M&S cyberattack linked to Scattered Spider
Sources say the group first breached M&S in February
Last week’s cyberattack on Marks & Spencer has been linked to the same hacking group that hit MGM Resorts in 2023.
Sources have linked last week’s attack on Marks & Spencer, which shut down contactless payments and click-and-collect orders, as well as delaying online deliveries, to the Scattered Spider hacking collective.
Although still not officially confirmed, the disruption to payments and online services suggested a ransomware attack, which was backed up by sources speaking to BleepingComputer.
Although the attack hit over the Easter weekend, the sources told BleepingComputer the hackers first breached M&S in February.
That was when they apparently stole the Windows domain's NTDS.dit file, the main database for Active Directory Services running on a Windows domain controller.
Cracking the password hashes stored in this file would have given the attackers a list of plain-text passwords they could use to spread laterally through the network.
The sources also shared more information on the encryption the attackers used against M&S’s virtual machines. The threat actors are said to have deployed the DragonForce encryptor to VMware ESXi hosts, launching the attack on 24th April.
Finally, they said the investigation so far implicates Scattered Spider in the attack.
Who is Scattered Spider?
Unlike other hacking groups, Scattered Spider is not a cohesive whole, but a collection of individuals. Different members take part in each attack, making it difficult to track their movements.
The collective claimed responsibility for the 2023 attack on MGM Resorts, and is also thought to be behind an earlier attack on Caesars Entertainment.
Both of those attacks showed the group's hallmarks, including advanced social engineering and use of the BlackCat ransomware.
One possible reason Scattered Spider leans on social engineering is that its members are thought to be native English speakers, based in Western Europe and the USA.
This was confirmed late last year, when five individuals from the USA and UK were charged for their work with the group.
However, Scattered Spider remains active today.