Member Notice: Cybersecurity Threat Actor Scattered Spider Attacks Retail Sector
June 23, 2025

UNC3944 Threat Overview
- UNC3944, also known as Scattered Spider, is a financially motivated threat actor.
- Initially targeted telecommunications for SIM swap operations, it now focuses on ransomware and data theft.
- Targeted sectors include financial services and food services, with a resurgence in RETAIL targeting in the US and UK.
Based on recent public reporting and Mandiant internal investigations, Google Threat Intelligence Group (GTIG) has observed a resurgence of UNC3944 with targeting of retailers in the US and UK among other targets. While these activities have been predominantly focused on the US and UK, UNC3944 has a history of targeting Canadian organizations, indicating that retailer entities in Canada remain at risk. It is plausible that threat actors including UNC3944 view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data.
This Advisory, provided with the assistance of Mandiant, gives an overview of the methodologies and tools used by UNC3944 along with a link to the RCC/Mandiant recommendations to defend against this threat actor as well as links to Canadian government resources and contact information.
Known Retail Sector Breaches by Scattered Spider
| Company | Country | Date | Impact |
|---|---|---|---|
| MGM Resorts | U.S. | Sep 2023 | Entire IT systems offline; estimated loss: $100M+ |
| Caesars Entertainment | U.S. | Sep 2023 | Paid ~$15M ransom; customer loyalty data exfiltrated |
| Marks & Spencer (M&S) | UK | Apr 2025 | Systems disabled, ~9.4M customer records affected, £300M in losses |
| Co-op Group | UK | Apr 2025 | IT and logistics operations disrupted; attribution to Scattered Spider |
| Harrods | UK | Apr 2025 | In-store and online operations impaired |
Note: While no confirmed Canadian retail breaches have been attributed to Scattered Spider yet, the threat actor’s techniques and targeting patterns strongly suggest Canadian retailers are viable future targets.
Threat Assessment: How Big is the Risk?
- High Capability: Use of legitimate tools (Living off the Land tactics), identity platform exploits (Okta, Active Directory).
- Persistent Access: Known for maintaining deep access across networks undetected for weeks.
- Ransomware Deployment: Use of ALPHV/BlackCat and newer variants like DragonForce has crippled major organizations.
- Cross-Sector Targeting: While focusing on hospitality and retail, they have also breached telecommunications and financial entities.
Severity: High
Likelihood of Future Attacks on Canadian Retailers: Very Likely (based on tactics, regional expansion, and sector focus)
How Retailers can Combat UNC3944
Please view this guidance document for recommendations
- Identity and Access Management (IAM)
  - Strengthening Authentication
  - Hardening Privileged Access
  - Limiting Lateral Movement
- Endpoint Security
  - Reviewing authentication logs
  - Confirming that your company's Endpoint Detection and Response (EDR) agent is installed and actively running
  - More
- Network Security
  - Restricting outbound communications from all servers
  - Blocking outbound traffic to malicious domains
  - Enforcing strong authentication and more
- Monitoring and Detection
  - Sweeping for documents and spreadsheets that may contain shared credentials
  - Implementing controls to identify events related to suspicious registration or addition of new MFA devices or methods, such as the same MFA device/method/phone number being associated with multiple users
  - More
- Social Engineering Awareness
  - Training help desk staff and all employees to recognize and report any suspicious activity or attempt
- Links to key resources for members
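As an added illustration of the MFA enrollment check listed under Monitoring and Detection (this is not code from the advisory, RCC or Mandiant), the following Python flags any phone number or device identifier that has been enrolled as an MFA factor by more than one user. The JSON-lines field names and the `mfa.factor.enroll` event name are assumed for the constructed sample and do not reflect any particular identity provider's log schema.

```python
import json
from collections import defaultdict

# Constructed sample MFA enrollment events (JSON lines); not real telemetry.
# Three different users enroll the same SMS number; one user re-enrolls the same push device.
SAMPLE_EVENTS = """
{"ts":"2025-06-20T13:01:11Z","event":"mfa.factor.enroll","user":"alice@example.com","factor":"sms","identifier":"+15550100001"}
{"ts":"2025-06-20T13:04:52Z","event":"mfa.factor.enroll","user":"bob@example.com","factor":"push","identifier":"device-7f3a"}
{"ts":"2025-06-20T13:09:30Z","event":"mfa.factor.enroll","user":"carol@example.com","factor":"sms","identifier":"+15550100001"}
{"ts":"2025-06-20T13:12:07Z","event":"mfa.factor.enroll","user":"dave@example.com","factor":"sms","identifier":"+15550100001"}
{"ts":"2025-06-20T13:15:44Z","event":"user.session.start","user":"erin@example.com","factor":"","identifier":""}
{"ts":"2025-06-20T13:20:19Z","event":"mfa.factor.enroll","user":"bob@example.com","factor":"push","identifier":"device-7f3a"}
"""


def parse_events(text):
    """Parse JSON-lines events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole sweep
    return events


def find_shared_mfa_identifiers(events, threshold=2):
    """Return {(factor, identifier): sorted users} for every MFA device or phone
    number enrolled by at least `threshold` distinct users (assumed field names)."""
    users_by_identifier = defaultdict(set)
    for ev in events:
        if ev.get("event") != "mfa.factor.enroll":
            continue
        ident = ev.get("identifier")
        if not ident:
            continue
        users_by_identifier[(ev.get("factor"), ident)].add(ev["user"])
    return {key: sorted(users) for key, users in users_by_identifier.items()
            if len(users) >= threshold}


if __name__ == "__main__":
    hits = find_shared_mfa_identifiers(parse_events(SAMPLE_EVENTS))
    for (factor, ident), users in hits.items():
        print(f"ALERT: {factor} identifier {ident} enrolled by {len(users)} users: {', '.join(users)}")
```

A single user re-enrolling the same device is not flagged; only identifiers spanning multiple accounts are, which is the pattern the recommendation describes.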
Final Notes for Canadian Retailers
- The retail sector is a growing target for highly skilled threat actors like Scattered Spider.
- Canadian businesses should treat this as a “when, not if” scenario.
- Coordinated preparation with both internal teams and external government partners is critical to resilience.
Watch for more details on upcoming RCC information sessions. Special thanks to Mandiant for assisting in the preparation of the backgrounder and recommendations.
For more information, contact: