
Scattered Spider and DragonForce:
A Case Study in Human-Centric Cyber Threats

CategoryBehind the Exploit
ByOliver Simonnet

Preamble

In April 2025, several large UK retailers were targeted by cyber attacks that disrupted their services. Although attribution is still being confirmed, the indicators strongly point to Scattered Spider, a group known for aggressive, human-centric tactics and high-profile breaches.

This post is not an incident breakdown for each retailer. Instead, it uses these events as a real-world case study of Scattered Spider, a modern threat actor that relies on manipulating people rather than on technical exploits. Their operations highlight the urgent need for security strategies that go beyond traditional defences and awareness training.

The April 2025 attacks on UK Retailers

At the end of April 2025, three major UK retailers were hit by separate cyber attacks. Although not officially attributed, the attacks have been linked to the hacking collective known as “Scattered Spider” and to the use of the “DragonForce” ransomware.

The M&S Ransomware Attack

The attack on M&S (a UK retailer selling food, clothing and home goods) began covertly: initial access obtained in February 2025 was used to exfiltrate the NTDS.dit file, the Active Directory database that stores the domain’s user accounts and their password hashes. Those hashes can be cracked offline or reused directly in pass-the-hash attacks, which is why theft of NTDS.dit is treated as a domain-wide credential compromise requiring a reset of every account, including the krbtgt account. In late April the attackers deployed DragonForce ransomware on M&S servers, encrypting critical systems and leaving the M&S website unable to take online orders. The attack is estimated to have cost the company around £3.8M in sales per day, wiped an estimated £500–700M off its market value and forced it to pause recruitment while it dealt with the fallout.

The Co-op Data Breach

The Co-op Group, which operates thousands of grocery stores and other businesses in the UK, discovered a similar attack in late April. A social engineering attack reportedly allowed the threat actors to reset an employee’s password before breaching the network, giving the attackers access to the Co-op membership database, which includes information such as member names and contact details. In response, the Co-op pre-emptively shut down part of its IT infrastructure to contain the threat. This included partially disabling internet access, urging employees to keep their cameras on during meetings, not recording or transcribing calls, and asking staff to verify that all meeting participants were authorised Co-op staff.

The Harrods Attack

Around the same time as the M&S and Co-op attacks, Harrods (a UK department store) revealed that it had detected an attempted intrusion into its network. In response, Harrods temporarily restricted internet access and reportedly avoided any major disruption, suggesting that the attacker was blocked before they could do serious damage.

Who is Scattered Spider

“Scattered Spider” is the name given to a loose collection of English-speaking hackers, with members affiliated with the cybercriminal collective “The Com”. The group, also tracked as “UNC3944” (Google) and “Octo Tempest” (Microsoft), is known for exploiting people rather than technology through aggressive social engineering, and has been linked to other high-profile breaches such as the September 2023 attacks on MGM Resorts and Caesars Entertainment.

In November 2024, the US Department of Justice gave an insight into Scattered Spider’s personnel when it charged five individuals over the targeting of various unnamed American companies with “phishing” text messages. This revealed that the group appeared to consist of predominantly young native-English speakers, operating out of the UK and US – in contrast to many other ransomware groups that predominantly operate out of Eastern Europe, Asia, and Russia.

“DragonForce” began as a pro-Palestine hacktivist group, allegedly based in Malaysia and operating across the Asia-Pacific region and the US. More recently the group is believed to have expanded into ransomware operations, and in April 2025 it claimed to have taken over RansomHub, a ransomware-as-a-service (RaaS) operation whose tooling Scattered Spider is known to have used.

Tactics, Techniques, and Procedures (TTPs)

Although direct attribution has not been confirmed, what ties Scattered Spider operations together are the tactics used. The group specialises in targeting the human element of organisations, manipulating and deceiving people rather than exploiting technology. Its attacks therefore tend to combine phishing, phone-based deception and abuse of multi-factor authentication to get inside an organisation.

A few key TTPs observed include:

  • Attack Waves – Scattered Spider operations typically occur in waves of attacks against prominent brands in specific industries, generating media attention before the group shifts to other targets.

  • Phishing and Credential Theft – The attackers often start with targeted phishing emails, text messages (smishing) and phone calls (vishing) aimed at employees. These messages impersonate trusted services (VPN logins, Microsoft 365 portals, etc.) to steal usernames, passwords and one-time passcodes (OTPs).

  • MFA Fatigue (push bombing) – This attack abuses push-based multi-factor authentication (MFA) by bombarding the target with repeated login approval requests. The goal is to “fatigue” the user into approving a request out of confusion or frustration, granting the attackers access to their account. Push MFA that requires number matching, or phishing-resistant factors such as FIDO2 keys, removes the option of blindly tapping “Approve”.

  • SIM Swapping – SIM swapping involves deceiving or bribing mobile carrier support staff into transferring a victim’s phone number to an attacker-controlled SIM card. The attackers use the hijacked number to intercept SMS-based MFA and password reset codes for corporate accounts, which is why SMS should not be the only second factor for any privileged account.

  • Social Engineering – Because Scattered Spider operatives are native English speakers, they have an edge when impersonating IT staff or employees. Fluency in English lets the group reliably call a company’s help desk posing as an employee who needs a password or MFA reset, or call employees posing as the help desk. As seen in the MGM Resorts breach, this exploits employee trust and internal jargon to deceive staff into revealing credentials, granting remote access or downloading malicious payloads.

  • Living off the Land – Once persistence is established, Scattered Spider relies on the victim’s own tools and documentation rather than custom malware. The group searches SharePoint sites, credential storage documentation, virtual infrastructure, backups and user guidance for setting up and accessing VPNs. At the same time it has been found monitoring Slack, Microsoft Teams and Exchange for conversations about whether the intrusion has been discovered.

  • Ransomware Deployment – In many cases, including M&S, the group’s end goal is to deploy ransomware on critical systems and profit financially from the breach. Historically the group has partnered with multiple ransomware-as-a-service (RaaS) operations, including ALPHV/BlackCat and DragonForce.
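As an added example (not code from the original post or from CultureAI), the following Python script shows what detecting the MFA fatigue pattern above looks like when run over sign-in logs. The log format, field names and sample events are constructed for illustration, and the thresholds (five pushes inside a ten-minute window) are assumptions to tune against your own baseline; real identity-provider exports use different field names and need normalising into this shape first.

```python
"""
Added example, not code from the original post or from CultureAI: a small
detector for the MFA "push fatigue" pattern, run over constructed sign-in
log lines.

Assumed (not from the post): each log line is a JSON object with the fields
ts (ISO-8601, UTC), user, event and src_ip, where event is one of
mfa_push_sent, mfa_push_denied, mfa_push_approved. Real IdP exports
(Entra ID, Okta, Duo) use different field names; normalise them first.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). "jsmith" receives five pushes in
# under eight minutes from one IP, denies two of them, then approves one.
# "acho" is a normal single-push sign-in.
SAMPLE_LOG = """
{"ts":"2025-04-20T02:01:10Z","user":"jsmith","event":"mfa_push_sent","src_ip":"203.0.113.45"}
{"ts":"2025-04-20T02:01:52Z","user":"jsmith","event":"mfa_push_denied","src_ip":"203.0.113.45"}
{"ts":"2025-04-20T02:03:05Z","user":"jsmith","event":"mfa_push_sent","src_ip":"203.0.113.45"}
{"ts":"2025-04-20T02:03:40Z","user":"jsmith","event":"mfa_push_denied","src_ip":"203.0.113.45"}
{"ts":"2025-04-20T02:05:12Z","user":"acho","event":"mfa_push_sent","src_ip":"198.51.100.7"}
{"ts":"2025-04-20T02:05:30Z","user":"acho","event":"mfa_push_approved","src_ip":"198.51.100.7"}
{"ts":"2025-04-20T02:05:58Z","user":"jsmith","event":"mfa_push_sent","src_ip":"203.0.113.45"}
{"ts":"2025-04-20T02:07:21Z","user":"jsmith","event":"mfa_push_sent","src_ip":"203.0.113.45"}
{"ts":"2025-04-20T02:08:44Z","user":"jsmith","event":"mfa_push_sent","src_ip":"203.0.113.45"}
{"ts":"2025-04-20T02:09:02Z","user":"jsmith","event":"mfa_push_approved","src_ip":"203.0.113.45"}
"""

WINDOW = timedelta(minutes=10)   # sliding window for counting pushes (assumed)
PUSH_THRESHOLD = 5               # pushes within WINDOW that raise an alert (assumed)


def parse_log(text):
    """Parse newline-delimited JSON into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=PUSH_THRESHOLD):
    """Return one alert per user who received >= threshold pushes inside any
    sliding window. The alert is marked approved_after_burst when the user
    approves a push within `window` of the burst's last push, which is the
    moment a fatigue attack succeeds."""
    pushes = defaultdict(deque)   # user -> timestamps of pushes inside window
    denials = defaultdict(int)    # user -> denials seen so far
    src_ips = defaultdict(set)    # user -> source IPs seen
    alerts = {}
    for ev in events:
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        src_ips[user].add(ev["src_ip"])
        if kind == "mfa_push_sent":
            q = pushes[user]
            q.append(ts)
            while ts - q[0] > window:      # drop pushes older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {
                    "user": user, "pushes": 0, "denials": 0,
                    "first_push": q[0], "last_push": ts,
                    "approved_after_burst": False, "src_ips": src_ips[user],
                })
                a["pushes"] = max(a["pushes"], len(q))
                a["last_push"] = ts
                a["denials"] = denials[user]
        elif kind == "mfa_push_denied":
            denials[user] += 1
        elif kind == "mfa_push_approved":
            a = alerts.get(user)
            if a and ts - a["last_push"] <= window:
                a["approved_after_burst"] = True
    return list(alerts.values())


def severity(alert):
    """High when the burst ended in an approval: treat as a likely account
    compromise (revoke sessions, reset credentials, contact the user out of
    band). Medium otherwise: the user held out, but the password is known."""
    return "high" if alert["approved_after_burst"] else "medium"


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(severity(alert), alert["user"], alert["pushes"], "pushes,",
              alert["denials"], "denials, from", sorted(alert["src_ips"]))
```

Two points worth keeping in mind when adapting this: a burst that never ends in an approval is still an alert, because the attacker must already hold a valid password to trigger pushes at all; and the source IP of the burst is worth comparing against the user’s usual locations, since fatigue campaigns are typically driven from infrastructure the employee has never signed in from.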

Explore and understand these threats more using the Human Threat Map.

It’s All About the Human Factor

These incidents all have one thing in common: the exploitation of humans rather than technology. Whether it was an employee interacting with a fake login page or a member of the help-desk team being manipulated over a phone call or text, the attackers succeeded by manipulating people. There was no 0-day exploit or sophisticated technical hack, just the abuse of human behaviour to get in.

These types of threat actors are both concerning and fascinating. Concerning, because every organisation relies on humans who can make mistakes. Fascinating, because it means improving security isn’t just about buying the latest tech or training. It’s about protecting your people.

Conclusion

These attacks re-emphasise the importance of human risk management in modern cybersecurity. Groups like Scattered Spider show that even the most robust technical defences can be bypassed through social engineering and the exploitation of human behaviour, resulting in financial losses, operational disruption, and reputational damage.

However, by adopting proactive, human-centric security strategies, organisations can reduce their likelihood of falling victim to these attacks in the future. This means going beyond awareness training and giving users tools that help them recognise, prevent and respond to threats in real time.

Perhaps one day we can stop viewing employees as the “weakest link” in cybersecurity. With the right support and risk management technologies, people might just become one of our strongest lines of defence.

References

bleepingcomputer.com - Marks & Spencer breach linked to Scattered Spider

https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack

independent.co.uk - M&S hackers tricked IT help desk workers to access company systems, says report

https://www.independent.co.uk/news/business/m-s-coop-hack-scattered-spider-it-worker-b2745218.html

independent.co.uk - Wave of retailer hacking incidents ‘a wake-up call’, minister to say

https://www.independent.co.uk/news/uk/politics/pat-mcfadden-government-marks-spencer-spencer-manchester-b2744030.html

thehackernews.com - RansomHub Went Dark April 1; DragonForce Claimed Control

https://thehackernews.com/2025/04/ransomhub-went-dark-april-1-affiliates.html

sentinelone.com - DragonForce Ransomware Gang

https://www.sentinelone.com/blog/dragonforce-ransomware-gang-from-hacktivists-to-high-street-extortionists/

google.com - Defending Against UNC3944

https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations

sans.org - Defending Against SCATTERED SPIDER and The Com

https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/

infosecurity-magazine.com - Inside DragonForce

https://www.infosecurity-magazine.com/news/dragonforce-goup-ms-coop-harrods/

theguardian.com - M&S cyber-attack linked to hacking group Scattered Spider

https://www.theguardian.com/business/2025/apr/29/m-and-s-cyber-attack-linked-to-hacking-group-scattered-spider

bbc.co.uk - Co-op cyber attack affects customer data, firm admits

theguardian.com - How ‘native English’ Scattered Spider group linked to M&S attack operate

https://www.theguardian.com/technology/2025/may/01/how-native-english-scattered-spider-group-linked-to-ms-attack-operate

therecord.media - CISA, FBI warn of Scattered Spider expertise with social engineering

https://therecord.media/cisa-fbi-warn-of-scattered-spider-cybercrime-group

cisa.gov - Scattered Spider (Advisory AA23-320A)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

humanthreatmap.com

https://humanthreatmap.com/
