Full Report
The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event." That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize major cyber events. "Given that one threat actor claimed responsibility for both M&S and
Analysis Summary
# Incident Report: Combined Retail Cyberattack by Scattered Spider
## Executive Summary
Cyberattacks targeting U.K. retailers Marks & Spencer (M&S) and Co-op in April 2025 were assessed by the Cyber Monitoring Centre (CMC) as a single, combined cyber event attributed to the threat actor Scattered Spider (UNC3944). The attackers used social engineering against IT help desks, and the resulting impact was described as "narrow and deep" across the two companies, with estimated damages ranging from $363 million to $592 million. The CMC categorized the event as a "Category 2 systemic event"; the assessment does not describe the containment and recovery steps taken by the victims.
## Incident Details
- **Discovery Date:** Not stated; the CMC assessment was published in June 2025, after the attacks.
- **Incident Date:** April 2025 (attacks occurred).
- **Affected Organization:** Marks & Spencer (M&S) and Co-op.
- **Sector:** Retail.
- **Geography:** United Kingdom (U.K.).
## Timeline of Events
### Initial Access
- **Date/Time:** April 2025 (Specific dates not provided).
- **Vector:** Social engineering tactics targeting IT help desks.
- **Details:** Attackers impersonated company IT personnel when contacting help desks in order to gain unauthorized access, a tactic consistent with Scattered Spider's English-speaking membership.
### Lateral Movement
- **Details:** Not explicitly detailed, but implied to have occurred given the depth of the systemic impact.
### Data Exfiltration/Impact
- **Details:** The impact was characterized as "narrow and deep" for the two primary companies, with "knock-on effects for suppliers, partners, and service providers." Financial damage is substantial (up to $592M).
### Detection & Response
- **How it was discovered:** Not stated for the victims; the classification of the two attacks as one event came from the CMC's assessment.
- **Response actions taken:** CMC categorized the incidents as a "single combined cyber event" and a "Category 2 systemic event."
## Attack Methodology
- **Initial Access:** Social engineering (impersonating IT staff to target help desks).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Implied via successful social engineering leading to access.
- **Discovery:** Not specified.
- **Lateral Movement:** Implied.
- **Collection:** Not specified.
- **Exfiltration:** Not explicitly stated; the assessment does not confirm data theft.
- **Impact:** Operational disruption to M&S and Co-op, leading to large financial losses.
## Impact Assessment
- **Financial:** Estimated impact between £270 million ($363 million) and £440 million ($592 million).
- **Data Breach:** Data types and volumes are not detailed; the scale of the financial impact suggests significant compromise, but the assessment does not confirm a data breach.
- **Operational:** Significant disruption to M&S and Co-op, with "knock-on effects" on partners and suppliers.
- **Reputational:** High-profile incidents involving major U.K. brands.
## Indicators of Compromise
- *(No specific network, file, or behavioral IOCs were provided in the summary text.)*
- **Note:** The shared TTPs point to behavioral indicators rather than technical ones: help desk contacts from callers claiming to be company IT staff and requesting access, which is the pattern defenders should log and review.
## Response Actions
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified.
- *(Primary response noted was the industry categorization by the CMC.)*
## Lessons Learned
- **Key takeaways:** Social engineering remains an extremely effective vector, particularly against established IT support structures.
- **What could have been done better:** Heightened vigilance against social engineering targeting help desks was needed across U.K. critical sectors, including retail.
## Recommendations
- **Prevention measures for similar incidents:** Organizations, including those in sectors such as insurance that were subsequently warned, should implement rigorous identity-verification procedures for help desk interactions to counter impersonation by actors like Scattered Spider.
- Implement advanced training for IT support staff focusing on sophisticated social engineering scenarios.