How Scattered Spider Compromised Marks & Spencer’s Network: Key Findings And Lessons Learned


Marks & Spencer (M&S), a British multinational retailer, was targeted in a significant cyberattack attributed to the “Scattered Spider” group. The attack led to widespread disruption, particularly in M&S’s payment systems and online ordering platforms. The breach caused operational delays and led to temporary shutdowns at some of their warehouse locations. The company confirmed that it suffered a ransomware attack that encrypted several servers, significantly impacting its infrastructure.

Severity Level: High

HOW THE BREACH HAPPENED:

  1. Initial Access: The breach is believed to have begun as early as February 2025, when the attackers first gained access to M&S’s network. The attackers’ first step involved stealing password hashes from the NTDS.dit file, allowing them to impersonate users and escalate privileges. This aligns with Scattered Spider’s frequent use of credential-stealing techniques in its attacks.
  2. Lateral Movement: After gaining access to the initial system, the attackers were able to move laterally across the network, accessing more systems and increasing their foothold within the infrastructure.
  3. Social Engineering: Scattered Spider is known for using social engineering, such as MFA fatigue (targeting MFA systems to overload users with authentication prompts) and SIM swapping, which may have been part of the initial access phase.
  4. Phishing and Impersonation: The group’s reputation for impersonating IT staff to gain trust and execute attacks was likely utilized to bypass defenses and escalate privileges within M&S’s network.
  5. Ransomware Deployment: On April 24, 2025, the attackers deployed the DragonForce ransomware encryptor, targeting M&S’s VMware ESXi hosts and virtual machines, which resulted in the encryption of numerous servers and data loss. DragonForce ransomware was previously identified as being used by Scattered Spider in earlier attacks, and its use here demonstrates the group’s evolving tactics, including their collaboration with various ransomware operations.
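Two of the steps above (hash theft from NTDS.dit and MFA fatigue) leave distinct traces in telemetry. The following is an added example, not code from the advisory or from M&S, that runs two simple detections over constructed sample events: a Windows 4663 file-access audit record on the domain controller, and a burst of MFA push prompts to one user. Event field names, the account and process names, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real M&S telemetry): two 4663 object-access audits
# on ntds.dit, six push prompts to "jdoe" within 35 seconds, one prompt to "asmith".
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T09:00:05", "src": "win", "event_id": 4663,
     "object": r"C:\Windows\NTDS\ntds.dit", "process": r"C:\Windows\System32\lsass.exe",
     "account": "SYSTEM"},
    {"ts": "2025-02-10T09:02:41", "src": "win", "event_id": 4663,
     "object": r"C:\Windows\NTDS\ntds.dit", "process": r"C:\Users\jdoe\tool.exe",
     "account": "CORP\\jdoe"},
] + [
    {"ts": f"2025-02-10T22:15:{10 + 7 * i:02d}", "src": "mfa", "user": "jdoe",
     "result": "push_sent"} for i in range(6)
] + [
    {"ts": "2025-02-10T23:30:00", "src": "mfa", "user": "asmith", "result": "push_sent"},
]

def ntds_access_alerts(events):
    """Flag reads of ntds.dit by anything other than the LSASS service running as SYSTEM."""
    alerts = []
    for e in events:
        if e.get("event_id") != 4663:
            continue
        if not e["object"].lower().endswith("ntds.dit"):
            continue
        if e["process"].lower().endswith(r"\lsass.exe") and e["account"] == "SYSTEM":
            continue  # expected, legitimate access by the directory service itself
        alerts.append((e["ts"], e["account"], e["process"]))
    return alerts

def mfa_fatigue_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received >= threshold push prompts inside a sliding time window."""
    prompts = defaultdict(list)
    for e in events:
        if e.get("src") == "mfa" and e.get("result") == "push_sent":
            prompts[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for user, times in prompts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it spans <= `window`
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged
```

Auditing 4663 on ntds.dit requires a SACL on the file and object-access auditing enabled on the domain controllers; without that the first check has nothing to read.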

DATA STOLEN DURING THE BREACH:

  • According to the latest update on the M&S website, the following customer data may have been stolen during the breach: full name, email address, home address, phone number, date of birth, online order history, household information, Sparks Pay reference numbers, and “masked” payment card details.

LESSONS LEARNED:

  • Lack of Adequate Network Segmentation: The attackers’ ability to gain access to the NTDS.dit file and laterally spread within the network suggests a failure in adequately segmenting critical systems and sensitive data. This allowed attackers to escalate privileges and move across the network undetected.
  • Inadequate Credential Protection: The exposure of password hashes from the NTDS.dit file highlights a significant issue with the storage and management of credentials, potentially indicating weaknesses in password management or insufficient security measures, like multi-factor authentication (MFA), for critical systems.
  • Delayed Detection: The fact that the breach went undetected for several months indicates potential gaps in M&S’s threat detection capabilities and incident response protocols.

THREAT ACTOR PROFILE:

  • Threat actor: Scattered Spider (also known by several aliases, including UNC3944, Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra)
  • Target Sectors: Financial, Retail, Entertainment, Telecommunications, Cloud Storage Platforms, and Software Providers.
  • Target Regions: Global.
  • Notable Attacks: Twilio Breach (August 2022) and MGM Resorts Breach (September 2023).
  • 2025 Targets: They have continued to target high-profile organizations, including Nike, T-Mobile, Instacart, Louis Vuitton, Forbes, New York Digital Investment Group, Vodafone, and others.

Key Findings:

  • Advanced Phishing Kits: They have developed several phishing kits, updated over the years, such as:
      ◦ Phishing Kit #1: Used to impersonate Okta login pages, hosted on newly created domains that are rapidly taken down.
      ◦ Phishing Kit #2: A variation with simpler forms, often used in conjunction with other brand impersonations.
      ◦ Phishing Kit #3: Targets specific brands like Paxos, using advanced visual impersonation tactics.
      ◦ Phishing Kit #4: A minor revision of Kit #3, visually identical but with subtle code changes. Seen mostly in late 2024 and 2025, it mimics the targeted organization’s Okta dashboard.
      ◦ Phishing Kit #5: The newest version, seen in 2025, hosted on dynamic DNS subdomains with subtle changes to the phishing content. This kit continues to evolve and is harder to trace with traditional domain pattern tracking. Key feature: the use of dynamic DNS, which complicates detection and blocking.
  • A new version of Spectre RAT was discovered in early 2025, used by Scattered Spider to maintain persistent access on compromised systems.
  • They rely on services like BitLaunch, DigitalOcean, Vultr, and Linode to host their malicious infrastructure, often paying for these services with cryptocurrency.
  • Cloud storage platforms, such as Pure Storage and Snowflake, are often targeted by Scattered Spider, highlighting a focus on tech companies with valuable data.
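Because Kit #5 lives on dynamic DNS subdomains, tracking newly registered domains misses it; a defender can instead key on the dynamic DNS parent domain plus an Okta-style lure token in the subdomain. This is an added example, not code from the advisory or from Silent Push: the dynamic DNS suffix list, the lure tokens, the organisation name "example-corp" and the sample hostnames are all constructed.

```python
# Assumed, constructed list of dynamic DNS parent domains; a real deployment
# would load a curated feed rather than this handful.
DYNAMIC_DNS_SUFFIXES = {"duckdns.org", "ddns.net", "no-ip.org", "dynu.net"}

# Tokens the kits described above impersonate (Okta/SSO) plus a placeholder
# for the defending organisation's own name.
LURE_TOKENS = ("okta", "sso", "login", "example-corp")

def dynamic_dns_suffix(hostname):
    """Return the matching dynamic DNS parent domain, or None if the host is not on one."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DYNAMIC_DNS_SUFFIXES:
            return candidate
    return None

def classify_host(hostname):
    """('dyndns_lure', suffix) for an Okta-style lure on dynamic DNS,
    ('dyndns_only', suffix) for other dynamic DNS hosts, None otherwise."""
    suffix = dynamic_dns_suffix(hostname)
    if suffix is None:
        return None
    subdomain = hostname.lower()[: -len(suffix) - 1]  # strip ".<suffix>"
    if any(token in subdomain for token in LURE_TOKENS):
        return ("dyndns_lure", suffix)
    return ("dyndns_only", suffix)

# Constructed sample of hostnames as they might appear in proxy or DNS logs.
SAMPLE_HOSTS = [
    "example-corp-okta.duckdns.org",
    "sso-example-corp.ddns.net",
    "weather-cam.duckdns.org",
    "okta.com",
    "www.example-corp.com",
]

def triage(hosts):
    """Return only the hosts that should be escalated for review (lures first)."""
    results = {h: classify_host(h) for h in hosts}
    return sorted((h for h, r in results.items() if r and r[0] == "dyndns_lure"))
```

Hosts classified as "dyndns_only" are not malicious by themselves; the lure tokens are what separate a hobbyist webcam from a credential-harvesting page.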

Recommendations:

  1. It is critical to protect sensitive files like the NTDS.dit file. This includes using strong encryption and segmentation to prevent unauthorized access to critical systems.
  2. Enforcing MFA across all administrative accounts is crucial to prevent attackers from easily gaining access with stolen credentials.
  3. Ensure that critical infrastructure, such as servers running Active Directory and VMware ESXi hosts, is isolated from other parts of the network.
  4. Train employees on recognizing phishing attempts & MFA fatigue.
  5. Implement regular, secure backups of all critical data & systems. Ensure backups are isolated & not directly accessible from the network. Test backups regularly to ensure data integrity.
  6. Have a decryption plan in place for common ransomware strains & regularly update recovery protocols. Avoid paying ransom by maintaining a strong proactive defense & containment strategy.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/765c80c7af47c283289a6fc81ae591fc55531cd4e59536d5a3507d5204ff6a03/iocs

Sources:

  • https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
  • https://www.silentpush.com/blog/scattered-spider-2025/
  • https://www.bleepingcomputer.com/news/security/mands-says-customer-data-stolen-in-cyberattack-forces-password-resets/

Ampcus Cyber