Google is sounding the alarm: Scattered Spider, the cyber extortion group behind recent attacks on major UK retailers, is now setting its sights on U.S. companies. The warning comes as the group—also tracked as UNC3944—continues to escalate its aggressive, fast-moving ransomware and social engineering operations. “Shields up, US retailers. They’re here,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group, in a May 17 post on X (formerly Twitter).
His statement followed a detailed Mandiant threat intelligence report that outlined Scattered Spider’s latest tactics and pointed to an uptick in cyberattacks across multiple industries, with retail now clearly in the crosshairs.
From the UK to the US: A Spreading Threat
Just days ago, the DragonForce ransomware group claimed responsibility for cyberattacks on Co-op, Harrods, and Marks & Spencer (M&S). M&S later confirmed that customer data had been compromised in the breach. While DragonForce publicly took credit, researchers at Mandiant noted that DragonForce recently aligned itself with RansomHub, a ransomware-as-a-service (RaaS) operation that includes Scattered Spider as an affiliate.
Mandiant’s data shows that UNC3944 has launched sector-specific waves of attacks, hitting financial institutions in late 2023 and food service providers in May 2024. Now, retail is the new battleground—and the US market is next.
Although Google has not directly attributed the UK attacks to Scattered Spider or DragonForce, its intelligence team believes the same threat actors are now actively targeting U.S. retailers.
“These actors are aggressive, creative, and particularly effective at circumventing mature security programs,” Hultquist warned. “Their preferred tools include social engineering, SIM swapping, and help desk exploitation.”
Retailers: High Value, High Risk
According to Mandiant, retailers are prime targets for financially motivated groups like UNC3944 due to the rich stores of personally identifiable information (PII) and financial data they hold.
Worse still, ransomware attacks can directly halt a retailer’s ability to process transactions, making them more likely to pay ransom demands quickly to minimize losses.
“We’ve confirmed this group has already targeted multiple U.S. retail organizations,” said Mandiant CTO Charles Carmakal. “Their method? Calling help desks to reset passwords and gain access. They’re resourceful and fast—making it difficult for defenders to keep up.”
Fewer than ten U.S. retail companies have been affected so far, but Carmakal noted that some victims have been forced to shut down systems proactively to contain the damage—sacrificing operations to stop intrusions from spreading.
Mitigating the Risk: Act Now
Mandiant has released a hardening guide with steps organizations can take to mitigate the tactics, techniques, and procedures (TTPs) commonly used by Scattered Spider.
Key recommendations include:
- Tightening help desk authentication procedures
- Monitoring for signs of SIM swapping
- Limiting third-party access to sensitive systems
- Implementing zero-trust architectures for internal operations
“The opportunity for other retailers to put their shields up is now,” said Hultquist. “The pattern of attacks makes clear that this group is not going away—and retail is firmly in their sights.”