Scattered Spider is focus of police investigation

The disruption being caused by the wave of cyber attacks on UK retailers has been apparent for weeks. Empty shelves, cancelled online orders, the data of millions of customers stolen.

What has been much less clear is who is responsible, with the companies and authorities only giving limited details.

But, now – in their first interview – the National Crime Agency (NCA) has indicated where their suspicions lie, and named the notorious cyber-criminal collective Scattered Spider as a key part of their investigation.

The group is eye-catching for a number of reasons. Firstly, they are young, some of them teenagers. And second they are known to be native English speakers – the most high profile cyber criminals tend to come from other countries, such as Russia and North Korea.

There has speculation they have been involved in the UK retail hacks – but this is the first time the police have confirmed that possibility is being actively investigated.

“We are looking at the group that is publicly known as Scattered Spider, but we’ve got a range of different hypotheses and we’ll follow the evidence to get to the offenders,” Paul Foster, head of the NCA’s national cyber-crime unit, said in a new BBC documentary.

“In light of all the damage that we’re seeing, catching whoever is behind these attacks is our top priority,” he added.

The hacks have been carried out using DragonForce, a platform that gives criminals the tools to carry out ransomware attacks. However, the hackers pulling the strings have still not been identified and no arrests have been made.

Some cyber-experts say the hackers display the traits of Scattered Spider, a loose community of often young individuals who organise across sites like Discord, Telegram and in forums, most likely located in the UK and US.

Although the NCA says it is exploring all parts of the cyber-crime ecosystem, it too is looking in the same direction.

“We know that Scattered Spider are largely English-speaking but that doesn’t necessarily mean that they’re in the UK – we know that they communicate online amongst themselves in a range of different platforms and channels, which is, I guess, key to their ability to then be able to operate as a collective,” Mr Foster said.

M&S has been hit with ransomware, which has scrambled the company’s servers rendering computer systems useless. The high street giant is still struggling to keep shelves stocked and has halted online shopping for weeks. Hackers have also stolen customer and employee data from the company.

At Co-op, staff took systems offline to prevent a ransomware infection but a huge amount of customer and staff data was stolen and is being held to ransom. Operations at the firm’s supermarkets and funeral services have been badly affected.

It is not known what is happening at Harrods but the company admitted it had to pull computer systems offline because of an attempted cyber-attack.

When the hackers behind the M&S and Co-op attacks anonymously contacted the BBC last week, they declined to say whether or not they were Scattered Spider.

Cyber-security researchers at CrowdStrike formed the name “Scattered Spider” because of the group’s sporadic nature, but other cyber-companies have given the cluster nicknames including Octo Tempest and Muddled Libra.

The group was also linked to high-profile attacks including on two US casinos in 2023 and Transport for London last year.

And in November, the US charged five British and American men and boys in their twenties and teens for alleged Scattered Spider activity. One is 23-year-old Scottish man Tyler Buchanan, who has not made a plea, and the rest are US based.

NCA investigators will not say how the retail hackers have managed to breach victim organisations but earlier this month, the National Cyber Security Centre issued guidance to organisations urging them to review their IT help desk password reset processes.

“Calling up IT help desks is a tactic that Scattered Spider seems to favour and they use social engineering techniques to manipulate someone into doing something like clicking on a link or resetting someone’s account to a password they can use,” Lisa Forte, from cyber-security firm Red Goat, explained.

In the BBC documentary, a former teen hacker who was arrested nine years ago and now works in cyber-security, said he was not surprised that teenagers could be behind the hacks.

“It wouldn’t surprise me – quite [the] opposite. The tools are readily available and it’s very easy to jump online and search straight away. You can feel a bit untouchable but for what end? You’re gonna be arrested 99% of the time,” he said.