Scattered Spider Launches Supply Chain Attacks on UK Retail Organizations

Scattered Spider, also tracked as Roasted 0ktapus, Scatter Swine and UNC3944, has emerged as a formidable threat actor targeting UK retail organizations.

Active since May 2022, this financially motivated group has historically focused on telecommunications and business process outsourcing (BPO) sectors but has now shifted its attention to high-leverage industries, including critical infrastructure and retail, particularly during peak seasonal periods.

Evolving Threat Tactics

Their recent attacks on UK retail supply chains demonstrate a blend of social engineering and technical exploitation, leveraging third-party vendor dependencies and seasonal staffing pressure to infiltrate networks.


This evolution reflects a broader trend in the ransomware ecosystem, where access brokers, malware developers, and extortionists collaborate using white-labeled infrastructure, as seen in their potential partnership with DragonForce or its affiliates for ransomware deployment.

Scattered Spider’s modus operandi includes a range of advanced tactics, techniques, and procedures (TTPs) that exploit both human and technological weaknesses.

Their attacks often begin with social engineering methods such as SMS phishing (smishing), voice phishing (vishing), and MFA fatigue (repeated push prompts until the target approves one). The group frequently impersonates IT or helpdesk staff to harvest credentials and one-time codes, and conversely impersonates employees to talk helpdesks into resetting passwords or re-enrolling MFA devices.
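MFA fatigue leaves a recognisable trail in authentication logs: a burst of denied or expired push prompts for one account, sometimes followed by a single approval. The following is an added example, not code from the article or from Cyberint, that flags such bursts in a constructed, vendor-neutral event list; the field layout, the 10-minute window and the 5-prompt threshold are assumptions to tune against real sign-in logs.

```python
"""Flag MFA push-fatigue bursts in sign-in events (added example).

The event tuples below are constructed for illustration and do not follow
any specific identity provider's schema; adapt the parser to your own logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, MFA result, source IP)
SAMPLE_EVENTS = [
    ("2025-04-30T08:00:05", "alice", "denied",   "198.51.100.7"),
    ("2025-04-30T08:00:41", "alice", "denied",   "198.51.100.7"),
    ("2025-04-30T08:01:10", "alice", "timeout",  "198.51.100.7"),
    ("2025-04-30T08:01:52", "alice", "denied",   "198.51.100.7"),
    ("2025-04-30T08:02:30", "alice", "timeout",  "198.51.100.7"),
    ("2025-04-30T08:03:15", "alice", "approved", "198.51.100.7"),
    ("2025-04-30T09:15:00", "bob",   "denied",   "203.0.113.9"),
    ("2025-04-30T09:40:00", "bob",   "approved", "203.0.113.9"),
]

# Results that mean the user did not accept the prompt (assumed vocabulary).
UNAPPROVED = {"denied", "timeout"}


def parse(events):
    """Group events per user and sort them chronologically."""
    by_user = defaultdict(list)
    for ts, user, result, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), result, ip))
    for rows in by_user.values():
        rows.sort()
    return by_user


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: finding} for users with >= threshold unapproved MFA
    prompts inside any sliding window of length `window`.

    A finding also records whether an approval landed within one window
    after the burst, which is the case that most needs a responder.
    """
    findings = {}
    for user, rows in parse(events).items():
        rejected = [(t, ip) for t, r, ip in rows if r in UNAPPROVED]
        start = 0
        for end in range(len(rejected)):
            # Shrink the window from the left until it spans <= `window`.
            while rejected[end][0] - rejected[start][0] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            burst_end = rejected[end][0]
            approved_after = any(
                r == "approved" and burst_end <= t <= burst_end + window
                for t, r, _ in rows
            )
            # Keep the largest burst seen for this user.
            if user not in findings or count > findings[user]["prompts"]:
                findings[user] = {
                    "prompts": count,
                    "approved_after_burst": approved_after,
                    "sources": sorted({ip for _, ip in rejected[start:end + 1]}),
                }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(user, finding)
```

In the constructed data only "alice" trips the rule: five unapproved prompts in under three minutes followed by an approval, which is exactly the sequence a fatigued user produces. The single denial for "bob" stays below threshold. Treat `approved_after_burst` as the priority signal, since it indicates the attacker likely holds a valid session.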

Once initial access is gained, the group employs cloud exploitation tactics, demonstrating deep familiarity with environments like Azure, AWS, and Microsoft 365.

Advanced Exploitation Techniques

According to a Cyberint report, they utilize legitimate remote management tools like AnyDesk and ConnectWise Control for persistence, alongside the POORTRY malicious kernel driver and its STONESTOP user-mode loader to terminate Endpoint Detection and Response (EDR) processes.

Their exploitation of vulnerabilities such as CVE-2015-2291 in the Intel Ethernet diagnostics driver (loaded as a bring-your-own-vulnerable-driver for kernel-level code execution and privilege escalation) and CVE-2021-35464 in ForgeRock Access Management (pre-authentication remote code execution) gives them both local privilege escalation and a foothold on exposed servers.
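Both the POORTRY/STONESTOP pairing and the CVE-2015-2291 technique depend on getting a driver loaded, so the practical check is a hunt over driver-load telemetry. The following is an added example, not code from the article or from Cyberint, that scores constructed Sysmon-style "driver loaded" (Event ID 6) records on three signals: a filename on a known-vulnerable list, a signature that is not reported valid (POORTRY samples carried certificates that were later revoked), and a load path outside the system driver directories. The record values, the single-entry vulnerable-driver list and the directory allow-list are assumptions; in production feed the list from a maintained source such as loldrivers.io and match on hashes as well as names.

```python
"""Hunt for suspicious kernel driver loads (added example).

Records mimic Sysmon Event ID 6 field names; the values are constructed
and the vulnerable-driver list is a placeholder for a maintained feed.
"""
import os

# Constructed sample records (not real telemetry).
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\helpdesk1\AppData\Local\Temp\iqvw64.sys",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Intel Corporation"},
    {"ImageLoaded": r"C:\ProgramData\svc\drv.sys",
     "Signed": "true", "SignatureStatus": "Revoked",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
]

# Minimal placeholder list; extend from a maintained vulnerable-driver feed.
KNOWN_VULNERABLE_DRIVERS = {
    "iqvw64.sys": "Intel Ethernet diagnostics driver, CVE-2015-2291",
}

# Directories where legitimately installed drivers normally live (assumed).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)


def assess_driver_load(record):
    """Return a list of reasons the load looks suspicious (empty if clean)."""
    reasons = []
    path = record["ImageLoaded"]
    # os.path.basename is POSIX-aware on Linux, so normalise the separators.
    name = os.path.basename(path.replace("\\", "/")).lower()

    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {KNOWN_VULNERABLE_DRIVERS[name]}")

    status = record.get("SignatureStatus", "")
    if status.lower() != "valid":
        reasons.append(f"signature status {status!r}")

    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system driver directories")
    return reasons


def hunt(records):
    """Return (path, reasons) for every record with at least one reason."""
    findings = []
    for record in records:
        reasons = assess_driver_load(record)
        if reasons:
            findings.append((record["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_DRIVER_LOADS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

A valid signature on its own is not a clean bill of health: the Intel driver in the second record is genuinely signed, and that is precisely why it is useful to an attacker. The combination of a known-bad name with a user-writable load path is what should page someone.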

Additionally, Scattered Spider has deployed BlackCat (ALPHV) ransomware on Windows, Linux, and VMware ESXi systems since mid-2023, and in retail intrusions it prioritises high-value data such as loyalty-program records and payment tokens, in some cases extorting victims over stolen data alone without deploying encryption.

Their use of anonymizing proxies, SIM swapping, and data exfiltration tools like Rclone and MEGAsync further complicates detection, while aggressive victim communication tactics aim to pressure organizations into compliance.

This shift towards UK retail highlights the group’s strategic focus on high-impact targets during critical sales periods, exploiting high helpdesk turnover and seasonal staff vulnerabilities.

Their ability to conduct lateral movement within networks, perform reconnaissance across diverse environments, and disable security tools poses a significant risk.

As Scattered Spider continues to refine its approach and collaborates with Russian-speaking ransomware affiliates such as the BlackCat operators, organizations must prioritise phishing-resistant MFA (push-based approval is exactly what fatigue attacks abuse), strict identity verification before helpdesk password or MFA resets, employee training against phishing, and continuous monitoring of supply chain partners to mitigate these persistent and stealthy threats.

Indicators of Compromise (IOCs)

Type        Value                  Last Observation Date
IPv4-Addr   98.100.141.70          Apr 30, 2025
Url         http://138.68.27.0     Apr 30, 2025
IPv4-Addr   198.44.136.180         Apr 30, 2025
IPv4-Addr   195.206.107.147        Apr 30, 2025
IPv4-Addr   195.206.105.118        Apr 30, 2025
IPv4-Addr   194.37.96.188          Apr 30, 2025
IPv4-Addr   193.37.255.114         Apr 30, 2025
IPv4-Addr   193.27.13.184          Apr 30, 2025
IPv4-Addr   193.149.129.177        Apr 30, 2025
IPv4-Addr   192.166.244.248        Apr 30, 2025
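The IOC list above is only useful once it is run against traffic records. The following is an added example, not code from the article or from Cyberint, that normalises the published indicators (the URL entry is reduced to its host so it matches firewall as well as proxy logs) and sweeps them across constructed log lines. The log formats and the example internal addresses are assumptions; the indicator values are copied verbatim from the table.

```python
"""Sweep the article's IOCs across proxy and firewall log lines (added example)."""
import re
from urllib.parse import urlparse

# Indicator values copied from the IOC table above.
ARTICLE_IOCS = [
    ("IPv4-Addr", "98.100.141.70"),
    ("Url", "http://138.68.27.0"),
    ("IPv4-Addr", "198.44.136.180"),
    ("IPv4-Addr", "195.206.107.147"),
    ("IPv4-Addr", "195.206.105.118"),
    ("IPv4-Addr", "194.37.96.188"),
    ("IPv4-Addr", "193.37.255.114"),
    ("IPv4-Addr", "193.27.13.184"),
    ("IPv4-Addr", "193.149.129.177"),
    ("IPv4-Addr", "192.166.244.248"),
]

# Constructed log lines (not real traffic): firewall and proxy formats are assumed.
SAMPLE_LOGS = [
    "2025-04-30T11:02:13Z fw01 action=allow src=10.20.1.57 dst=195.206.107.147 dport=443",
    "2025-04-30T11:03:40Z proxy01 user=helpdesk2 GET http://138.68.27.0/ 200",
    "2025-04-30T11:05:02Z fw01 action=allow src=10.20.1.58 dst=203.0.113.5 dport=443",
    "2025-04-30T11:07:55Z proxy01 user=helpdesk2 CONNECT 193.27.13.184:443 200",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_iocs(iocs):
    """Reduce every indicator to a host string so one matcher covers all types."""
    hosts = set()
    for kind, value in iocs:
        if kind == "Url":
            host = urlparse(value).hostname
            if host:
                hosts.add(host)
        else:
            hosts.add(value)
    return hosts


def match_logs(lines, hosts):
    """Return (line, [matched hosts]) for each line mentioning an IOC host."""
    hits = []
    for line in lines:
        matched = sorted(set(IPV4.findall(line)) & hosts)
        if matched:
            hits.append((line, matched))
    return hits


def pivot_by_ioc(hits):
    """Invert the hit list so each IOC maps to the lines that referenced it."""
    by_ioc = {}
    for line, matched in hits:
        for host in matched:
            by_ioc.setdefault(host, []).append(line)
    return by_ioc


if __name__ == "__main__":
    hosts = normalize_iocs(ARTICLE_IOCS)
    for host, lines in pivot_by_ioc(match_logs(SAMPLE_LOGS, hosts)).items():
        print(host, "seen in", len(lines), "line(s)")
```

The `pivot_by_ioc` view is the one to take into an incident: grouping by indicator shows which infrastructure was actually contacted and from which internal users or hosts, which is the starting point for scoping rather than a flat list of matching lines.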
