector has complex supply chains, making it harder to deploy resilient cybersecurity strategies. This opens another possibility to find exploitable holes in the systems. Furthermore, the retail sector is under high pressure during holiday seasons or events like Black Friday, Back to School, etc. Attacks during these times can be more successful, and with the added pressure on the target, they may be more willing to cooperate with the attacker as any amount of downtime can have devastating effects.”
Recent attacks in the U.K. demonstrate that Scattered Spider is experimenting with proactive persistence mechanisms, using remote monitoring tools like Atera and Syncro, and leveraging legitimate services to evade detection. The group is known to use multiple initial access vectors, often exploiting VPNs, Citrix, and remote desktop gateways.
What makes the U.K. activity particularly alarming is that it may represent a testing ground for upcoming U.S. campaigns, especially as the group looks to maximize profit via extortion and ransomware.
Google Threat Intelligence warns that U.S. retailers need to raise their guard even higher given the news across the pond: “Given UNC3944’s evolving tradecraft and specific targeting of retail and hospitality in the past, U.S.-based organizations—especially large retailers—should harden their environments now.”
Notably, the group has targeted Okta identity infrastructure in past campaigns and often works in partnership with ransomware affiliates, including BlackCat/ALPHV.
“Scattered Spider has proven to be a highly adaptive and efficient adversary, leveraging sophisticated social engineering, particularly against IT help desks, and exploiting identity and access management weaknesses to breach organizations,” said VJ Viswanathan, Founding Partner, CYFORIX (Former CISO & Sr. Executive at Keurig Dr Pepper, Comcast, HD Supply, and GE). “Their proficiency in bypassing traditional multi-factor authentication through methods like MFA fatigue and SIM swapping, coupled with their increasing focus on cloud environments and collaboration with ransomware affiliates, necessitates a pressure-tested defense-in-depth approach.”
Viswanathan added, “Looking through some of our recent engagements, it’s evident the threat actor tools, techniques and procedures often overlap, establishing a clear industrialization of the compromise life cycle. The opportunity conversion cost for attackers is often low thanks in part to gaps in identity workflows, anomaly detection and siloed technology and functional operations across multi-cloud and hybrid infrastructure.”
“In fact, I had to turn off password self-service and specific MFA options as part of a recent incident response engagement to force manual validation steps until an optimized operational process was re-established,” Viswanathan said. “As part of post-incident initiatives, the entire identity and access management program was redeveloped. Phishing and tamper-resistant MFA are a mandatory defense layer, and I would encourage organizations to specifically perform threat assessment drills against their identity and access management layer.”
Here’s how defenders can get ahead of UNC3944.
Strengthen identity and access controls
- Enforce phishing-resistant MFA.
- Monitor for anomalous login behavior across identity providers.
- Rotate and invalidate all session tokens when a compromise is suspected.
Harden remote access paths
- Monitor for unauthorized remote monitoring tools.
- Restrict access to administrative consoles from unmanaged devices or geographies.
- Use device-based trust policies.
Educate and empower your help desk
Increase visibility and detection
- Watch for new installations of remote access software (e.g., Atera, AnyDesk).
- Set alerts for unusual PowerShell, script usage, or shadow account creation.
- Leverage EDR to track persistence mechanisms across endpoint fleets.
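The detection items above (new remote monitoring tool installs, unusual PowerShell usage, shadow account creation, and anomalous logins across identity providers) can be prototyped as a single pass over endpoint and identity-provider events. The following is an added illustration written for this article, not code from Google Threat Intelligence or any of the vendors quoted; it assumes a simplified key=value log format, a constructed handful of sample events, and a constructed per-user baseline of sign-in countries, all of which would be replaced by a real SIEM or EDR feed in practice.

```python
import re
from collections import defaultdict

# Remote monitoring/management tools named in the article; assumption: their
# names appear in the executable path of the service or process that is started.
RMM_TOOLS = ("atera", "syncro", "anydesk", "teamviewer")

# Constructed sample events (not real telemetry). Values with spaces are quoted.
SAMPLE_LOGS = [
    r'ts=2025-05-01T08:02:11Z host=wks-101 event=process_start user=jdoe image=C:\Windows\System32\notepad.exe',
    r'ts=2025-05-01T08:15:40Z host=wks-101 event=service_install user=jdoe image="C:\Program Files\AteraNetworks\AteraAgent.exe"',
    r'ts=2025-05-01T08:16:02Z host=wks-101 event=process_start user=jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -enc QQBCAEMA"',
    r'ts=2025-05-01T08:20:00Z host=dc-01 event=user_created user=jdoe target=svc_backup2',
    r'ts=2025-05-01T09:00:00Z host=idp event=login user=jdoe country=GB',
    r'ts=2025-05-01T09:30:00Z host=idp event=login user=jdoe country=US',
]

# Constructed baseline: the countries each user has historically signed in from.
BASELINE_COUNTRIES = {"jdoe": {"GB"}}

# key=value pairs; the value is either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# PowerShell accepts -e, -ec, -enc and -encodedcommand as prefixes of -EncodedCommand.
ENCODED_PS_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s")


def parse_event(line):
    """Turn one key=value log line into a dict (quoted values may contain spaces)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def alert(rule, ev, detail):
    """Build a uniform alert record from the matching event."""
    return {"rule": rule, "ts": ev.get("ts"), "host": ev.get("host"),
            "user": ev.get("user"), "detail": detail}


def detect(lines, baseline):
    """Apply the four indicator checks from the article's list and return alerts in log order."""
    alerts = []
    # Copy the baseline so the function does not mutate the caller's data.
    seen = defaultdict(set, {user: set(countries) for user, countries in baseline.items()})
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event", "")
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "").lower()

        # 1. New installation or launch of a remote monitoring tool.
        if kind in ("service_install", "process_start") and any(t in image for t in RMM_TOOLS):
            alerts.append(alert("rmm_tool", ev, image))
        # 2. PowerShell launched with an encoded command line.
        elif image.endswith("powershell.exe") and ENCODED_PS_RE.search(cmdline):
            alerts.append(alert("encoded_powershell", ev, cmdline))
        # 3. Any account creation is surfaced for review (possible shadow account).
        elif kind == "user_created":
            alerts.append(alert("account_created", ev, ev.get("target", "")))
        # 4. Sign-in from a country not in the user's baseline.
        elif kind == "login":
            user, country = ev.get("user", ""), ev.get("country", "")
            if country not in seen[user]:
                alerts.append(alert("new_country_login", ev, country))
                seen[user].add(country)  # one alert per new country, not one per login
    return alerts


def run_detection():
    """Run the checks over the constructed sample set."""
    return detect(SAMPLE_LOGS, BASELINE_COUNTRIES)


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['ts']} {a['rule']:<20} host={a['host']} user={a['user']} {a['detail']}")
```

On the sample set the notepad launch and the U.K. login pass silently, while the Atera service install, the encoded PowerShell launch, the svc_backup2 account creation and the U.S. login each produce one alert. In a real deployment the account-creation rule would be tuned against change-management records, and the login rule would be fed by the identity provider's own sign-in logs rather than a hand-built baseline.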
“Scattered Spider uses sophisticated social engineering to infiltrate and deploy ransomware. To defend against this group, secure privileged accounts, implement phishing-resistant MFA, and verify every help desk identity request,” said Chad Cragle, CISO at Deepwatch. “Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments. However, organizations with valuable data and critical availability needs are equally at risk.”
Scattered Spider may not be a nation-state group, but its playbook has matured in ways that challenge enterprise defenders at every level. With active campaigns across the U.K., U.S. retailers—and all organizations operating critical digital infrastructure—must move quickly to harden identity and endpoint surfaces.
Google provided one simple piece of advice: “Security teams should assume they are being targeted and take proactive steps to detect and disrupt this adversary’s techniques.”