UK police looking at ‘range’ of potential perpetrators behind retail cyberattacks

Paul Foster, the head of the national cybercrime unit at Britain’s National Crime Agency (NCA), said the ongoing investigation into a spate of recent cyberattacks against the retail sector was considering “a range” of different perpetrators who could have been responsible.

Among these is an international threat group tracked as Scattered Spider, Foster acknowledged to BBC News, but he stressed the NCA was considering different hypotheses and was going to “follow the evidence to get to the offenders.”

The similarities between attacks previously attributed to Scattered Spider and a spate of incidents impacting British retailers Marks & Spencer, the Co-op and the London-based luxury store Harrods have prompted speculation that the loosely affiliated criminal subculture is involved. However, there has not yet been a confident assessment from professionals that this is the case.

These attacks have led to widespread concern and disruption, with shelves in numerous M&S and Co-op stores running empty due to those companies’ logistics systems either being directly impacted by the hackers or taken offline as a precautionary measure.

Google warned last week that while it suspected the attacks were “linked to UNC3944, also known as Scattered Spider,” it could not confirm whether they were part of the same criminal grouping.

Earlier this month the National Cyber Security Centre said it was “not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all.” The agency did not respond to an enquiry on Wednesday regarding whether that was still the case.

Read more: M&S says cyberattack will hit profits by £300 million, disruption to last until July

The broader Scattered Spider group is believed to be responsible for ransomware attacks two years ago on casino giants MGM Resorts and Caesars Entertainment, prompting a warning from U.S. cybersecurity officials about the criminals’ SIM-swapping and social engineering activities.

Last July, police in the United Kingdom arrested a teenager for his alleged role in the MGM attack. Five other alleged members, all U.S. citizens, were charged last November for their alleged involvement with the group.

The group appeared to have disbanded following those arrests, but it had caught widespread attention with several high-profile attacks, including on the networks of Coinbase, Twilio, Mailchimp, LastPass, Riot Games and Reddit.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
