M&S

M&S, the UK retail giant, was severely impacted by a cyber campaign attributed to the financially motivated hacking group Scattered Spider (also tracked as 0ktapus and UNC3944). The attackers used compromised Active Directory accounts to take full control of VMware vSphere environments, steal sensitive data and deploy ransomware. Because the intrusion was carried out at the hypervisor layer with valid credentials and built-in tools, it bypassed traditional security controls and was invisible to security agents running inside the guest VMs. The attack compromised financial and personal data, disrupted business operations, and caused significant financial loss and reputational damage.

Source: https://hackread.com/scattered-spider-ransomware-hijack-vmware-systems-google/

TPRM report: https://scoringcyber.rankiteo.com/company/marks-and-spencer

"id": "mar903072925",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Retail',
                        'location': 'UK',
                        'name': 'M&S',
                        'type': 'Retail'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Harrods',
                        'type': 'Retail'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Co-op',
                        'type': 'Retail'}],
 'attack_vector': 'Phone-based social engineering, Compromised Active '
                  'Directory accounts, VMware vSphere environments',
 'data_breach': {'type_of_data_compromised': ['Sensitive data',
                                              'Active Directory database']},
 'date_detected': 'mid-2025',
 'description': 'A highly aggressive cyber campaign identified in mid-2025 by '
                'Google’s Threat Intelligence Group (GTIG), targeting major '
                'industries including retail, airlines, and insurance. The '
                'campaign is attributed to Scattered Spider, a financially '
                'motivated hacking group also known as 0ktapus and UNC3944.',
 'impact': {'data_compromised': ['Sensitive data', 'Active Directory database'],
            'systems_affected': ['VMware vSphere environments',
                                 'ESXi hosts',
                                 'VCSA']},
 'initial_access_broker': {'entry_point': 'Phone-based social engineering',
                           'high_value_targets': ['vSphere administrators',
                                                  'Powerful Active Directory '
                                                  'groups']},
 'lessons_learned': 'Proper training and a challenge process to validate the '
                    'caller is who they say they are can prevent social '
                    'engineering attacks. Using valid credentials and built-in '
                    'tools makes it difficult for security teams to discern if '
                    'they are compromised or not.',
 'motivation': 'Financial',
 'post_incident_analysis': {'root_causes': 'Weak identity verification '
                                           'procedures in IT help desks'},
 'ransomware': {'data_encryption': True, 'data_exfiltration': True},
 'recommendations': 'Organisations must protect their virtualised assets '
                    'through strong identity verification, VMware hardening, '
                    'backup integrity, and continuous monitoring.',
 'references': [{'date_accessed': 'mid-2025',
                 'source': 'Google’s Threat Intelligence Group (GTIG)'},
                {'source': 'Thomas Richards, Infrastructure Security Practice '
                           'Director at Black Duck'}],
 'response': {'enhanced_monitoring': ['Strong identity verification',
                                      'VMware hardening',
                                      'Backup integrity',
                                      'Continuous monitoring']},
 'threat_actor': 'Scattered Spider (0ktapus, UNC3944)',
 'title': 'Scattered Spider Cyber Campaign',
 'type': 'Ransomware, Data Theft',
 'vulnerability_exploited': 'Weak identity verification procedures in IT help '
                            'desks'}