
Understanding and Mitigating Scattered Spider Attacks on Retail Giants

In the last few weeks, the UK retail sector has suffered a series of cyber attacks targeting prominent retailers Marks & Spencer, the Co-op, and Harrods. These attacks, attributed to the hacking group known as Scattered Spider, have caused significant disruptions and financial losses. We aim to give our clients and prospective clients a comprehensive understanding of these incidents, and to offer proactive hardening recommendations to help safeguard against similar threats.
Who or what is Scattered Spider?
Scattered Spider is a loosely affiliated and adaptive hacking group, mostly composed of English-speaking teenagers and young adults based in the UK and US. Operating like an organised criminal network, they have been linked to over 100 cyber-attacks across various sectors, including telecoms, finance, retail, and gaming, since their emergence in 2022. Their favoured method of gaining a foothold is to exploit human weaknesses through social engineering rather than technical system flaws; once inside, they exploit internal technical vulnerabilities.
The recent attacks on these three companies, amongst others, have highlighted the group’s capabilities and the severe impact they can have on retail operations. Marks & Spencer experienced significant disruptions, including the suspension of online orders and job listings, shortages in stores, and a substantial loss in market value. Harrods, while continuing operations, has faced challenges in ensuring the security of customer data. The Co-op has also been affected; whilst details of its specific disruptions remain unclear, it is plain to see that stock levels in individual shops are suffering.
Proactive Hardening Recommendations
Considering these attacks, it is crucial for businesses to adopt or continue proactive measures to enhance their cyber security posture. Based on recent guidance from Google’s security teams, here are some key recommendations to help mitigate the risk of similar incidents:
Identity Management
- Implement phishing-resistant authentication methods such as hardware security keys or software passkeys. These methods provide stronger protection against phishing attacks compared to traditional multi-factor authentication
- Transition to passwordless authentication where possible, again to provide a stronger defence against a phishing attack
- Ensure that users have the minimum level of access necessary to perform their job functions. Regularly review and adjust access permissions to reduce the risk of misuse
- Remove SMS, phone call and email as primary authentication controls due to their vulnerability to phishing
- Enforce positive identity verification for help desk requests, including on-camera/in-person verification, ID verification, challenge/response questions, and out-of-band verification
- Restrict MFA registration and modification to trusted IP locations and compliant devices
- Monitor and alert on MFA registration events and suspicious activities, such as the same MFA device/phone number associated with multiple users
- Enforce multi-context criteria (like device and location attributes) as part of authentication transactions
- Avoid reliance on publicly available personal data for identity verification, as attackers may possess this information
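As an added illustration of the MFA monitoring and trusted-location controls above (example code written for this post, not from Google's guidance or any product), the detector below scans constructed MFA registration events for a phone number or device bound to several users and for enrolments from outside an assumed trusted IP allow-list; the event schema, field names and network ranges are assumptions.

```python
# Added example: flag two MFA enrolment signals from the recommendations above.
# The JSON-lines schema, field names and trusted ranges are assumed for illustration.
import ipaddress
import json
from collections import defaultdict

# Assumed trusted locations from which MFA registration/modification is permitted.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events (not real logs).
SAMPLE_EVENTS = """
{"ts":"2025-05-01T09:12:03Z","user":"alice","event":"mfa_register","factor":"+447700900123","ip":"10.1.4.20"}
{"ts":"2025-05-01T09:40:51Z","user":"bob","event":"mfa_register","factor":"+447700900123","ip":"10.1.4.21"}
{"ts":"2025-05-01T10:02:17Z","user":"carol","event":"mfa_register","factor":"device-8f3a","ip":"198.51.100.7"}
{"ts":"2025-05-01T10:05:00Z","user":"dave","event":"login","factor":"","ip":"198.51.100.7"}
{"ts":"2025-05-01T11:30:00Z","user":"erin","event":"mfa_modify","factor":"+447700900123","ip":"203.0.113.9"}
""".strip()

ENROLMENT_EVENTS = ("mfa_register", "mfa_modify")

def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def untrusted_registrations(events):
    """Enrolment/modification events whose source IP is outside the allow-list."""
    hits = []
    for e in events:
        if e["event"] not in ENROLMENT_EVENTS:
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in TRUSTED_NETWORKS):
            hits.append((e["user"], e["ip"]))
    return hits

def shared_factors(events):
    """Factors (phone numbers or devices) bound to more than one distinct user."""
    owners = defaultdict(set)
    for e in events:
        if e["event"] in ENROLMENT_EVENTS and e["factor"]:
            owners[e["factor"]].add(e["user"])
    return {f: sorted(users) for f, users in owners.items() if len(users) > 1}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("enrolments from untrusted IPs:", untrusted_registrations(evs))
    print("factors shared across users:", shared_factors(evs))
```

In the sample data, carol's enrolment from 198.51.100.7 is flagged as untrusted, and the phone number shared by alice, bob and erin is reported as bound to multiple users.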
Endpoint Security
- Deploy Endpoint Detection & Response (EDR) solutions to continuously monitor and analyse endpoint activities for signs of compromise. EDR tools can help detect and respond to threats in real time
- Ensure all software and systems are up to date with the latest security patches. Regular updates help close vulnerabilities that attackers might exploit
Application and Resource Protection
- Implement secure configurations for all applications and resources. Regularly review and update configurations to adhere to best practices and reduce exposure to threats
- Use application whitelisting to allow only approved applications to run on your systems. This can prevent the execution of malicious software
Network Infrastructure
- Segment your network to limit the spread of an attack. Isolating critical systems and data reduces the potential impact of a breach and makes it more challenging for attackers to move laterally within your network
- Adopt a Zero Trust approach to network security, where no entity, individual or system, is trusted by default. Continuously verify and authenticate all users and devices attempting to access network resources
Monitoring and Detection
- Implement advanced threat detection and response solutions to continuously monitor network activity for signs of compromise. Establish an incident response plan to quickly address and mitigate any detected threats
- Use behavioural analytics to identify unusual patterns of activity that may indicate a security incident. This can help detect threats that traditional signature-based methods might miss
Conclusion
These recent attacks serve as a reminder of the evolving threat landscape. By implementing the proactive hardening recommendations outlined above, businesses can significantly enhance their defences against sophisticated cyber threats. As a cybersecurity company, we are committed to supporting our clients in building robust security frameworks to protect their operations, customer data and revenue streams.
Ready to Get Started?
For more detailed guidance and support, please contact our team of experts who are ready to assist you in fortifying your cyber security posture. Whether you need help with implementing phishing-resistant login protection, deploying endpoint detection and response solutions, or adopting a Zero Trust architecture, we are here to provide tailored solutions to meet your specific needs.
Reach out to us today to ensure your business is protected against the latest cyber threats.