Vigilance urged across industries as Scattered Spider's strategies adapt chaotically
Scattered Spider Resumes Activities, Posing Ongoing Threat to Multiple Industries
The cybercrime gang Scattered Spider has resumed activities despite recent arrests, and its tactics continue to evolve with new malware variants and social engineering methods.
In 2025, Scattered Spider re-emerged strongly, targeting UK retailers initially before expanding to the U.S., Canada, and Australia. The group has been attacking the insurance, retail, and airline industries, with high-profile targets including British department store Marks & Spencer, Whole Foods distributor United Natural Foods, and Australian airline Qantas.
Law enforcement and cybersecurity agencies, including the FBI, CISA, the UK's NCSC, and counterparts in Australia and Canada, have issued updated warnings about Scattered Spider's sophisticated social engineering attacks. The cybercriminal collective has a large membership, reportedly up to 1,000 individuals, primarily young English-speaking men from the U.S. and UK, which leaves it loosely organized yet capable of global reach.
Scattered Spider frequently changes tactics, techniques, and procedures (TTPs) to avoid detection while continuing data theft, extortion, and ransomware attacks. The group has perfected a strategy based on tricking IT help desks into handing over user credentials or bypassing multifactor authentication technology.
To mitigate potential attacks by Scattered Spider, a coalition of information-sharing groups (ISACs) has urged its members to take additional steps. Recommended measures include strengthening help desk and IT support training, implementing and enforcing multifactor authentication, monitoring and restricting use of remote access tools, enhancing visibility and monitoring for suspicious activity, following detailed advisory and mitigation guidance, and proactively conducting internal phishing simulations and cybersecurity awareness programs.
Financial services firms must remain diligent in the face of the ongoing threat posed by Scattered Spider and its associates. Multiple layers of approvals should be implemented for sensitive requests such as large financial transfers to prevent theft. The ISACs have also urged their members to develop multichannel verification methods to ensure password resets or other requests are coming from a real employee.
The ISACs warn that Scattered Spider has developed an evolving set of tactics to conduct social-engineering attacks on its targets. Threat groups, either affiliated with or inspired by Scattered Spider, continue to pose a threat and may find new ways to evade existing security measures.
In summary, despite recent arrests, Scattered Spider remains an active and adaptive threat. Organisations, particularly in critical infrastructure, retail, telecommunications, and aviation sectors, should urgently apply recommended cybersecurity controls and monitor updated threat intelligence to mitigate the risk of compromise.
- The evolving tactics employed by Scattered Spider, such as data theft, extortion, and ransomware attacks, pose an ongoing threat not only to the retail, insurance, and airline industries, but also to privacy in the banking, insurance, and technology sectors.
- Scattered Spider's large membership poses a significant cybersecurity threat to multiple industries, including finance, aviation, and transportation, as its social engineering methods have proven effective.
- The cybersecurity industry must collaborate to combat the ongoing activities of Scattered Spider, developing multichannel verification methods and enhancing awareness programs to protect sensitive data.
- With Scattered Spider targeting high-profile companies such as Marks & Spencer and Qantas, it is crucial for the cybersecurity industry to share threat intelligence and implement additional security measures to protect customer privacy.
- The resumption of activities by Scattered Spider underscores the need for continued vigilance in cybersecurity across all industries, as their adaptive nature and global reach indicate a prolonged cyber threat.