
Co-op, a UK retailer, resuming normal system operations after experiencing a significant cyber assault.

The business is gradually enhancing its infrastructure and increasing food deliveries to its 2,300 outlets, following supply complications.

Co-op, a notable UK retailer, is reviving its IT systems after a substantial cyberattack.

In a series of sophisticated cyberattacks, a notorious cybercriminal group known as Scattered Spider has targeted high-profile organisations, including the Co-op Group, Harrods, and Marks and Spencer (M&S), causing extensive financial damage and operational disruption.

The group, primarily composed of English-speaking teenagers from the UK and US, has been active since at least 2021. They have targeted various industries, including retail, telecom, finance, gaming, hospitality, and more recently, the airline sector.

The attacks on M&S and Co-op caused empty shelves and severe disruption to their online operations, indicating both operational and reputational damage. While specific attack details on Harrods are less documented publicly, it is known that the luxury department store was also among their high-profile retail targets.

Scattered Spider's modus operandi involves sophisticated social engineering and impersonation, exploitation of third-party vendors, rapid escalation, and ransomware deployment. They often impersonate internal IT staff and manipulate help desk protocols to gain initial access. They then exploit vulnerabilities in customer service platforms and third-party call centers, leveraging the reliance companies have on these external services.

After breaching systems, Scattered Spider quickly escalates privileges, disables recovery systems, exfiltrates sensitive data, and deploys ransomware, affecting both on-premises and hybrid cloud environments. They also use advanced techniques such as voice phishing and AI-generated voice spoofing, making their deception highly convincing even to trained personnel. The group tends to focus intensely on one sector for weeks before expanding its targeting to others.

Organisations can mitigate the risk of Scattered Spider attacks by implementing robust human and technical cybersecurity measures. These include strengthening identity verification and help desk protocols, enforcing multi-factor authentication, providing employee awareness and social engineering training, maintaining incident response readiness, monitoring and securing third-party vendor access, and hardening recovery systems.

The Co-op Group has reached the recovery phase following the cyberattack. Its stock-ordering system is back up and running, and normal supply processes have been restored. The Co-op Group is now able to accept multiple forms of payment, including contactless and chip-and-PIN. It is also increasing deliveries to stores, including additional fresh, chilled, and frozen products.

Certain member contact data was accessed during the Co-op Group's cyberattack, but no passwords or card information were compromised. The U.K. authorities are working with the affected companies to investigate the cyberattacks, but neither government officials nor the targeted companies have formally attributed the attacks to Scattered Spider.

In the wake of these attacks, the U.K.'s National Cyber Security Centre warns organisations to protect against account misuse and be on the lookout for risky logins within Microsoft Entra ID Protection. Google's Threat Intelligence Group has also released guidance on how to protect against Scattered Spider intrusions. Some reports speculate about the hackers deploying DragonForce ransomware, and researchers at Silent Push have discovered a new version of Spectre RAT, which Scattered Spider is using to gain persistent access to compromised systems.

The Co-op Group, with over 2,300 stores, operates 800 funeral homes and has a wholesale business that supplies more than 6,000 additional outlets. It is one of the world's largest consumer cooperatives, with over 6 million member-owners.


  1. The cybercriminal group Scattered Spider, known for its threat intelligence, has been targeting various industries, including finance, retail, technology, and more recently, the airline sector.
  2. After a cyberattack by Scattered Spider, the Co-op Group, a large consumer cooperative, has implemented robust cybersecurity measures, such as multi-factor authentication, employee training, and monitoring third-party vendor access.
  3. While the Co-op Group has recovered from its cyberattack, certain member contact data was accessed; no passwords or card information were compromised.
  4. Researchers at Silent Push have discovered a new version of Spectre RAT, which Scattered Spider is using to gain persistent access to compromised systems, suggesting a potential deployment of DragonForce ransomware.
