Inside the M&S Hackers’ Search for New Targets



The hacking group that penetrated the online defenses of UK retailer Marks and Spencer has spent this year setting digital traps designed to deceive employees at the world’s largest brands into giving up their passwords.

Scattered Spider, described by cybersecurity experts as a shifting criminal gang of male, English-speaking fraudsters, registers websites with names almost identical to those of companies and sharpens its malware tools.

But their signature move is to research a company’s employees thoroughly, impersonate them successfully in a phone call, and deceive other colleagues into handing over the information needed to breach its cybersecurity.

The combination of online and real-world tricks has led to some of the most famous hacks in recent years, including the 2023 attack on MGM casinos and resorts in Las Vegas that closed hotels along the city’s famous Strip.

They penetrated M&S last month, plunging the UK retailer into a crisis, with a hit of up to 300 million pounds sterling to operating profits and more than 600 million pounds wiped from its market value.

It is not just about money. Those who have studied Scattered Spider say its members are also interested in another reward: bragging rights.

“They are not financially driven exclusively – they love influence, and love the attention of the main media,” said Charles Carmakal, the head of technology at Mandiant Consulting.

The hackers are leaders in the thriving criminal ransomware industry. In 2023 alone, victims paid at least one billion dollars to gangs that held their data for ransom, according to Chainalysis, a company that studies blockchains.

Tactics have matured in recent years to the point that hackers now specialize. Scattered Spider is among those that focus on the initial breach. It sells some software kits that encrypt critical data. Others focus on ransom demands that last for several months, and face experienced negotiators, often from insurance providers. Although the payments can be large, each group gets only a slice.

Scattered Spider has left the task of negotiating a payday to a different ransomware gang that calls itself DragonForce. If M&S pays, DragonForce will unlock or delete the company’s proprietary data, a person representing the hackers told the Financial Times. To date, there is no indication that M&S has been drawn into the extortion.

“We cannot enter into any details or speculation about the incident and have been advised not to,” said M&S, which is working with law enforcement and government agencies.

Scattered Spider has moved quickly. Zach Edwards, a threat researcher at Virginia-based Silent Push, who has watched the hackers’ preparations online, said he had tried to warn many other potential targets in recent months.

They include watchmaker Audemars Piguet, matchmaker Tinder, fashion house Louis Vuitton, publishers Forbes and News Corp, and even sandwich maker Chick-fil-A. There is no evidence that the hackers have succeeded in breaking through the cyber defenses of these companies. None responded to requests for comment.

But immediately after Easter, the phones began to ring at American retailers. The calls were likely from Scattered Spider hackers pretending to be employees, according to many security professionals who were called in to help close the breaches.

“They are telling us that they are dealing with an active attack,” said Carmakal of Google-owned Mandiant, who started receiving SOS calls from companies.

Although M&S has not yet revealed how its systems were breached, London-based Dynarisk, which tracks online threats, said that compromised credentials from major UK retailers are being traded for cash on online forums.

Scattered Spider is known for its skill at a trick called “social engineering”, in which its members study the online traces left by mid-level employees at major companies in order to get past the help desk clerk.

“They choose a target – perhaps a senior developer – to be the person they impersonate, so they may know their maiden name, their home address, and they may have already bought a file of data on someone,” said Edwards of Silent Push.

In previous attacks, the hackers impersonated information technology staff, because their accounts have privileges that allow them to move quickly through a company’s technology infrastructure. When Scattered Spider breached MGM, the employee’s old password was a variation on the name of his cat, according to a data set sold online and seen by the FT.

“Hello, it seems that I am locked out of my email – can you help now, or should I call during working hours?” a man with an American accent is heard saying in a recording sent to the FT on Telegram by a person claiming to have been hired to do voice work for Scattered Spider.

This person said that he was paid in fractions of the Ethereum cryptocurrency, but the last installment never arrived. Complaining on a racist channel about not being paid in full, the person said he had been provided with a login to Google, which he then used to call the help desk at a major American telecom provider.

The person deleted his Telegram account when the FT asked him for further proof of his involvement with Scattered Spider. But it makes sense for the hackers to hire someone to follow a script, because having their own voices on tape would make it easier to prosecute them.

The hackers are supposed to keep their identities secret from each other, and they addressed each other as Spider1, Spider2 and so on in their internal communications, according to a member involved in the MGM hack who spoke to the FT in 2023.

This has not prevented law enforcement from tracking down at least a few. Unlike hacking gangs in Belarus or Russia, beyond the reach of the FBI or Europol, the English-speaking “spiders” tend to live in the West.

A series of arrests last year in Spain, the United States and the United Kingdom temporarily halted the group. After the pause, Scattered Spider appears to have returned and to be enjoying the limelight. CrowdStrike, a cybersecurity company that specializes in studying them, has been selling action figures of the hacking group.

Before deleting his account, the person who claimed to work with the hackers said that all he wanted was a “GR8 trip with SP1DER”, adding a phrase common on the Telegram channel: “Harming before the money.”

Additional reporting by Laura Onita and Kieran Smith


