Security Bulletin: Escalating Cyber-Attacks Targeting UK Retail Sector

Darren Kewley
Technical Director
Published
2 May 2025

Overview

Protos Networks’ Security Operations Centre (SOC) is aware that the news of major retailers, including Marks & Spencer, Co-op and Harrods, being the victims of cyber-attacks is causing great concern across businesses in all sectors. These attacks have led to substantial operational disruptions, including halted online services, supply chain issues and compromised IT systems. Protos Networks is publishing this bulletin for our customers and partners to help them understand the nature of these attacks, the adversaries potentially behind them, and how organisations can best protect themselves.

Coupled with these recent events, our Security Operations Centre (SOC) has noted an increase in external incident response (IR) engagement requests involving identity-based attacks and Microsoft cloud environments. The SOC has also seen an increase in confirmed True Positive security incidents across our client base in the past fortnight.

Threat Actor: Scattered Spider

[Image credit: CrowdStrike Falcon]

The hacking group known as Scattered Spider—also referred to as UNC3944, Octo Tempest, and Muddled Libra—is believed to be behind the attack on M&S and potentially other retailers. Comprising primarily young, English-speaking individuals from the UK and US, the group is notorious for sophisticated social engineering tactics, including phishing, SIM swapping and multi-factor authentication (MFA) fatigue attacks. They have previously targeted major corporations such as MGM Resorts and Snowflake.

Tactics, Techniques and Procedures (TTPs)

Scattered Spider is known to use social engineering and identity-based attacks to access customer systems, such as cloud infrastructure, and potentially deploy ransomware.

Below is a summary of the group’s key tactics:

1. Social Engineering and Initial Access

  • Impersonation of IT Staff: The group frequently poses as internal helpdesk or IT personnel to manipulate users into disclosing credentials or approving login attempts.
  • Phishing Campaigns: They craft highly convincing emails and SMS messages targeting employees to harvest login credentials for cloud accounts and identity providers (e.g., Entra ID and Okta).
  • SIM Swapping: Used to hijack mobile numbers and intercept multi-factor authentication (MFA) tokens or reset account credentials.

2. Cloud and Identity Exploitation

  • Identity Abuse, Session Hijacking, and Token Theft: Scattered Spider targets legitimate identities in cloud authentication systems such as Entra ID. It uses social engineering to gain a successful login and extract authentication tokens, bypassing MFA to maintain persistence.
  • MFA Fatigue Attacks: A common tactic employed is to repeatedly send MFA push notifications to legitimate users until they approve the request out of frustration or confusion.
  • Cloud Resource Enumeration: They use built-in tools and scripts to discover sensitive services and misconfigurations within AWS, Azure and Google Cloud environments.

3. Persistence and Privilege Escalation

  • Creation of New Accounts and Roles: To maintain long-term access, they create new user accounts, backdoor identity configurations or assign themselves privileged roles.
  • Abuse of Admin Tools: Leveraging admin interfaces and scripting capabilities in cloud platforms to manipulate policies, exfiltrate data, or move laterally within the organisation.

4. Data Theft and Ransomware Deployment

  • Exfiltration of Sensitive Data: Before deploying ransomware, the group often exfiltrates customer data, financial records or intellectual property to use as double extortion leverage.
  • Deployment of Ransomware Payloads: Leveraging remote access tools and domain-wide access, they deploy ransomware (e.g. BlackCat/ALPHV) across multiple systems, often after weeks of covert activity.

5. Operational Security and Evasion

  • Use of Legitimate Remote Tools: They commonly use tools like AnyDesk, Splashtop or RDP to minimise detection by appearing as legitimate user activity.
  • Disabling Security Monitoring: Tactics include disabling endpoint detection, tampering with logging configurations or targeting SIEM systems.
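The MFA fatigue pattern described in section 2 is one of the easier TTPs above to spot in sign-in telemetry. Below is an added example detector (example code, not Protos Networks’ or the bulletin’s own) that flags a user who receives a burst of failed or denied MFA prompts in a short window and escalates the alert if a successful sign-in follows the burst; the event schema and the sample events are constructed simplifications of Entra ID sign-in log fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified, assumed sign-in schema: time (ISO 8601), user, source ip, result.
# In real Entra ID sign-in logs a failed/denied MFA prompt is recorded with
# error code 500121; "success" here stands for a completed interactive sign-in.
def _ev(time, user, ip, result):
    return {"time": time, "user": user, "ip": ip, "result": result}

# Constructed sample events (not real logs): j.smith is bombarded with six
# push prompts in ~3 minutes and then approves one; a.jones mistypes once.
SAMPLE_EVENTS = [
    _ev(f"2025-05-01T08:0{m}:{s:02d}", "j.smith@example.co.uk", "203.0.113.7", "mfa_failed")
    for m, s in [(0, 5), (0, 40), (1, 15), (1, 50), (2, 30), (3, 10)]
]
SAMPLE_EVENTS.append(_ev("2025-05-01T08:04:10", "j.smith@example.co.uk", "203.0.113.7", "success"))
SAMPLE_EVENTS += [
    _ev("2025-05-01T09:10:00", "a.jones@example.co.uk", "198.51.100.4", "mfa_failed"),
    _ev("2025-05-01T09:10:30", "a.jones@example.co.uk", "198.51.100.4", "success"),
]

WINDOW = timedelta(minutes=10)   # look-back window for a prompt burst
FAIL_THRESHOLD = 5               # failed/denied prompts that constitute a burst


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_mfa_fatigue(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return one alert per user whose failed MFA prompts reach `threshold`
    inside `window`. Severity is 'critical' when a successful sign-in lands
    inside the same window after the burst started (the user gave in),
    otherwise 'high' (bombardment observed, no approval yet)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] == "mfa_failed"]
        for i, first in enumerate(fails):
            start, end = _ts(first), _ts(first) + window
            burst = [f for f in fails[i:] if _ts(f) <= end]
            if len(burst) < threshold:
                continue
            approved = any(e["result"] == "success" and start < _ts(e) <= end for e in evs)
            alerts.append({"user": user, "prompts": len(burst), "first_seen": first["time"],
                           "source_ips": sorted({f["ip"] for f in burst}),
                           "severity": "critical" if approved else "high"})
            break  # report the earliest qualifying burst per user
    return alerts
```

Tune `WINDOW` and `FAIL_THRESHOLD` to your tenant's baseline; source IPs in the alert help distinguish a user on a flaky device from prompts triggered from an unfamiliar location.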

Recommendations

To mitigate these threats, we advise the following actions:

1. Cyber Security Awareness Training:

  • Conduct ongoing security awareness training sessions on recognising and reporting phishing attempts and social engineering tactics.

2. Implement Phishing-Resistant MFA and Conditional Access Policies:

  • Utilise multi-factor authentication which requires number matching across all critical systems, ensuring they resist standard bypass techniques. Review Conditional Access policies to further restrict access into cloud systems to only trusted users and devices.

3. Software Updates:

  • Keep all software and operating systems up to date with the latest security patches. The Cyber Essentials standard requires that all critical and high-severity updates are installed within 14 days of release.

4. Monitor for Unusual Activity:

  • Ensure that critical systems, including endpoints, cloud systems and network devices are monitored around the clock for threats and unusual activity.

5. Endpoint, Network, Cloud and Identity Security:

  • Ensure that your organisation has defences such as Endpoint Detection & Response (EDR), intrusion prevention, identity protection and cloud security controls in place to provide defence-in-depth.

6. Incident Response Planning:

  • Establish a cyber security incident response plan, identify an incident response team and carry out regular exercises to test the effectiveness of the plans.

If your organisation requires further assistance, guidance or support, please contact [email protected].

References:

Scattered Spider MITRE ATT&CK information: https://attack.mitre.org/groups/G1015/

BBC News: https://www.bbc.co.uk/news/articles/c62x4zxe418o

Need Advice?

If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.

Email: [email protected]
Tel: 0333 370 1353