As reported by Google, members of the UK-based spider-hacking community are actively “promoting” cyberattacks amid the increasing disruption faced by UK retailers in the US market.

A hacker collective known as the “scattered spiders” has been connected to attacks on British retailers such as Marks & Spencer, Co-op, and Harrods. Google Cybersecurity experts have now warned that unidentified retailers in the Atlantic region are also under threat.

Charles Carmakal, the chief technology officer for Google’s Mandiant Cybersecurity division, noted that the threat has shifted to the US, following a pattern commonly observed with scattered spider attackers.

“They focus on a specific industrial sector and geographic location for a short period, before moving on to a new target,” he explained. “Currently, their attention is on retail organizations. They began in the UK and have now extended their focus to firms in the US.”

When asked about the involvement of British members in the M&S hacking, he stated, “While I can’t name specific victims, it’s clear that UK-based scattered spider members are promoting and facilitating these incursions.”

On Friday, it was disclosed that M&S alerted employees that some personal data may have been compromised during a cyber attack last month. Sources informed the Daily Telegraph that staff members were notified that their email addresses and full names were potentially exposed in the breach.

Earlier this week, M&S reported that hackers had accessed personal information of thousands of customers.

In light of these attacks on UK retailers, cybersecurity agencies have urged businesses to remain vigilant and aware of specific tactics employed by scattered spiders.

In an advisory notice, the National Cyber Security Center recommended businesses to leverage IT support to assist staff in resetting their passwords. One tactic associated with scattered spiders—named for a set of hacking tactics rather than a unified group—involves calling help desks to gain access to corporate systems while impersonating an employee or contractor.

“We have observed instances where they call the help desk, masquerade as employees, and convince the staff to reset their passwords,” Carmakal explained.

Carmakal also noted that these calls to help desks are sometimes made by younger members of the scattered spider network.

“It’s not always the threat actor themselves making the call… some tasks are outsourced to other community members, often younger individuals looking to earn some quick money through various schemes and inconsistencies,” he shared.

Scattered spiders primarily consist of native English speakers from the UK, US, and Canada, which sets them apart from other ransomware groups. Karmakal mentioned that he has received reports of “numerous calls” made by scattered spider hackers to corporate employees.

Ransomware gangs typically infiltrate target computer systems with malware that effectively locks users out of their internal files. These groups usually originate from Russia or former Soviet states.

Carmakal’s remarks coincided with French luxury brand Dior disclosing that “fraudulent external parties” had accessed some customer data. The Paris-based brand has yet to clarify the nature or extent of the attacker’s incursions.

This week, Google’s cybersecurity team affirmed that scattered spiders have shifted their focus to US retailers.

“We are dedicated to offering a variety of services to our customers,” stated John Hultquist, chief analyst at Google Threat Intelligence Group. “The group that originally targeted retail in the UK, after a significant hiatus, has a track record of concentrating on one sector at a time, and we anticipate they will continue to prioritize this sector in the near future. US retailers should exercise caution.”