Common MITRE ATT&CK Techniques in 2025 UK Retailer Cyberattacks

May 6, 2025
Explore MITRE ATT&CK techniques used by Scattered Spider in major recent UK retailer cyberattacks and how to evaluate your own organization's defenses.
Garreth Jeremiah

The UK retail sector has faced a significant cybersecurity challenge in 2025, as a series of attacks disrupted major players including Marks & Spencer (M&S), Co-Op, and Harrods. Online reports attribute these attacks to, among others, Scattered Spider, a well-resourced intrusion group that leveraged a mix of social engineering and technical skill to gain access. Rather than exploiting new or unknown vulnerabilities, the attackers relied heavily on existing human and identity weaknesses to compromise their targets.

The team at Prelude Security took a deep dive into the methodologies commonly deployed, providing a detailed account of the techniques typically attributed to Scattered Spider and observed in the latest retailer attacks, categorized by the MITRE ATT&CK framework.

Relevant techniques identified in recent attacks

Initial access and social engineering

Scattered Spider’s entry tactics exploit human error through carefully crafted social engineering. Because the group relies on convincing, well-researched pretexts, many organizations will struggle to stop its attempts to gain a foothold. Prioritizing security awareness training, hardening help-desk identity verification for password and MFA resets, and reviewing the anti-phishing settings in your existing tools are all recommended.

Spearphishing Voice, or vishing (T1566.004): Posing as IT personnel, the attackers manipulated internal help desks and end users into granting access. Speaking in the target’s native language with a convincing local accent, they talked staff into resetting passwords or installing remote-access tools, giving the attackers direct access to corporate networks. Beyond voice-based social engineering, phishing over email and SMS (smishing), mapped to Spearphishing Link (T1566.002), has historically been part of the group’s playbook, though reporting on its use in the current campaigns is sparse.

Multi-Factor Authentication Request Generation, or MFA fatigue (T1621): Perhaps the most insidious method, MFA fatigue involves bombarding an employee whose password the attacker already holds with repeated MFA push notifications. Overwhelmed or confused, some employees approved a fraudulent login attempt, defeating the second factor.
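The signature of push bombing in sign-in telemetry is a run of denied or unanswered pushes for one user, from one source address, ending in an approval. The following detector is an added example written for this post, not Prelude’s own test code or any vendor’s rule; the sign-in records are constructed, and their field names (ts, user, ip, mfa) are an assumption for the example rather than a specific identity provider’s schema.

```python
"""Detect MFA push-bombing (ATT&CK T1621) in sign-in telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). The field names
# are assumptions for this example, not any vendor's log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T02:14:05Z", "user": "jsmith", "ip": "203.0.113.7",  "mfa": "denied"},
    {"ts": "2025-04-20T02:14:41Z", "user": "jsmith", "ip": "203.0.113.7",  "mfa": "timeout"},
    {"ts": "2025-04-20T02:15:12Z", "user": "jsmith", "ip": "203.0.113.7",  "mfa": "denied"},
    {"ts": "2025-04-20T02:15:50Z", "user": "jsmith", "ip": "203.0.113.7",  "mfa": "timeout"},
    {"ts": "2025-04-20T02:16:30Z", "user": "jsmith", "ip": "203.0.113.7",  "mfa": "approved"},
    {"ts": "2025-04-20T09:01:00Z", "user": "akhan",  "ip": "198.51.100.4", "mfa": "approved"},
    {"ts": "2025-04-20T09:30:00Z", "user": "akhan",  "ip": "198.51.100.4", "mfa": "denied"},
    {"ts": "2025-04-20T09:31:00Z", "user": "akhan",  "ip": "198.51.100.4", "mfa": "approved"},
]

FAILED_PUSH = {"denied", "timeout"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, window=timedelta(minutes=10), min_failed=3):
    """Flag an approval preceded by >= min_failed denied/unanswered pushes
    from the same source IP within `window`. One denied push followed by an
    approval is ordinary user behaviour and is deliberately not flagged."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["mfa"] != "approved":
                continue
            approved_at = parse_ts(ev["ts"])
            burst = [p for p in evs[:i]
                     if p["mfa"] in FAILED_PUSH
                     and p["ip"] == ev["ip"]
                     and approved_at - parse_ts(p["ts"]) <= window]
            if len(burst) >= min_failed:
                alerts.append({
                    "user": user, "ip": ev["ip"], "approved_at": ev["ts"],
                    "failed_pushes": len(burst), "burst_started": burst[0]["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print("ALERT push-bombing:", alert)
```

Tune `window` and `min_failed` to your own baseline; the point of keying on the source IP is that the approval that finally succeeds comes from the attacker’s session, so a burst from one address followed by an approval from that same address is the case worth paging on.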

Credential abuse and persistence

This phase entailed the reuse of stolen credentials to gain unauthorized access to critical systems and data. The attackers leveraged these credentials to move laterally within the network, identify high-value assets, and escalate privileges to strengthen their control. They often deployed tooling to maintain persistence, such as creating new user accounts or modifying existing authentication mechanisms, ensuring long-term access. These actions let the attackers evade immediate detection and carry out further malicious activity, such as exfiltrating sensitive data or implanting additional malware, all while blending in with legitimate network traffic.

Valid Accounts - Cloud Accounts (T1078.004): Scattered Spider leveraged initial credentials (obtained via phishing or help-desk deception) to access corporate cloud services and VPNs as authenticated users. The use of legitimate accounts helped the attackers blend in with normal activity and maintain persistence.

External Remote Services (T1133): Using the compromised credentials, the attackers entered enterprise networks through legitimate remote access channels such as VPN gateways and remote desktop services. In specific cases, Scattered Spider used the reset credentials to log in via the companies’ VPN or Citrix remote access portals. Because this access rides on “legitimate” external entry points, it persists without any malware, essentially living off the land through the victims’ own remote access infrastructure.

Remote Access Tools (T1219): Scattered Spider also made use of remote monitoring and management (RMM) tools to persist in the environment. Employees were tricked into installing legitimate remote control software (e.g., AnyDesk, Splashtop, or ConnectWise) under the guise of IT support. Misuse of these off-the-shelf tools gave the adversaries a stealthy backdoor (often registered as a service or startup program) that looked like normal IT activity.

Create Account (T1136): After initial access, Scattered Spider created new accounts and authentication mechanisms to establish persistence. For instance, they would register new user accounts or cloud roles with high privileges, or enroll their own devices for MFA on victim accounts. By creating backdoor accounts and adding themselves to privileged groups, the attackers ensured they could regain access even if the initially compromised credentials were reset once the breach was discovered.
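A backdoor account stands out when the events around it are correlated: who created it, and what groups it joined in the hours after. The following correlation over Windows Security log events (4720 for account creation, 4728/4732/4756 for a member added to a global, local or universal security group) is an added example for this post, not Prelude’s test code. The events are constructed, and the privileged-group list and the approved provisioning account are assumptions to tune for your environment.

```python
"""Correlate Windows Security events for backdoor account creation (T1136)."""
from datetime import datetime, timedelta

# Assumptions for this example: which groups count as privileged, and which
# identities normally provision accounts. Tune both per environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators"}
APPROVED_PROVISIONERS = {"svc-iam-provisioning"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group

# Constructed sample events using Security log field names (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2025-04-21T22:03:10Z",
     "SubjectUserName": "helpdesk01", "TargetUserName": "svc_backup2"},
    {"EventID": 4728, "TimeCreated": "2025-04-21T22:05:44Z",
     "SubjectUserName": "helpdesk01", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,OU=Service,DC=corp,DC=example"},
    {"EventID": 4720, "TimeCreated": "2025-04-22T09:00:00Z",
     "SubjectUserName": "svc-iam-provisioning", "TargetUserName": "newhire.jd"},
    {"EventID": 4728, "TimeCreated": "2025-04-22T09:00:05Z",
     "SubjectUserName": "svc-iam-provisioning", "TargetUserName": "VPN Users",
     "MemberName": "CN=newhire.jd,OU=Staff,DC=corp,DC=example"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def member_from_dn(dn):
    """MemberName in the 47xx events is a DN: 'CN=svc_backup2,OU=...' -> 'svc_backup2'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def correlate_new_accounts(events, window=timedelta(hours=24)):
    """For every account creation, report it if the creator is not an approved
    provisioner or the new account joins a privileged group within `window`."""
    creations = [e for e in events if e["EventID"] == 4720]
    group_adds = [e for e in events if e["EventID"] in GROUP_ADD_EVENTS]
    alerts = []
    for c in creations:
        created_at = parse_ts(c["TimeCreated"])
        reasons = []
        if c["SubjectUserName"] not in APPROVED_PROVISIONERS:
            reasons.append(f"created by non-provisioning account {c['SubjectUserName']}")
        for g in group_adds:
            if member_from_dn(g["MemberName"]) != c["TargetUserName"]:
                continue
            delta = (parse_ts(g["TimeCreated"]) - created_at).total_seconds()
            if not 0 <= delta <= window.total_seconds():
                continue
            if g["TargetUserName"] in PRIVILEGED_GROUPS:
                reasons.append(f"added to privileged group {g['TargetUserName']}")
        if reasons:
            alerts.append({"account": c["TargetUserName"],
                           "created_by": c["SubjectUserName"],
                           "created_at": c["TimeCreated"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate_new_accounts(SAMPLE_EVENTS):
        print("ALERT new account:", alert)
```

The same shape of rule applies to cloud identity logs (a new service principal or role assignment within minutes of an account being created); the only parts that change are the event names and the privileged-role list.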

Privilege escalation and evasion 

The next phase focused on increasing their privileges and evading the targeted organizations’ defenses. They used techniques such as credential dumping, token manipulation, and pass-the-hash attacks to move laterally within the network and elevate their privileges. These methods allowed them to access sensitive resources, exfiltrate data, and deploy additional malicious tools without raising immediate alarms.

Impair Defenses: Disable or Modify Security Tools (T1562.001): The attackers took active measures to evade detection by disabling security software and logging. Scattered Spider has been observed using a “Bring Your Own Vulnerable Driver” (BYOVD) technique: loading a legitimate but vulnerable kernel driver on victim machines and exploiting it to kill antivirus/EDR processes.

They also tampered with monitoring tools, turning off endpoint agents and altering logging settings to blind the security team. This allowed the attackers to operate freely (e.g. deploying ransomware) without interference from defensive controls.

The Prelude team has built tests for a number of these techniques, including T1562.001. These tests are available within the Prelude Detect console and are listed in Table 1 below.

OS Credential Dumping: NTDS (Active Directory Database) (T1003.003): Reporting on the M&S breach indicates that Scattered Spider obtained Active Directory password hashes by stealing the NTDS.dit file from a domain controller. This file contains the hashed credentials of every domain user; by extracting the hashes and cracking them offline, the attackers gained a trove of valid passwords for lateral movement.

Using the cracked credentials, they could impersonate many accounts (including admins) and freely spread through the Windows domain to further compromise servers and data.
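Because ntds.dit is locked while the directory service runs, an operator has to go through a shadow copy or the IFM export in ntdsutil to copy it, and also needs the SYSTEM hive to decrypt the hashes. Those steps leave distinct command lines. The following scan over process-creation records is an added example for this post, not Prelude’s T1003.003 test; the events are constructed (Sysmon Event ID 1 field names), and the host-level escalation threshold of two distinct stages is an assumption.

```python
"""Flag process-creation events consistent with NTDS.dit theft (T1003.003)."""
import re
from collections import defaultdict

# Each pattern is one stage of getting a usable copy of the locked ntds.dit.
# Seeing several stages on one host in a short period is far stronger than one.
NTDS_PATTERNS = [
    ("ntdsutil IFM export",
     re.compile(r"ntdsutil.*(\bifm\b|\bac\s+i\s+ntds\b|\bcreate\s+full\b)", re.I)),
    ("volume shadow copy created",
     re.compile(r"(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|\bdiskshadow(\.exe)?\b)", re.I)),
    ("ntds.dit read from shadow copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)),
    ("esentutl VSS copy of ntds.dit",
     re.compile(r"esentutl.*(/vss|/y).*ntds\.dit", re.I)),
    ("SYSTEM hive saved (boot key needed to decrypt ntds.dit)",
     re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SYSTEM", re.I)),
]

# Constructed sample process-creation records (Sysmon Event ID 1 field names; not real logs).
SAMPLE_EVENTS = [
    {"host": "DC01", "UtcTime": "2025-04-22 01:10:03", "User": "CORP\\helpdesk01",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "UtcTime": "2025-04-22 01:10:40", "User": "CORP\\helpdesk01",
     "CommandLine": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3"
                    "\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dit"},
    {"host": "DC01", "UtcTime": "2025-04-22 01:11:15", "User": "CORP\\helpdesk01",
     "CommandLine": "reg.exe save HKLM\\SYSTEM C:\\Temp\\sys.hiv"},
    {"host": "DC02", "UtcTime": "2025-04-22 08:00:00", "User": "CORP\\dcadmin",
     "CommandLine": 'ntdsutil.exe "metadata cleanup" q'},   # routine admin use, no match
    {"host": "WS17", "UtcTime": "2025-04-22 08:05:00", "User": "CORP\\jsmith",
     "CommandLine": "vssadmin.exe list shadows"},           # listing, not creating
]


def scan_ntds_activity(events):
    """Return (per-event matches, hosts showing >= 2 distinct stages)."""
    matches = []
    stages_by_host = defaultdict(set)
    for ev in events:
        for stage, pattern in NTDS_PATTERNS:
            if pattern.search(ev["CommandLine"]):
                matches.append({"host": ev["host"], "time": ev["UtcTime"],
                                "user": ev["User"], "stage": stage})
                stages_by_host[ev["host"]].add(stage)
    high_confidence = {h for h, stages in stages_by_host.items() if len(stages) >= 2}
    return matches, high_confidence


if __name__ == "__main__":
    found, hosts = scan_ntds_activity(SAMPLE_EVENTS)
    for m in found:
        print("match:", m)
    print("high-confidence hosts:", sorted(hosts))
```

Restrict the rule to domain controllers (or at least weight it far higher there); a shadow copy on a file server is routine, while a shadow copy followed by a read of the NTDS folder on a DC is not.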

Network Service Discovery and Cloud Infrastructure Discovery (T1046 / T1580): Once inside, the attackers performed extensive discovery of the environment, scanning networks and systems for targets, for example running port scans (with tools such as RustScan) to identify VMware ESXi servers and other critical infrastructure. In parallel, they enumerated cloud resources and identity directories (Azure AD/Entra ID, AWS) to find sensitive data stores or misconfigured services.

This internal reconnaissance helped Scattered Spider map out the environment (databases, file shares, backups, etc.) and plan their next steps for data theft and sabotage.
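Scanners such as RustScan are fast, which is exactly what makes them visible in flow data: one source touching many ports on one host, or one port across many hosts, in seconds. The following scan detector over flow records is an added example for this post, not Prelude’s T1046 test. The flows are constructed (the target ports include 902, which ESXi uses, but the list is illustrative), and the thresholds and 60-second window are assumptions to calibrate against your own network.

```python
"""Detect internal port scans and host sweeps (T1046) from flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic): one host probes many ports on
# a single server, then sweeps port 443 across a /24; a second host is normal.
SAMPLE_FLOWS = [
    *[{"ts": f"2025-04-22T02:00:{i:02d}Z", "src": "10.20.5.44", "dst": "10.20.9.10", "dport": p}
      for i, p in enumerate([22, 80, 443, 902, 5989, 8000, 8080, 8300, 9080, 9443])],
    *[{"ts": f"2025-04-22T02:01:{i:02d}Z", "src": "10.20.5.44", "dst": f"10.20.9.{h}", "dport": 443}
      for i, h in enumerate(range(11, 41))],
    {"ts": "2025-04-22T02:00:10Z", "src": "10.20.5.51", "dst": "10.20.1.5", "dport": 445},
    {"ts": "2025-04-22T02:00:12Z", "src": "10.20.5.51", "dst": "10.20.1.6", "dport": 443},
    {"ts": "2025-04-22T02:00:20Z", "src": "10.20.5.51", "dst": "10.20.1.5", "dport": 389},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_scans(flows, window=timedelta(seconds=60), port_threshold=8, host_threshold=20):
    """Vertical scan: >= port_threshold distinct ports on one host within `window`.
    Horizontal sweep: one port on >= host_threshold distinct hosts within `window`.
    Returns one alert per (source, kind, target) with the peak count seen."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src[f["src"]].append(f)
    alerts = {}

    def record(key, kind, target, count, first_seen):
        if key not in alerts:
            alerts[key] = {"src": key[0], "kind": kind, "target": target,
                           "count": count, "first_seen": first_seen}
        else:
            alerts[key]["count"] = max(alerts[key]["count"], count)

    for src, evs in by_src.items():
        for i, start in enumerate(evs):          # each event opens a window
            t0 = parse_ts(start["ts"])
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for e in evs[i:]:
                if parse_ts(e["ts"]) - t0 > window:
                    break
                ports_per_dst[e["dst"]].add(e["dport"])
                dsts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    record((src, "vertical", dst), "vertical port scan", dst, len(ports), start["ts"])
            for port, dsts in dsts_per_port.items():
                if len(dsts) >= host_threshold:
                    record((src, "horizontal", port), "horizontal host sweep", port, len(dsts), start["ts"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print("ALERT scan:", alert)
```

Vulnerability scanners and monitoring systems will trip this rule by design, so maintain an allowlist of their sources; a workstation or a help-desk jump host appearing in the output is the interesting case.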

Data exfiltration and impact 

The final steps of Scattered Spider’s attacks revealed their dual intentions of financial extortion and operational sabotage. 

Exfiltration to Cloud Storage (T1567.002): Before launching ransomware, Scattered Spider engaged in data theft for double extortion. They collected large volumes of sensitive data (customer records, business documents) and exported it to attacker-controlled cloud storage, in some cases uploading files to a file-sharing service such as MEGA, with a leak site held in reserve for publication. This was confirmed in Co-op’s case, where the company acknowledged that adversaries “were able to access and extract data,” including members’ personal information. By staging data in cloud buckets and exfiltrating it, the attackers gained leverage to threaten public release if the ransom was not paid.
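Exfiltration to a consumer file-sharing service looks like ordinary HTTPS on the wire, so the useful signal is volume: how many bytes one user pushed to such a service in a day. The following proxy-log aggregation is an added example for this post, not Prelude’s T1567.002 test. The log is a constructed CSV rather than any vendor’s format, and the watched-domain set and the 500 MiB daily threshold are assumptions; in practice the domain list would come from your proxy’s file-sharing category.

```python
"""Flag bulk uploads to personal cloud-storage services (T1567.002) in proxy logs."""
import csv
import io
from collections import defaultdict

# Assumption: domains treated as unsanctioned file-sharing services.
# Populate from your proxy's category feed; these are illustrative only.
WATCHED_DOMAINS = {"mega.nz", "mega.co.nz", "mega.io"}
BYTES_THRESHOLD = 500 * 1024 * 1024  # 500 MiB per user per day

# Constructed sample proxy log (CSV; not a real vendor format or real traffic).
SAMPLE_LOG = """\
timestamp,user,src_ip,dest_host,method,bytes_out
2025-04-21T03:02:11Z,jsmith,10.20.5.44,g.api.mega.co.nz,POST,943718400
2025-04-21T03:09:48Z,jsmith,10.20.5.44,g.api.mega.co.nz,POST,943718400
2025-04-21T03:17:02Z,jsmith,10.20.5.44,eu.api.mega.co.nz,POST,629145600
2025-04-21T10:15:00Z,akhan,10.20.5.51,mega.nz,POST,5242880
2025-04-21T11:00:00Z,rlee,10.20.5.60,sharepoint.corp.example,PUT,4294967296
"""


def matches_watched(host):
    """True if host equals, or is a subdomain of, a watched domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def detect_bulk_uploads(log_text, threshold=BYTES_THRESHOLD):
    """Sum request bodies (POST/PUT bytes_out) per user per day to watched
    domains and return the (day, user) pairs at or above `threshold`."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["method"] not in ("POST", "PUT") or not matches_watched(row["dest_host"]):
            continue
        key = (row["timestamp"][:10], row["user"])   # ISO date prefix = day
        totals[key] += int(row["bytes_out"])
        hosts[key].add(row["dest_host"])
    return [{"day": day, "user": user, "bytes_out": total, "hosts": sorted(hosts[(day, user)])}
            for (day, user), total in totals.items() if total >= threshold]


if __name__ == "__main__":
    for alert in detect_bulk_uploads(SAMPLE_LOG):
        print("ALERT bulk upload:", alert)
```

A fixed byte threshold is a blunt instrument; the next refinement is comparing each user’s daily total against their own trailing baseline, and timing matters too: the uploads above land at 3 a.m., which is the kind of detail an analyst should see in the alert.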

Data Encrypted for Impact (T1486): Finally, the attackers deployed ransomware (in this campaign, the “DragonForce” ransomware) to encrypt critical systems and disrupt operations. At M&S, the attackers simultaneously detonated the encryptor on servers and even VMware ESXi hosts, rendering virtual machines and services inaccessible. This caused widespread outages – M&S had to suspend online orders, and stores experienced payment system failures and stock shortages. The use of ransomware encryption amplified the impact of the breach, pressuring the victims to negotiate while crippling their business until systems could be restored.

Evaluate your defenses against Scattered Spider

The Prelude team provides an existing suite of tests to evaluate how your EDR observes, detects, or prevents certain behaviors mentioned in this post.

Table 1. Prelude VST tests covering techniques discussed in this post

T-Code       Technique                                            Prelude VST ID
T1219        Remote Access Tools                                  53fdd681-bd47-44dc-81bb-3736cb78b1bc
T1136        Create Account                                       d77be60b-a229-4e89-bfbf-04c5123eb4e2
T1562.001    Impair Defenses: Disable or Modify Security Tools    24fba28b-c632-4c82-b0fd-872e7eaf2ebc
T1003.003    OS Credential Dumping: NTDS                          f339ae3e-95f5-48ff-a706-179cbc92674a
T1046        Network Service Discovery                            d7aba28b-b4c9-47e6-8163-9408e7e443af
                                                                  8f05212a-ce9d-41b4-8990-129d214dc781
T1580        Cloud Infrastructure Discovery                       N/A
T1567.002    Exfiltration to Cloud Storage                        2bd2fdf2-07e7-4759-8f0d-ca35e64689c0
                                                                  8b009cdc-548f-4d5a-8bdd-fbe7b4849694
T1486        Data Encrypted for Impact                            881f9052-fb52-4daf-9ad2-0a7ad9615baf
                                                                  db201110-d875-4133-9709-2732a47f252f

What organizations can learn from this threat

Scattered Spider’s targeted campaigns showcase how even the most robust organizations remain vulnerable to sophisticated, multi-faceted attack strategies. The group’s reliance on stealing and abusing legitimate credentials highlights the critical need for organizations to prioritize human defenses in addition to tuning their defensive technology. 

Consider these high-level efforts to hone existing policies and practices against Scattered Spider and similar threat groups.

  • Enhance employee awareness: Conduct regular training to recognize and report spearphishing, smishing, and vishing attempts, and give the help desk a strict identity-verification procedure for password and MFA resets
  • Implement robust MFA policies: Prefer phishing-resistant methods (FIDO2 security keys or passkeys) and, where push-based MFA remains, enforce number matching to blunt MFA fatigue attacks
  • Monitor for anomalies: Employ detection tooling to surface unusual activity, such as bursts of MFA prompts, repeated login attempts, logins from new devices or locations, and newly created or newly privileged accounts
  • Limit privileged access: Enforce least-privilege access policies to reduce the damage potential of credential misuse
  • Endpoint security: Ensure EDR tools are capable of, and configured for, detecting BYOVD driver loads and tampering attempts in real time

Sources

The techniques and descriptions above are drawn from credible 2024–2025 threat intelligence analyses, incident reports, and news coverage of the retail attacks. Key references include the Protos Networks security bulletin on the UK retail hacks, detailed reporting by BleepingComputer and Reuters on the M&S and Co-op breaches, and MITRE ATT&CK’s profile of the Scattered Spider group, which aligns with the tactics observed in these incidents. Each ATT&CK ID listed corresponds to a technique that these sources explicitly note as used during the attacks.

  • UK National Cyber Security Centre (NCSC)
  • BleepingComputer
  • Protos Networks
  • Picus Security
  • Trustwave
  • The Week
  • Reuters
  • MITRE ATT&CK
  • CrowdStrike
  • Mandiant
