Scattered Spider Behind M&S and Co-op Cyberattacks, With Up to $592 Million in Damages


The April 2025 cyberattacks targeting British retailers Marks & Spencer and Co-op have been categorized as a "single combined cyber event."

This is according to an assessment by the Cyber Monitoring Centre (CMC), an independent UK-based nonprofit organization set up by the insurance industry to classify major cyber events.

“Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques and procedures (TTPs), the CMC evaluated the incident as a single cyber event,” CMC said.

The organization has classified the disruption to the retailers as a "Category 2 systemic event." The security breaches are estimated to have a total financial impact of £270 million ($363 million) to £440 million ($592 million).

However, the cyberattack on Harrods is not included at this stage, with the CMC citing the lack of adequate information on its cause and impact.

The initial access vector employed in the attacks targeting Marks & Spencer and Co-op revolves around the use of social engineering tactics, specifically targeting IT help desks.

The CMC further noted that its attribution efforts were still underway. That said, the infamous cybercriminal group known as Scattered Spider (aka UNC3944) is thought to be behind the intrusions.

An offshoot of the larger cybercrime community known as The Com, the group has a proven track record of leveraging its English-speaking members to carry out sophisticated social engineering attacks that target members of a company's IT department to gain unauthorized access.

“The impact from this event will be ‘narrow and deep,’ meaningful to the two companies, and will have a knock-on effect on suppliers, partners and service providers,” CMC said.

Earlier this week, Google Threat Intelligence Group (GTIG) revealed that Scattered Spider actors have begun targeting major US insurance companies.


“Given this actor’s history of focusing on a sector at a time, the insurance industry must be on high alert, especially for social engineering schemes targeting their help desks and call centers,” said John Hultquist, GTIG’s chief analyst.

“While the expected threat from Iran’s cyber capabilities to US organizations has been the focus of many discussions recently, these actors have already targeted critical infrastructure. We expect more notable events in the near future as they move from sector to sector.”

The development comes as Indian consulting giant Tata Consultancy Services (TCS) revealed that its systems or users were not compromised as part of the attack on Marks & Spencer. Last month, the Financial Times reported that TCS was internally investigating whether its systems were being used as a launchpad for the attack.

It also follows a new strategy from the Qilin ransomware operation, which involves offering legal assistance to increase pressure during ransom negotiations. The threat actors also claim they have an in-house team of journalists who can work with the legal department to create blog posts and help during negotiations with victims.
