Criminal gang suspected to be behind M&S breach exposed as crippling tech chaos continues

BRITISH retail giant M&S continues to be plagued by a cyberattack that has halted all online orders.

The criminals suspected to be behind the attack are known collectively as “Scattered Spider” – one of the most prolific cybergangs of the past 18 months.

Online orders have been suspended since the attack. Credit: M&S

While M&S has not commented on the incident, multiple sources told BleepingComputer that Scattered Spider are responsible for the attack.

It comes as the retailer struggles to fill shelves in select stores.

The gang specialises in ransomware – a type of attack in which criminals take information or access and demand a sum of money in exchange.

They have been gaining a reputation for targeting large, customer-facing organisations through social engineering and identity-focused tactics.

“While they are not as well-resourced as some nation-state actors or long-established ransomware syndicates, Scattered Spider is far from ‘small fry’,” Jamie Akhtar, CEO and Co-founder at CyberSmart, told The Sun.

“Scattered Spider, also tracked as UNC3944, has become one of the most active and disruptive threat actors in the last 18 months.

“This is a group known not for sheer technical sophistication, but for their ability to manipulate access, often by impersonating employees or exploiting multi-factor authentication systems.”

Their most high-profile hack was the attack on Caesars Entertainment and MGM Resorts in 2023, two of the largest casino and gambling companies in the US.

The attack led to large-scale outages and cost the companies tens of millions in damages.

“That incident highlighted their preference for fast, bold attacks that blend extortion with disruption, characteristics that may well be mirrored in the M&S case,” explained Akhtar.

By impersonating an employee when calling the MGM Resorts IT help desk, cyber crooks were able to deploy ransomware onto the company’s servers.

These servers hosted thousands of virtual machines that supported gaming booths, online reservation systems, digital room keys and websites.

Both companies experienced days of disruption.

Customer information was also stolen, including names, contact information, dates of birth, driver’s license numbers and, for some, their social security and passport details.

If they are the group behind the M&S breach, then “it is likely that it followed a similar pattern to [the Caesars Entertainment and MGM Resorts] ransomware attack, allowing the gang to hide in their network, exfiltrate data, and steal crucial customer information,” said James Dyer, threat intelligence lead at KnowBe4.

The British-American cybergang is believed to have been founded in 2022.

Although Scattered Spider is their most popular title, the group goes by many other names, such as Star Fraud, Muddled Libra and more.

“Scattered Spider, whilst not the worst group, definitely have the skill set to cause fall out if required,” added Dyer.

“They have shown when they focus and deploy their assets effectively they can cause businesses to halt production.

“However, they are yet to hit the heights of LockBit or BlackCat due to their sophistication and unprecedented scale of the attacks.”

The group has also been known to collaborate with other malicious actors, like DragonForce, RansomHub and Qilin.

The FBI and the federal Cybersecurity and Infrastructure Security Agency (CISA) are closely watching the gang, as are commercial security experts.

“We’d be silly as defenders to not consider them as a threat,” Dyer continued.

“However, they’re well versed in this field, so being proactive and tracking this group will prove a challenge.

“They are not performing low-level mistakes like using the exact same malware, and therefore their attacks will co-evolve to ensure a higher level of success when they strike again.”

The goal of a ransomware attack is not just riches – but fame too.

Jake Moore, global cybersecurity advisor at ESET, told The Sun that the hacking of a household name could both aid the group’s reputation and increase the chances of it being handed a ransom.

“The attack on Marks & Spencer is primarily focused on making as much money as possible whilst gaining notoriety as the shop is so entrenched in British culture and history,” he said.

“Its popularity has made it become a headline story placing even more pressure on M&S to pay the demands.”

M&S declined to comment when approached by The Sun.

Timeline of cyber attack

  • Saturday, April 19: Initial reports emerge on social media of problems with contactless payments and click-and-collect services at M&S stores across the UK. Customers experience difficulties collecting online purchases and returning items due to system issues.
  • Monday, April 21: Problems with contactless payments and click-and-collect persist. M&S officially acknowledges the “cyber incident” in a statement to the London Stock Exchange. CEO Stuart Machin apologises for the disruption and confirms “minor, temporary changes” to store operations. M&S notifies the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) and engages external cybersecurity experts.
  • Tuesday, April 22: Disruptions continue. M&S takes further systems offline as part of “proactive management”.
  • Wednesday, April 23: Despite earlier claims of customer-facing systems returning to normal, M&S continues to adjust operations to maintain security. Contactless payments are initially restored, but other services, including click-and-collect, remain affected.
  • Thursday, April 24: Contactless payments and click-and-collect services are still unavailable. Reports surface suggesting the attackers possibly gained access to data in February.
  • Friday, April 25: M&S suspends all online and app orders in the UK and Ireland for clothing and food, although customers can still browse products. This decision leads to a 5% drop in M&S’s share price.
  • Monday, April 28: M&S is still unable to process online orders. Around 200 agency workers at the main distribution centre are told to stay home.
  • Tuesday, April 29: Information suggests that the hacker group Scattered Spider is likely behind the attack. Shoppers spot empty shelves in selected stores.
