Inside the Scattered Spider Retail Attacks—And What MSPs Must Do Now to Protect Clients

This article was written by Chris Henderson, chief information security officer at Huntress.

Retailers across the U.S., U.K., and Canada are facing a relentless new threat: Scattered Spider, one of today’s most aggressive and sophisticated cybercriminal groups. Known for high-profile takedowns like MGM Resorts and Caesars, the group is now hitting the retail sector with a mix of social engineering, SIM swapping, and cloud exploitation tactics.

The impact? Disrupted operations, stolen customer data, and widespread payment outages. As these attacks escalate, managed service providers have a critical role to play in helping retail clients stay ahead of evolving threats, especially around identity protection, cloud security, and third-party risk management.

Here’s how MSPs can help retail clients harden defenses, avoid business disruptions, and prepare for the next inevitable breach.

Scattered Spider’s Creative and Brazen Playbook

Scattered Spider first emerged in 2022, before conducting high-profile ransomware attacks on MGM Resorts and Caesars Entertainment in 2023.

Then earlier this spring, a wave of cyberattacks on retailers, first in the U.K. and then in the U.S., put the sector on high alert. The cyberattacks impacted Marks and Spencer, the Co-op, Harrods, and, later, United Natural Foods. The incidents led to data theft, widespread disruption for payment systems and online ordering, and, in some cases, the deployment of the DragonForce ransomware. (DragonForce is a malware strain that emerged in 2023 and operates under the ransomware-as-a-service (RaaS) model.)

The infamous Scattered Spider cybercriminal collective, known for its identity- and cloud-centric techniques, has been linked to some of these attacks. By July, the group had expanded its spree to disrupt operations across retailers, grocery chains, insurance providers, and airlines in the U.S., U.K., and Canada.

The group is particularly known for using SIM swapping and for targeting help desk personnel. In some incidents, Scattered Spider has posed as help desk staff in order to steal credentials from victims, direct them to run remote access tools, or convince them to share their one-time password. The group has also used social engineering to convince IT help desk workers to reset passwords or multifactor authentication (MFA) tokens.

After gaining initial access, Scattered Spider has used tools to collect data in cloud environments and created cloud instances for lateral movement. In some cases, Scattered Spider even joined incident response calls to figure out how security teams were hunting them and get around defenses. According to a CISA advisory, they achieved this by creating new identities within the compromised environment, allowing them to covertly access teleconferences and snoop on security teams’ strategies.

The Retail Sector: Specific Risks

The retail sector is lucrative for attackers like Scattered Spider because it faces several unique cybersecurity risks. Retailers process valuable customer data, which typically involves personally identifiable information and financial data, such as credit card information.

One major risk for retailers is that they work with a variety of vendors. That expands the potential threat surface for attackers. Threat actors are targeting retailers through their third-party partners, like suppliers, help desk personnel, and outsourced customer support teams. For example, Adidas said its recent breach was launched through a third-party customer service provider.

As the recent United Natural Foods and Co-op incidents have shown, the impacts of these attacks directly affect customers, leading to disruptions in orders and empty shelves. It’s important for retailers to proactively build up defenses and prepare incident response plans in case they’re targeted.

Best Practices For Retail Clients

MSPs should make sure their clients in the retail sector have the right identity, cloud, and third-party defenses in place to help prevent attacks. Since threat actors are increasingly targeting security gaps in third-party relationships, MSPs can assist retailers in continuously identifying, assessing, and mitigating these risks. In addition, MSPs should advise their retail clients to incorporate strong security requirements into their third-party vendor contracts, including strict access controls, regular testing, and security awareness training.

Improving Authentication

Retailers should enable MFA as a baseline security measure to protect against Scattered Spider attacks. However, previous incidents have shown that the group attempts to bypass existing authentication controls, like SMS-based two-factor authentication, through social engineering and SIM swapping. Therefore, MSPs should recommend the use of authenticator apps that involve number matching, passwordless authentication, or FIDO security keys.

Protecting Cloud Accounts

The threat group is also known for using cloud-based techniques. Businesses should configure administrative portals so that they can be accessed only by privileged identities, and follow the principle of least privilege for access to cloud resources. MSPs should also make sure that retailers have effective monitoring in place to detect account misuse, so that sign-in attempts showing suspicious activity or unusual behavior are flagged. Pay close attention to Domain Admin, Enterprise Admin, and Cloud Admin accounts to make sure access is legitimate.
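
An added example (not from the article or from Huntress) of the sign-in monitoring described above, which also covers the help desk reset scenario from earlier in the article: it flags privileged sign-ins from an IP address not previously seen for that user, and raises the severity when one follows a help desk password or MFA reset. The event schema, the 24-hour window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Roles the article says to watch closely.
PRIVILEGED_ROLES = {"Domain Admin", "Enterprise Admin", "Cloud Admin"}
RESET_TYPES = {"password_reset", "mfa_reset"}
WINDOW = timedelta(hours=24)  # assumed correlation window after a reset

# Constructed sample events. The field names are a hypothetical schema, not a
# vendor log format; IP addresses come from documentation ranges.
EVENTS = [
    {"ts": "2025-07-01T09:00:00", "type": "sign_in", "user": "alice", "ip": "198.51.100.10", "roles": ["Cloud Admin"]},
    {"ts": "2025-07-02T14:05:00", "type": "mfa_reset", "user": "alice", "actor": "helpdesk-07"},
    {"ts": "2025-07-02T14:20:00", "type": "sign_in", "user": "alice", "ip": "203.0.113.44", "roles": ["Cloud Admin"]},
    {"ts": "2025-07-02T15:00:00", "type": "password_reset", "user": "bob", "actor": "helpdesk-02"},
    {"ts": "2025-07-02T15:10:00", "type": "sign_in", "user": "bob", "ip": "203.0.113.80", "roles": ["Store Associate"]},
    {"ts": "2025-07-03T08:00:00", "type": "sign_in", "user": "carol", "ip": "198.51.100.20", "roles": ["Domain Admin"]},
    {"ts": "2025-07-03T08:30:00", "type": "sign_in", "user": "carol", "ip": "192.0.2.99", "roles": ["Domain Admin"]},
]

def flag_sign_ins(events):
    """Return alerts for privileged sign-ins from an IP not seen before for that user."""
    known_ips = {}   # user -> IPs already observed (the baseline)
    last_reset = {}  # user -> (time, actor) of the most recent help desk reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] in RESET_TYPES:
            last_reset[user] = (ts, ev["actor"])
            continue
        if ev["type"] != "sign_in":
            continue
        seen = known_ips.setdefault(user, set())
        # A user's first recorded sign-in only builds the baseline; it is not flagged.
        new_ip = bool(seen) and ev["ip"] not in seen
        seen.add(ev["ip"])
        if not (new_ip and PRIVILEGED_ROLES & set(ev["roles"])):
            continue
        reset = last_reset.get(user)
        after_reset = reset is not None and ts - reset[0] <= WINDOW
        alerts.append({"user": user, "ip": ev["ip"],
                       "severity": "high" if after_reset else "medium",
                       "reset_by": reset[1] if after_reset else None})
    return alerts
```

Recording which help desk account performed the reset gives responders a starting point for checking whether the reset request itself was legitimate.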

Setting Up Post-Compromise Defenses

Scattered Spider has proved to be exceptionally persistent and innovative. Therefore, MSPs should also work with their clients to set up defenses in the event of a breach. Here, endpoint detection and response (EDR) tools can help MSPs monitor, detect, and remediate threats on retailers’ endpoints as they happen. Finally, MSPs should work with retailers to develop comprehensive incident response plans, which outline who is in charge of what after an attack unfolds.

Defense for Retailers = Opportunity for MSPs

Scattered Spider continues to wreak havoc across the retail industry using aggressive and creative social engineering, initial access, and persistence strategies.

MSPs play a critical part in pinpointing supply-chain security and third-party risk management gaps. These weaknesses will be a big focus for retailers as they evaluate gaps in their security models—particularly as they are favorite areas for Scattered Spider to target.

As retailers face an onslaught of sophisticated cyber threats, MSPs are uniquely positioned to serve as strategic advisors and trusted security partners. This is a critical moment to lead clients toward stronger defenses, smarter risk management, and a state of true cyber readiness.

Author:

Chris Henderson

Chris Henderson is the chief information security officer at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in software quality assurance, business intelligence, and information security. Huntress.com
