Keeping your shops secure

Lessons learned from recent cyberattacks on the retail sector

Authors: Phalan Denyer, Assistant, Forensic services
Daniel Sibthorpe
12/08/2025

Following any major cyberattack, an essential part of the recovery process is being able to reflect on what can be learned from the incident.

The cyberattacks on Marks and Spencer (M&S), the Co-op and Harrods demonstrate the escalating cyber threats retail businesses face today. No matter the size and sophistication of a business, the weakest link remains the same: people. The tactics used by Scattered Spider (the organisation responsible for these attacks) reveal just how catastrophic exploiting the ‘human’ aspect of cyber security can be for a business.

Now the dust has settled and the facts of the incidents have been established, we examine the learnings you can take and apply to your organisations, helping you to improve your resilience to cybercrime.

Scattered Spider: Who they are and how they operate

Scattered Spider is a decentralised global cybercriminal group, primarily composed of young, native English speakers. Motivated by financial gain, the group typically conducts ransomware attacks and data extortion against large organisations across various industries and countries. Their attacks often involve double extortion – first encrypting a victim’s data, then threatening to publish it on the dark web unless the ransom is paid on time.

Unlike many cybercriminals who rely on technical exploits to gain access to systems and networks, Scattered Spider exposes the ‘human’ element of cyber security, in the form of social engineering. Social engineering involves the criminal manipulating an end user (often via impersonation or creating a false sense of urgency) into revealing confidential information or performing actions that compromise their security. This approach is particularly effective because it allows them to bypass technical controls by exploiting human behaviour.

Scattered Spider’s tactics pose a difficult question: how can staff be sure the person on the other end of the call is who they claim to be? With the prevalence of remote work and AI-generated deepfakes set against a backdrop of urgency, identity checks - like seeing the caller in person, voice familiarity, or personal details - are no longer reliable.

What are the lessons learned from recent incidents?

The recent attacks on the retail sector present both a warning and an opportunity for improving businesses’ cyber security. Below are the key lessons from the attacks. Applying these learnings should help to mitigate similar attacks in the future.

Fortify service desk and third-party access

  • Enforce strict identity verification processes for password reset requests, such as callback on known numbers or verifying multiple security tokens, to ensure the request is legitimate.
  • Limit the privileges and restrict access for third-party IT support, and monitor any unusual password reset activity or requests being made to them.

Network segmentation

  • Implement zero trust architecture that ensures every access request is authenticated and authorised.
  • Segment critical systems into smaller, isolated subnetworks so credential compromise doesn’t allow lateral movement across the whole network.

Enhance monitoring and detection

  • Monitor systems for abnormal exfiltration or unusual admin login attempts and multi-factor authentication (MFA) resets.
  • Monitor systems for signs of phishing associated with Scattered Spider’s known tactics. For example, a caller claiming to have forgotten their password and to have lost access to their MFA device at the same time.
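The two monitoring points above (unusual admin logins and MFA resets, and the "forgotten password plus no MFA" pattern) can be turned into a simple correlation rule. The following Python sketch is an added example, not code from the article or from Crowe: it reads constructed sample log lines in a hypothetical pipe-delimited format (timestamp|event|user|source), flags any account where a service-desk password reset, an MFA reset and an admin login occur in that order within 30 minutes, and separately counts service-desk resets per day so a spike can be compared against a baseline. The event names and the 30-minute window are assumptions to be mapped onto your own identity provider's logs.

```python
"""Correlate identity events that, taken together, resemble a service-desk
account takeover: password reset -> MFA reset -> admin login, all within a
short window. Added example; log format and event names are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: timestamp|event|user|source).
# j.smith shows the full chain; a.jones has a reset with a login a day later
# (normal); k.lee has a self-service MFA reset on its own (normal).
SAMPLE_LOGS = """\
2025-08-01T09:02:11|helpdesk_password_reset|j.smith|servicedesk
2025-08-01T09:03:40|mfa_reset|j.smith|servicedesk
2025-08-01T09:05:02|admin_login|j.smith|203.0.113.7
2025-08-01T10:15:00|helpdesk_password_reset|a.jones|servicedesk
2025-08-02T08:00:00|admin_login|a.jones|198.51.100.4
2025-08-01T11:00:00|mfa_reset|k.lee|selfservice
"""

# Ordered sequence that should raise an alert when it completes within WINDOW.
SUSPICIOUS_SEQUENCE = ["helpdesk_password_reset", "mfa_reset", "admin_login"]
WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, source = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "source": source})
    return sorted(events, key=lambda e: e["ts"])


def find_reset_then_login(events, window=WINDOW):
    """Return one alert per user whose events match SUSPICIOUS_SEQUENCE in
    order, with the whole chain completing within `window` of the first reset."""
    by_user = defaultdict(list)
    for e in events:  # events are already time-ordered, so per-user lists are too
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if first["event"] != SUSPICIOUS_SEQUENCE[0]:
                continue
            step = 1  # index of the next event we expect to see
            for nxt in evs[i + 1:]:
                if nxt["ts"] - first["ts"] > window:
                    break  # chain did not complete in time; not suspicious
                if nxt["event"] == SUSPICIOUS_SEQUENCE[step]:
                    step += 1
                    if step == len(SUSPICIOUS_SEQUENCE):
                        alerts.append({
                            "user": user,
                            "reset_at": first["ts"].isoformat(),
                            "login_at": nxt["ts"].isoformat(),
                            "login_source": nxt["source"],
                        })
                        break
    return alerts


def helpdesk_reset_counts(events):
    """Count service-desk password resets per calendar day, to compare against
    a normal baseline (a sudden increase is itself worth a look)."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "helpdesk_password_reset":
            counts[e["ts"].date().isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOGS)
    for alert in find_reset_then_login(parsed):
        print("ALERT possible service-desk takeover:", alert)
    print("service-desk resets per day:", helpdesk_reset_counts(parsed))
```

In a real deployment the three event names would map to your identity provider's audit events and the alert would feed a SOC queue; the point of the rule is that each event alone is routine, while the ordered chain in a short window is exactly the pattern a service-desk social-engineering call produces.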

Regular social engineering training and encouraging reporting

  • Train staff to recognise social engineering techniques, such as phishing, impersonation, spoofing, and MFA fatigue.
  • Regularly simulate real-world phishing attacks on your organisation to increase your employees’ awareness.
  • Empower staff to report mistakes as soon as they happen. No one is immune to phishing and mistakes, such as clicking an unknown link, can happen. However, the sooner it is reported, the sooner the potential attack can be mitigated.

Ransomware preparedness and response

  • Review your organisation’s backup procedures. For example, what data can your business restore and how quickly? How often is data backed up?
  • Perform tabletop incident response scenarios with key stakeholders to test incident response strategies and highlight any potential governance or communication challenges.

While the modus operandi employed by Scattered Spider is nothing new, it does provide us with a reminder that staff can unwittingly provide access to your organisation if controls are missing. Defending against social engineering requires more than strong technical measures; it demands effective governance, regular staff training, and third-party oversight. As recent incidents have shown, a single breach can trigger widespread operational, financial, and reputational damage.

How Crowe can help

At Crowe we offer a range of services from cyber governance and employee training to supply chain resilience and vulnerability testing. If you would like further advice or support, our Forensic Services team is always available for a no obligation conversation to help ensure your organisation is effectively managing cyber risks and is prepared to respond in the event of an incident.

Contact us


Tim Robinson
Partner, Cyber Security and Counter Fraud