Google has issued a new warning to US retailers. A cybercrime group behind recent high-profile attacks in the UK is now targeting American companies. The group, known as Scattered Spider or UNC3944, has a history of launching aggressive, fast-moving attacks using social engineering, SIM swapping, and ransomware.
John Hultquist, Chief Analyst at Google’s Threat Intelligence team, shared the alert on X, formerly Twitter. His message was clear: “Shields up US retailers. They’re here.”
According to Google’s Mandiant division, Scattered Spider often moves in waves. In late 2023, the group hit financial institutions. By May 2024, it had turned to food service companies. Now, it’s retail’s turn.
Mandiant published a blog post on May 7 describing the group’s tactics. These include fake help desk calls to reset passwords, ransomware deployment, and extortion. The warning followed a string of UK retail breaches involving companies like Co-op, Harrods, and Marks & Spencer (M&S). M&S has since confirmed that attackers stole customer data.
The group behind these attacks is believed to be working with DragonForce, a ransomware gang that recently claimed control of the RansomHub ransomware-as-a-service (RaaS) operation. Scattered Spider has reportedly partnered with RansomHub throughout 2024.
Although Google hasn’t directly linked Scattered Spider to the UK attacks, it believes the same threat actors are now targeting US retailers. The goal is to steal sensitive data and pressure companies into paying ransoms.
“These actors move fast and think creatively,” Hultquist said. “They know how to trick people and use third-party access points to break into networks. Even mature security systems aren’t stopping them.”
Retailers are especially vulnerable. They store vast amounts of personal and financial data. And if systems that handle payments go down, companies often feel forced to pay up to avoid losing business.
Mandiant CTO Charles Carmakal confirmed that fewer than 10 US retailers have already been attacked. Some of them took systems offline to limit damage—though doing so also disrupted their operations.
“This group targets retailers by calling support desks and asking for password resets,” Carmakal explained. “They’re fast and clever. It’s tough for defenders to keep pace.”
Mandiant has shared a hardening guide based on its research. It offers detailed steps to help companies prevent or respond to these attacks. Both Google and Mandiant urge retailers to act now.
“The pattern is clear. Retailers are being targeted again,” Hultquist added. “Other companies still have time to prepare—but the window is closing.”