Google says hackers behind UK retail cyber campaign now also targeting US

Google warned on Wednesday that a hacking group suspected of conducting a series of disruptive cyberattacks on retailers in the United Kingdom has now turned its attention to similar companies in the United States.

John Hultquist, chief analyst at Google Threat Intelligence Group, said: “The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider.”

Scattered Spider is the name used to track a loosely affiliated cybercriminal group previously described by the FBI as an offshoot of a larger criminal subculture calling itself “the Community,” or “the Com.” While Google suspects links between Scattered Spider and the hackers targeting retail, its statement is not a formal attribution.

“The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note,” said Hultquist.

It follows recent incidents affecting Marks & Spencer, the Co-op, and luxury retailer Harrods. The group behind these attacks is reported to have attempted to monetize its access to the victims’ networks using the DragonForce ransomware.

Hultquist said: “These actors are aggressive, creative, and particularly effective at circumventing mature security programs,” adding “they have had a lot of success with social engineering and leveraging third parties to gain entry to their targets.”

The broader Scattered Spider group is believed to be responsible for ransomware attacks two years ago on casino giants MGM Resorts and Caesars Entertainment, prompting a warning from U.S. cybersecurity officials about the criminals’ SIM-swapping and social engineering activities.

Last July, police in the United Kingdom arrested a teenager for his alleged role in the MGM attack. Five other alleged members, all U.S. citizens, were last November charged for their alleged involvement with the group.

While the group appeared to have disbanded following those arrests, it had caught widespread attention with several high-profile attacks, including on the networks of Coinbase, Twilio, Mailchimp, LastPass, Riot Games and Reddit.