The recent UK retail cyberattacks that impacted Marks & Spencer and the Co-Op supermarket chain are only the tip of a very large iceberg that now threatens organizations on both sides of the Atlantic.
Although media reports have attributed the attacks to a group named “Scattered Spider,” the actual threat is far bigger. For a start, no criminal group actually calls itself “Scattered Spider”; it is a label coined by cybersecurity researchers. These attacks, and many others in the US and the UK, are now known to be the work of a vast, sprawling network of hackers, some as young as 14, spread across the US and the UK. They call themselves “the Community”, or “the Com” for short, and are essentially a large teenage subculture of criminal hackers.
The widespread availability of Ransomware-as-a-Service (RaaS) malware, supplied by groups such as BlackCat operating out of Russia, enables even youngsters with limited computer skills to deploy highly sophisticated malware with ease. If they have difficulty using the software, the cybercriminal gangs supplying it run 24-hour help desks that are eager to assist.
The real skillset possessed by American and British teenagers is that they speak English and are familiar with Western culture. This enables them to convincingly target individual employees within an organization while pretending to be from the in-house helpdesk. This type of scam is known as “social engineering”. The young hackers typically tell the staff member that their computer has been compromised and that their passwords and entry codes need to be reset. Even the most gullible employee would likely become suspicious of a caller with a heavy Russian accent or poor English grammar. But a friendly young American or English voice, sounding as if it could easily belong to a member of the company’s IT helpdesk, arouses far less suspicion.
Despite the simplicity of this type of cyberattack, it has already proven remarkably effective. In addition to the UK retail sector attacks, members of the Com are known to have hacked into companies including MGM, Microsoft, Nvidia, and Electronic Arts. The attack on MGM casinos in September 2023 shows how devastating a simple “social engineering” hack can be. The hacker used LinkedIn information to impersonate an employee and had the targeted staff member’s credentials reset in order to gain access to the system. After MGM refused to pay a $30 million ransom, the attack eventually resulted in a 36-hour outage, bringing gaming tables, slot machines, and even the lifts to a standstill. The attack is estimated to have cost MGM $100 million, plus a class-action lawsuit that was eventually settled for $45 million.
Law enforcement is powerless
While law enforcement agencies are working around the clock to bring the teenage hackers to justice, they are unable to stem the vast tide of youngsters hoping to gain cash and notoriety among their peers by executing increasingly audacious cyberattacks.
Over the past couple of years, some members of the Com have been convicted. For example, six Scattered Spider members were arrested in late 2024. But given that the Com is already believed to have thousands of members and that their numbers are growing, the chances of any single hacker being caught are so slim that these sporadic arrests do little to deter the majority of what is a rapidly growing subculture of very young, mostly male, criminals working from their bedrooms.
And while cybersecurity advisers recommend defense strategies such as “Zero Trust” and urge companies to educate staff about the dangers of unsolicited calls, there is no easy fix for this growing and pernicious threat. The only workable defense would be to accept the extra cost of a policy under which the organization’s helpdesk staff deal with employees only in person, and to instruct employees to ignore any phone call purporting to come from the helpdesk.