Cyberattacks in UK are a wake-up call for retail industry

In recent weeks, major UK retailers Marks & Spencer (M&S), Co-op, and Harrods have fallen victim to sophisticated cyberattacks, highlighting the escalating threat landscape facing the retail sector.

The attacks: What happened?

  • Marks & Spencer (M&S): On April 21, M&S experienced a significant cyberattack attributed to the hacking group Scattered Spider. The attackers reportedly gained initial access as early as February by stealing the Active Directory database (NTDS.dit), allowing them to extract password hashes and escalate privileges. The attack led to the deployment of the DragonForce ransomware, disrupting online orders, contactless payments, and in-store operations. The incident resulted in daily revenue losses of approximately £3.8 million and a market value drop exceeding £500 million. 

  • Co-op: Shortly after the M&S incident, Co-op detected an attempted cyberattack, prompting the shutdown of parts of its IT systems, including virtual desktops and stock monitoring tools. While stores remained operational, the attack affected contactless payments in up to 200 stores and led to product shortages. Co-op confirmed that hackers accessed personal data, including names and contact details, of a significant number of its 6.2 million members. 

  • Harrods: The luxury department store also reported a cyberattack, though details remain limited. The incident underscores the broader targeting of UK retailers by cybercriminal groups.

Attack vectors and tactics

The attackers employed advanced social engineering techniques:

  • Impersonation of employees: Hackers posed as employees to deceive IT help desks into resetting passwords, granting unauthorized access to internal systems.

  • Credential theft: In M&S's case, the theft of the Active Directory database allowed attackers to extract and crack password hashes, facilitating lateral movement within the network.

  • Ransomware deployment: The DragonForce ransomware was used to encrypt critical systems, disrupting operations and demanding ransom payments. 

Who is Scattered Spider? 

Scattered Spider, also tracked as UNC3944 and sometimes linked with Octo Tempest, has quickly earned a reputation as one of the most aggressive and capable cybercriminal groups operating today. They’re a rare breed in the ransomware ecosystem: an English-speaking, highly organized crew that specializes in social engineering, SIM swapping, and abusing IT help desks to gain access to enterprise networks. Unlike traditional ransomware groups that develop their own malware, Scattered Spider operates like a freelance intrusion unit, frequently partnering with different ransomware-as-a-service (RaaS) operators to deliver the final blow.

Sophistication beyond typical ransomware crews

Unlike traditional ransomware affiliates that rely on malware alone, Scattered Spider specializes in highly targeted social engineering attacks, often impersonating employees in IT help desk calls to bypass MFA and gain initial access. They’re fluent in English, understand enterprise environments, and have been linked to SIM swapping, MFA fatigue attacks, and data exfiltration ahead of encryption.

Notable techniques

  • Phishing and vishing: Posing as internal staff to manipulate help desks into issuing password resets.

  • Active Directory dumping: As seen in the M&S breach, they extract and crack NTDS.dit files to escalate privileges.

  • Living-off-the-land: Using legitimate admin tools like PsExec, AnyDesk, and PowerShell to stay under the radar.

  • Ransomware deployment: Frequently associated with the BlackCat/ALPHV and DragonForce strains.

Ransomware groups associated with Scattered Spider

Ransomware group | Alias / notes | Context
ALPHV | BlackCat | Confirmed partner in MGM and Caesars attacks (2023)
RansomHub | Successor in some post-ALPHV operations | Used in late 2024/early 2025 by ex-ALPHV affiliates, likely including Scattered Spider
Royal | Seen in some campaigns tied to UNC3944 infrastructure | Possibly short-term or opportunistic use
LockBit | Some overlaps in TTPs, though not directly confirmed | Attribution is unclear, but indicators suggest potential collaboration or tooling exchange
DragonForce | Possibly a rebrand or splinter group | Used in recent high-profile attacks (e.g., M&S); still under investigation, but a link to ex-Scattered Spider/ALPHV operators is suspected
Black Basta | Not directly confirmed, but tactics overlap | Shared tradecraft raises suspicion of affiliation or joint operators


Big-game hunting

They don’t just go after small targets: Scattered Spider has been linked to breaches at Caesars Entertainment, MGM Resorts, and Clorox, where operational disruption had wide-scale impacts. Their playbook includes extortion, data leaks, and reputational damage.

Why it matters for retail

Their methods are a perfect fit for targeting retail environments, where IT support desks, distributed store systems, and legacy infrastructure provide ample surface for exploitation. Their attack on M&S, and potentially Co-op, shows they’re capable of hitting high-profile brands with real-world impact on operations and consumers alike.

Best security practices

These incidents highlight the need for robust cybersecurity measures:

  1. Strengthen help desk protocols: Implement strict verification processes to prevent unauthorized password resets.

  2. Enhance monitoring and detection: Utilize advanced threat detection tools to identify unusual activities, such as multiple failed login attempts or access from unfamiliar locations.

  3. Regularly update and patch systems: Ensure all systems and applications are up-to-date to mitigate known vulnerabilities.

  4. Employee training: Conduct regular cybersecurity awareness training to help employees recognize and report phishing attempts and other social engineering tactics.

  5. Implement multi-factor authentication (MFA): Add an extra layer of security to user accounts to prevent unauthorized access, even if credentials are compromised.

  6. Regular backups: Maintain up-to-date backups of critical data to facilitate recovery in the event of a ransomware attack.
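As an added illustration (not code from the original post), the Python prototype below applies practices 1 and 2 to constructed authentication events: it flags bursts of failed logins, successful logins from outside a user's location baseline, and a help-desk password reset followed by a login from an unfamiliar location, which is the reset-then-access sequence the attacks above relied on. The event tuple layout, user names and location codes are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs; the tuple layout is an assumption:
# (timestamp, user, event kind, location, result). A help-desk reset for "jsmith"
# precedes a burst of failed logins and a success from a never-seen location.
SAMPLE_EVENTS = [
    ("2025-04-21T09:00:00", "jsmith", "password_reset", "helpdesk", "success"),
    ("2025-04-21T09:05:00", "jsmith", "login", "GB", "fail"),
    ("2025-04-21T09:05:30", "jsmith", "login", "GB", "fail"),
    ("2025-04-21T09:06:00", "jsmith", "login", "GB", "fail"),
    ("2025-04-21T09:08:00", "jsmith", "login", "XX", "success"),  # XX = placeholder
    ("2025-04-21T10:00:00", "aturner", "login", "GB", "success"),
]
BASELINE = {"jsmith": {"GB"}, "aturner": {"GB"}}  # locations seen in normal activity

def parse(events):
    # Convert ISO timestamps to datetimes and order events chronologically.
    return sorted((datetime.fromisoformat(ts), u, kind, loc, res)
                  for ts, u, kind, loc, res in events)

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    # Users with at least `threshold` failed logins inside a sliding time window.
    recent, flagged = {}, set()
    for ts, user, kind, _loc, result in parse(events):
        if kind == "login" and result == "fail":
            q = recent.setdefault(user, [])
            q.append(ts)
            q[:] = [t for t in q if ts - t <= window]  # forget failures outside window
            if len(q) >= threshold:
                flagged.add(user)
    return flagged

def unfamiliar_logins(events, baseline):
    # Successful logins from a location absent from the user's baseline.
    return [(user, loc) for _ts, user, kind, loc, result in parse(events)
            if kind == "login" and result == "success"
            and loc not in baseline.get(user, set())]

def reset_then_unfamiliar_login(events, baseline, within=timedelta(hours=24)):
    # Reset followed, within `within`, by a success from a new location (help-desk pattern).
    last_reset, alerts = {}, []
    for ts, user, kind, loc, result in parse(events):
        if kind == "password_reset":
            last_reset[user] = ts
        elif (kind == "login" and result == "success" and user in last_reset
              and ts - last_reset[user] <= within
              and loc not in baseline.get(user, set())):
            alerts.append((user, loc, ts.isoformat()))
    return alerts
```

In production the same three checks would read from the identity provider's sign-in logs and the help-desk ticketing system, and the reset-then-new-location alert is the one worth routing straight to an analyst.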

These retail breaches are just the latest in a wave of increasingly targeted, socially engineered attacks. Our 2025 Threat Report breaks down the most dangerous actors of the year, including Scattered Spider, and the tactics, tools, and trends every business needs to watch. You can also stream our on-demand webinar on the report.