{"id":12251,"date":"2025-07-16T16:35:25","date_gmt":"2025-07-16T15:35:25","guid":{"rendered":"https:\/\/mspglobal.com\/blog\/?p=12251"},"modified":"2025-08-26T11:10:38","modified_gmt":"2025-08-26T10:10:38","slug":"scattered-spider-m-s-attack-msp-advice","status":"publish","type":"post","link":"https:\/\/mspglobal.com\/blog\/scattered-spider-m-s-attack-msp-advice\/","title":{"rendered":"Scattered Spider, the M&S Hack, and How MSPs should respond"},"content":{"rendered":"\n

Scattered Spider, the cybercrime and ransomware hackers group, is making headlines again after four young people were arrested in the UK, and MSPs need to take notice.<\/p>\n\n\n\n

The arrests were made by police investigating the cyberattacks on large UK-based retailers Marks & Spencer (M&S) and Co-op. Those arrested were aged between 17 and 20, suggesting possible links to Scattered Spider, which is believed to be mostly made up of teenagers and young men<\/a> from Britain and the US.<\/p>\n\n\n\n

Scattered Spider is known to target IT helpdesks and mid-market companies, with <\/a>Infosecurity<\/a> magazine reporting:<\/p>\n\n\n\n

\u201cInvestigators collaborating with M&S disclosed that Scattered <\/a>Spider<\/a> leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate systems.\u201d<\/p>\n\n\n\n

This is both a threat and an opportunity for MSPs, MSSPs and anyone in IT consulting and outsourcing. Here’s what you need to know\u2014and what you should do about it.<\/p>\n\n\n\n

Who\u2014or what\u2014is Scattered Spider?<\/h2>\n\n\n\n

Scattered Spider is the name given to a loosely affiliated but highly skilled group of cybercriminals, known for sophisticated social engineering tactics and a preference for living-off-the-land (LOTL) techniques. <\/p>\n\n\n\n

Active since at least 2022, they have been linked to attacks on major corporations including Qantas and MGM Resorts, often bypassing traditional defenses not through malware, but through manipulation, such as social engineering.<\/p>\n\n\n\n

They\u2019ve been associated with the larger umbrella group ALPHV\/BlackCat, but increasingly appear to act independently.<\/p>\n\n\n\n

What happened at Marks & Spencer? And how does it fit Scattered Spider\u2019s profile?<\/h2>\n\n\n\n

In April 2025, UK retailer Marks & Spencer suffered a security breach, allegedly at the hands of Scattered Spider. The attack stopped all ecommerce for weeks, which has cost the business an estimated \u20ac345 million in lost sales.<\/p>\n\n\n\n

While full details remain under wraps, reports indicate that attackers gained access to internal systems via phishing and impersonation of IT staff, two trademarks of the group.<\/p>\n\n\n\n

In a statement, M&S said customer payment data was not affected\u2014but employee data may have been exposed. That aligns with the group’s tactics: steal employee identity data, move laterally, escalate privileges, then monetize via extortion or data sale.<\/p>\n\n\n\n

This wasn\u2019t a smash-and-grab ransomware incident. It was stealthy, patient, and heavily reliant on exploiting human trust and any weaknesses in identity controls.<\/p>\n\n\n\n

Why should MSPs care about Scattered Spider?<\/h2>\n\n\n\n

These attackers aren\u2019t coming through the back door anymore\u2014they\u2019re walking right past the front desk, clipboard in hand.<\/p>\n\n\n\n

Scattered Spider and groups like them are exploiting:<\/p>\n\n\n\n