UK authorities arrest four people in probe of retail cyberattack spree

Four people were arrested in the U.K. on Thursday as part of a National Crime Agency investigation into April’s high-profile cyberattack spree against retail giants Harrods, Marks & Spencer and Co-op. 

The suspects — two 19-year-old men, a 17-year-old man and a 20-year-old woman — are being held on suspicion of violating the Computer Misuse Act, blackmail, money laundering and participating in organized crime activities, according to the NCA. 

They are believed to be affiliated with the notorious cybercrime gang Scattered Spider, which cybersecurity experts have linked to the hacks of the three retailers and subsequent attacks on U.S. retailers and global insurance and aviation businesses.

Police arrested the suspects at their homes in West Midlands and London, seizing multiple electronic devices that will be analyzed for forensic evidence. 

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency’s highest priorities,” Deputy Director Paul Foster said in a statement. 

The West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit assisted the NCA in the operation. 

Foster said the arrests marked a significant step in the probe, although work continues with partner agencies in the U.K. and elsewhere to identify and arrest more suspected hackers. 

“Their aggressive social engineering tactics and relentless pursuit of access have proven particularly challenging for many defenders, and resulted in considerable damage to organizations in the UK and U.S.,” said Charles Carmakal, CTO at Mandiant Consulting. “This action by law enforcement underscores the critical importance of international collaboration in combating cybercrime.”

Members of the Scattered Spider group have been arrested in the past, including a 23-year-old from Scotland who was extradited to the U.S. in April after being held in Spain since last year. 

“Hacking is not a victimless crime,” a spokesperson for Co-op told Cybersecurity Dive via email. “Throughout this period, we have engaged fully with the NCA, and relevant authorities and are pleased on behalf of our members to see this had led to these arrests today.”

The chairman of M&S, one of the first victims in this year’s hacking spree, told a House of Commons subcommittee this week that the cyberattacks were likely the work of a ransomware group called DragonForce, working in cooperation with Scattered Spider. 

Scattered Spider is believed to be a decentralized collective with English-speaking members across the U.K. and the U.S., making it unclear whether the four people arrested were involved in any additional attacks.