The U.K. Cyber Monitoring Centre (CMC) has officially classified the April 2025 cyber attacks that disrupted major retailers Marks & Spencer (M&S) and Co-op as a “single combined cyber event.” This designation, the first of its kind by the independent, non-profit body, underscores the sophisticated nature of the breaches and their significant financial repercussions, estimated to range between £270 million ($363 million) and £440 million ($592 million). This classification signifies a heightened concern for systemic risks within the retail sector.
The CMC, established by the insurance industry to categorize major cyber incidents, based its decision on the fact that a single threat actor claimed responsibility for both attacks. The close timing of the intrusions and the observed similarities in their tactics, techniques, and procedures (TTPs) further solidified the assessment. This event has been categorized as a “Category 2 systemic event,” indicating a widespread impact on a critical sector.
Assessing the Impact of the M&S and Co-op Cyber Event
The initial points of access for the attacks against M&S and Co-op were identified as social engineering tactics, with threat actors specifically targeting IT help desks. This allowed them to gain unauthorized access to sensitive systems. While attribution efforts are ongoing, the notorious cybercrime group Scattered Spider, also known as UNC3944, is widely believed to be behind these intrusions.
Scattered Spider is an offshoot of a larger cybercrime collective known as The Com. The group is known for its proficiency in advanced social engineering attacks, often leveraging its English-speaking members to impersonate IT personnel within target organizations to achieve their objectives. The CMC noted that the impact of this particular event is characterized as “narrow and deep,” causing significant disruption for the two affected retail giants and creating ripple effects for their respective supply chains, partners, and service providers.
In contrast to the M&S and Co-op attacks, the cyber intrusion targeting Harrods around the same period has not yet been included in this combined assessment. The CMC cited a lack of sufficient information regarding the cause and specific impact of the Harrods incident. The ongoing assessment highlights the challenges in definitively linking and categorizing cyber events without complete data.
Broader Implications and Related Threats
The recent revelations regarding Scattered Spider’s activities extend beyond the U.K. retail sector. Google Threat Intelligence Group (GTIG) recently reported that Scattered Spider actors have begun targeting major insurance companies in the United States. This suggests a strategic shift in their focus, prompting heightened vigilance within the insurance industry.
John Hultquist, Chief Analyst at GTIG, advised the insurance sector to be particularly wary of social engineering schemes targeting their help desks and call centers. He noted that while discussions often focus on nation-state threats, actors like Scattered Spider are already impacting critical infrastructure. GTIG anticipates a rise in high-profile incidents as these threat groups transition between sectors.
Meanwhile, concerns about the attack’s origin have surfaced. Tata Consultancy Services (TCS), an Indian consulting giant, has disclosed that its systems or users were not compromised as part of the attack against Marks & Spencer. This comes in the wake of reports from the Financial Times investigating whether TCS systems were used as a launchpad for the attack. The company is reportedly conducting internal probes into the matter.
Furthermore, the Qilin ransomware operation has adopted a new strategy aimed at increasing pressure during ransom negotiations. This includes offering legal assistance to victims and reportedly employs an in-house team of journalists. These journalists are said to collaborate with the legal department to craft blog posts and aid in negotiations with victims, adding another layer of complexity to post-breach demands.
Looking ahead, the ongoing attribution efforts for the M&S and Co-op attacks will be closely watched, particularly concerning the definitive link to Scattered Spider. The U.K. government and critical infrastructure operators will likely be reviewing their defense strategies in light of this combined cyber event and the evolving threat landscape, especially concerning social engineering tactics.