Mark Tibbs, Partner
Mishcon de Reya
Hello folks. We’re just waiting for a few of the attendees to join us and then we’ll get started. Thanks for joining us today. See a few names in there that I recognise already. I’ll just give it a couple of minutes to get everyone into the webinar and then we’ll get started.
Right, I’m going to, I’m going to kick off. So, thanks, thanks everyone for joining us today. Welcome to the latest Digital Session, this is a series of sessions that we’ve been running and this time we’re focussing on a series of high profile cyberattacks against well known high street brands – I’m sure you’re all familiar with the news coverage – and the significant impact those had on the victims. They’ve, the incidents have been linked to a threat group known as ‘Scattered Spider’ amongst other names, but today we’re going to talk with our panel around who they are and what techniques they use and how you defend against them.
If you want to, just a bit of housekeeping, if you want to get in contact with any of the speakers directly, please click on the ‘Resources’ tab down below and you’ll be taken to their bios and their contact details and there will be a recording of the session for anyone who signed up so, so please, and if, if you’re wanting to ask questions, please use the Q&A function at the bottom to submit these. So let’s get kicked off.
So, in today’s session we’ll be looking at this, this group called Scattered Spider; they are an audacious group, known for its tactics and high profile intrusions. In 2023 the group gained attention for major cyberattacks against MGM Resorts and Caesars Entertainment and then more recently, at least two, if not more, retailers have been suspected of falling victim to the group, causing data loss, operational disruption, financial costs and so on.
So, thanks for joining us, I look forward to an engaging and informative session. My name’s Mark Tibbs, I’m a Partner here at the Cyber Risk and Complex Investigations team at Mishcon de Reya and we have our panel joined to us today, joining us today. Our guest speaker is Keith Mularski, an old friend of mine from law enforcement days and Keith was a special agent at the FBI, where he worked closely with private industry, law enforcement and academia for twenty years, I think it was, Keith. And famously, Keith worked undercover to infiltrate international underground criminal organisations so if you want to read up more about that, you can read Misha Glenny’s book, ‘Dark Market’, to find out about that but they were, yeah, pretty audacious again, operations by Keith. But anyway, let’s get stuck into the first question. So, the landscape of cybercrime, it’s, I, I think it’s changed by both technology but also the way that cyberc… cybercriminals operate so there’s a sort of social aspect to it, so what I want to explore in this first question is like how did we get to this point and you know, when you look at the bigger picture of cybercrime in 2025, what are the overarching trends that give rise to groups like Scattered Spider? I mean, should we be surprised, Keith?
Keith Mularski
No, not at all. I mean, you know, I think, you know, a lot of times people think of cybercriminals, you know you always have that stereotypical picture of, you know, a guy in a hoodie, you know, down in a basement, but really cybercrime is organised crime and we’ve really seen that evolve over the last twenty years, you know, twenty years ago maybe you know cybercriminals were focussing on just credit cards, you know maybe buying some things online with CVVs and things like that but we’ve really seen over the last fifteen years, really the emergence of really organised cybercriminal groups, you know, where, where they are, you know, opening up LLCs to launder their money, Money Group, you know, had a film company in Russia that they would launder their money through, there’s another group called the ‘Evil Corp’ which has been sanctioned, you know, they own, they own restaurants and they kind of viewed themselves as kind of like a, you know, the Italian Mafia from like The Godfather and things like that, you know, and, and they moved now, really moved from you know that credit cards to banking trojans really to ransomware because you know there’s just so much money in, in that ransomware space so, you know, we, you know, with ransomware there was, there was a famous bank robber back in the 1950s in the United States where they asked him, “Well why do you rob banks?” and he said, “Well because that’s where the money is” and really in ransomware that’s where the money is right now. So, traditionally, we thought of these ransomware groups mostly being Russian speaking but now with the Scattered Spider, what’s really unique about them is that they are English speaking and they are partnering now with these Russian ransomware groups to really you know bring a new, different type of attack that, you know, that obviously we’ll be diving into but, but we’ve really just kind of seen that landscape change really, you know, the last ten years.
Mark Tibbs, Partner
Mishcon de Reya
So, good point for me to introduce the other panellists actually, which I forgot to do. So, Joe, Joe Hancock. Do you want to introduce yourself? And Francisco, do you want to introduce yourself and then maybe you can have a, a few thoughts about that question as well.
Joe Hancock, Partner
Mishcon de Reya
Yes, so, Joe Hancock, I’m the Head of the practice here, the Cyber Risk and Complex Investigations practice, Cyber security and IR work. Francisco, do you want to go next?
Francisco Sanches, Director
Mishcon de Reya
Cyber Risk Director within the same team. I’m responsible for incident response, digital forensics and overall cybersecurity support for our clients.
Mark Tibbs, Partner
Mishcon de Reya
Thanks. Guys, do you have any thoughts about that?
Francisco Sanches, Director
Mishcon de Reya
Sure, so you’re asking about what other action…?
Mark Tibbs, Partner
Mishcon de Reya
Yeah, how did we get here, like what is it that’s brought us to this point where Scattered Spider can operate.
Francisco Sanches, Director
Mishcon de Reya
Yeah, very briefly I would highlight probably three key trends. One of them as Keith was saying is the profitisation of cybercrime so, threat groups like Scattered Spider are operating more like businesses than underground gangs, we’re seeing structures and roles, affiliate programmes, even customer services if you need to contact them. They use initial access broker, brokers, provide tools as a service, and outsource part of the operations so this makes them, their campaigns much easier to launch and much harder to attribute. A second one is exploitation of identity and social engineering so they are known to target identity rather than infrastructure so they bypass the traditional perimeter defences by going straight for user credentials, phishing being of course the key one of them. Last but not least, it’s the effect of globalisation, the global access to sophisticated tools like AI and such making powerful tools easily available to all of them so, I tend, when we talk about groups like Scattered Spider, we’re not just looking at a single trajectory, we’re seeing the outcome of a much broader shift I think, like cybercrime as a scalable, globalised and increasingly human-targeted business model.
Joe Hancock, Partner
Mishcon de Reya
Yep. Can I just say, the thing I always kind of think about this is that we’re, we’re kind of, and it’s the key like kind of bank robbers from the 1950s, right, you know we have this idea that these groups have come out of nowhere and we’re really surprised that they’re actually really good at what they do and you know when we’ve had highly organised, very professional and very good at what they do criminals for you know over a hundred years and I mean longer than that, right and it’s, I think sometimes we’re surprised because actually we seem to have this idea that if you’re a criminal, you can’t be very good at what you do and you, you know, you must be slightly amateur and it’s, it’s not, it’s a kind of profession that some people, you know, choose to be and for a variety of reasons and actually, you know, they have some advantages over us. You do have to put a business case together to invest in new technology, you can try good stuff whenever you want to do it and also frankly, you only have to be sometimes lucky once, whereas a defender has to be lucky all the time so, in some ways they’re kind of, you know, the deck is sometimes stacked towards the attackers, you know, and I always say that they’re doing kind of old crimes in, in new ways and are very good at it.
Mark Tibbs, Partner
Mishcon de Reya
Yeah, I agree with all those points, it’s like the, the, globalisation, professionalisation, lowering of barriers to entry, all those kind of things that have brought us here and it’s not, it shouldn’t be a surprise I don’t think to anyone after twenty, thirty years of, of the professionalisation of cybercrime communities which sort of underpin all this kind of work. They are slightly different I’d say than, than really highly professionalised elite groups, although they’ve had such a disproportionate impact obviously, but I’m going to ask the next question Francisco to you about how Scattered Spider operates so, as you said, you know cybercrime often mirrors legitimate businesses, specialist teams do one job, client relationship management etc, but what do we know about Scattered Spider and how they organise themselves and what does this, yeah, and also, sort of relatedly, what do we know about their core methods of attack?
Francisco Sanches, Director
Mishcon de Reya
Sure, so, as the name implies, they operate more like a loose network than a traditional gang and that tells us a lot about how they attack. One of the things, they are decentralised but coordinated, they’re often made up of young English speaking individuals who collaborate through forums and encrypted channels. There’s no strong evidence of a rigid hierarchy, just like shared goals and playbooks and this agility really helps them to move fast and adapt quickly and avoid detection. They, their signature method is exploiting humans, not systems, and then once inside they often exploit remote access tools or any environment and that leads me to the third point, is that they use a lot of living-off-the-land techniques so that means instead of deploying hacking tools that could be more quickly detected, they rely on legitimate tools that might be available like PowerShell and built-in admin utilities. This makes their activity blend with normal operations and that delays detection. So in summary, they succeed in great part because they blend in socially and technically quite well on their victims and their structure reflects their attack style. Opportunistic, what credentials are available to them at that point in time, user focussed and fast-moving, I would say.
Keith Mularski
And I think, if I could just add to that, you know, what I think is brilliant about that is that you know you think of you know the cyber defence of you know in all the organisations, there’s millions of dollars spent on the best tools, you know, your EDR detecting, you know, the malware and all that, and really kind of what they’re doing here is, they’re doing on the run and in the round, you know, it’s like okay, well this is kind of a hard target, you know, in that traditional infosec space, so now we’re kind of what we’re going to go through is that social engineering, we’re going to hit the help desk and we’re going to hit people through smishing, like that where, where organisations are really weak because you know you think in the infosec group, everybody’s trained on how to detect and respond to things, but the help desk really has no training for the most part, you know, social engineering training, because they haven’t been a target, so that’s really what makes them so unique and brilliant with the way that they’re attacking.
Mark Tibbs, Partner
Mishcon de Reya
Yep, great, okay. And how about we move onto the next, the next question then and I’m going to, I’m going to point this at you, Joe, but businesses are sometimes shy to talk about the details of attacks and understandably why and you know, but mainly because, I think, because they don’t actually know what’s happened as well sometimes especially in the early stages, but, but from, from the experience of, of businesses already caught in the crossfire, can we, can we gain any insights about how these criminals operate, you know, and, and more importantly probably, how should organisations adjust their defences or do they need to adjust their defences to stay safe from this group in particular, but also other groups?
Joe Hancock, Partner
Mishcon de Reya
Yeah, I mean, the obvious answer is the kind of social engineering piece which we’ve kind of covered already and I will talk about that a little bit, I mean, the, the first kind of comment I have is that on that kind of, you know, organisations not sharing or not knowing what’s happened, you know, in, I tend to find there’s actually a lot more sharing now in 2025 than there ever used to be, it’s ad hoc and informal and people are much more prepared to talk than they ever were before, you know, and we’ve seen that with the Scattered Spider attack, you know, I’ve seen more sharing of IOCs, TTPs, good kind of stuff coming out the back of them than I’ve ever had before and I think that’s really refreshing, you know, it’s, it’s you know it feels like some of the walls are kind of coming down, which is really great. And that is one way in which, you know, as a defender community we’ll be able to kind of fight these things is with that kind of wider information sharing more quickly. On, on the kind of what’s different and then what could people do about it, again, to come back to that kind of social engineering point, social engineering in this, in this context, especially against the help desk works because you have a set of people in the organisation who have customer service metrics who want to be helpful, who you deliberately select to be good, customer-focussed people, who, who often want to help people and that’s what you’ve incentivised them on and you also incentivised them to, you know, receive emails with links in, you receive, they take phone calls publicly, you know, they, it’s what they do and so it’s very difficult then to kind of, to train those people to be suspicious because you, you’re incentivising them not to be, you know, at the bottom level of it, you know, but there is an opportunity that comes out of this which is that kind of you, you want people to, to think about actually what’s in front of them and to start looking for some of the signs that you know are, a call into the service desk, can we just focus on that example, not the only bit of an organisation that gets social engineered at all, let’s focus on that now because we, we, we know that’s kind of pertinent, you know, it is that, you know, okay, is this person trying to pressure me? Is this the usual pressure I get of somebody who can’t work or is it a bit more? Should I tell somebody else about this? Do I feel like I have the support of my manager and my organisation if I say no, I’m going to go and check this and I’m going to come back to, that my manager and the organisation are going to support me? Because ultimately, we can give, you know, let’s think of a service desk, all the training in the world but unless organisationally we’re going to back them to say “No!” or we’re going to back them to escalate things or we’re going to back them to perhaps divert from that gold standard level of customer service that we incentivise, it’s never going to work and the attackers will always have that kind of piece so, for me, it’s two-fold, there’s the training bit, there’s kind of, but you know which we need to do, but we need to create that safe space by which people if they feel under pressure, you know if they think a call is suspicious, if they’re not sure about something that they can say no to the person on the line, politely and nicely and you know all those kind of things, and know that they’re going to be backed up by the organisation they’re in because as soon, as soon as somebody pushes back on someone, finds out it’s not a social engineered attack and gets in trouble for it, they’re never going to do it again, they, you know, because there’s an immediate impact from their manager or the organisation compared to a potential impact from the attackers that might never come and so, that’s the thing I think we need to fix, it’s that kind of environment of safety really for any team or individual or you think that they’re going to potentially have these kind of attacks against them.
Mark Tibbs, Partner
Mishcon de Reya
I guess in some ways you could, you could see this as being a reflection of like good, you know, information security, cybersecurity practices because this group have had to find a niche whereby they can do it in other ways, you know, they’re not, they’re not doing it through malware, you know, sometimes they’re not doing it through malware, sometimes they’re not doing it through, through, through, you know, technical means let’s say, but you know they’re doing it through these social engineering, these con tricks basically to get into organisations, you know, it’s, it’s a, it’s maybe an easier route now, I don’t know.
Joe Hancock, Partner
Mishcon de Reya
Maybe I’m slightly cynical, I kind of, I’m not sure it’s an easier route because everything else has got better. It might be an easier, it might be a quicker route. My view would probably be that you can get, you can get the same level of access with less effort and more speed. You could do it the technical way, but why would you bother, if you look at kind of the ROI of these kind of things, right, you know, why would I bother developing that technical capability, paying for it, having it not work, when actually, you know my hit rate with the, with the kind of social engineering is 80%...
Mark Tibbs, Partner
Mishcon de Reya
Much higher.
Joe Hancock, Partner
Mishcon de Reya
…[inaudible] was 20%.
Mark Tibbs, Partner
Mishcon de Reya
Yeah.
Joe Hancock, Partner
Mishcon de Reya
Maybe that’s the cynic in me there, maybe it is growing.
Mark Tibbs, Partner
Mishcon de Reya
Yeah.
Keith Mularski
Just one thing to add to kind of what Joe was saying in addition to the, you know, that training there with the help desk, you know, really recommend doing tabletop exercises, you know, make sure you know that, that you’re kind of going through one of these instances that you kind of game play and practice so that when something does happen, because most likely if you’re you know a big organisation or especially right now in the retail sector, if you know, you’re probably going to get hit in some way or at least attacked, so you know to, to throw that, you know, doing tabletop exercises so that you kind of have that muscle memory so that when it actually does happen, you, you know what to do as opposed to that you’re just reacting for the first time.
Mark Tibbs, Partner
Mishcon de Reya
Yep, sure, and I suppose that leads us onto, really onto the next question, which is around you know looking at the aftermath and, and sort of trying to learn, because it’s obviously you know extremely bad news for some of these organisations but, but there are always learning points and, you know, my question to the panel really and maybe, maybe to you, Joe, primarily, is, is what are the lessons that, that especially for retailers who want to limit the fallout and prevent repeat incidents, I mean tabletop exercises is one of them, I would argue that there’s, you know, with tabletop exercises you’ve got to do them right.
Joe Hancock, Partner
Mishcon de Reya
Yeah, I mean, and on that it is this is actually you know we didn’t plan this but we have had a press release this morning where we are the first law firm in the UK now to be accredited by the National Cyber Security Centre for our kind of cyber incident exercise and capability, which is, yeah, because it is one of the kind of things and to build that kind of corporate muscle memory and also frankly because you know it exposes in a safe space things that kind of you know need to be fixed. I always take a wider step back though, often these problems, I say, problem is the wrong word, some of the more structural vulnerabilities are strategic, it, depending how you approach your, your kind of systems provision, how you approach cybersecurity, how you approach risk management overall, over a number of years, is what gets you to the point where you can have systemic vulnerability. Systemic vulnerabilities don’t appear overnight. I come back to that point where, you know, stretch my kind of help desk example, if you have a help desk that is constantly beaten up for metrics, is constantly beaten up for kind of saying yes to people, you know, eventually you know over a number of years you’re going to have a help desk that whoever calls, they’re going to do as they’re told because they have been pushed into that space, it doesn’t happen in a week, it happens over a long period of time, you know, you know the enemy of kind of good, basic security hygiene is scale and complexity. Scale and complexity comes with time, you don’t build large-scale, complex systems quickly and so, you know, to me really, it’s kind of having a good hard look at, okay strategically, are we getting the value we need from kind of security? Are we delivering structurally and strategically the right things?
And these attacks overall, and others, show that for you know, for some sectors that that isn’t the case and you know, often I think in part the reason that retail has been targeted is because with a cost of living crisis comes a squeeze on retail profit margins and therefore comes cost reduction across the board and you start thinking about having to do a bit less in all sorts of spaces, you do less marketing but you also will do less security, less compliance work and less IT refreshes and so, you know, you, I think there’s also a kind of connection there between a wider economic kind of issue and the level of investment in all sorts of things which unfortunately includes, includes security. And that isn’t to say that everyone should go out tomorrow and say right, you know, we’ll do no more marketing and only cybersecurity, because that’s not a good way to run any kind of organisation, you know, it would be great security but would be very short-lived, but there’s definitely a need I think sometimes to just think are we taking, is this the right, are we running the right level of risk here? Accepting we can’t do everything. What actually are the bad guys out there doing? Are we really doing enough? Can I, if something happens, am I happy to stand up and say we, we knew this was, you know, potentially our case, we did everything we could have done proportionally, here it is and now it’s happened and we’re going to deal with it. And sometimes I think there’s a bit of regret sometimes after these things and that isn’t true.
Francisco Sanches, Director
Mishcon de Reya
If I may, out of the, the recent, or thinking about the lessons, thinking about the recent events for retailers, for me, they would boil down to three areas and there’s a bit of [inaudible] of what’s been said until now, it’s, and I think it’s visibility, resilience and response. Visibility, I would say you need to know your digital supply chain and many breaches start with third party accesses like outsourced IT, call centres or social providers. You, retailers really need to map out who has access to what and apply the right controls, least privilege, all the good things that should be in that space. On resilience, it’s, I think it’s resilience over perfection so, it’s unrealistic to stop every breach attempt, every attack, so what matters, or is becoming increasingly more important, is how quickly you detect and contain it so, there really needs to be some investment or really thinking about your detection and response capabilities, whether in-house or through a reliable third party partner. And last, and Keith was talking about that, is preparedness reduces fallout effectively so, retailers who have tested incident response plans, clear communication channels and good back-up strategies, would have recovered far more smoothly than others and those without that pay the price and then [inaudible] reputational damage and potential regulatory scrutiny so, we need to assume compromise going forward, watch closely and be ready to act fast when it happens.
Mark Tibbs, Partner
Mishcon de Reya
Yeah, very good. I think our final question, because we’re leading up to the, the very short 25 minute slot that we’ve got, but it’s one for you again, Keith, with your, your years of experience, so, so, how do the broader trends such as international cooperation and sort of things like emerging technologies, like how does that factor into the group success do you think and our collective ability to counter them?
Keith Mularski
Yeah, so, you know, still international cyber cooperation between law enforcement agencies isn’t seamless, you know, every country has their own jurisdiction, their own laws, their own way, you know, their own priorities, you know, so like when I was at the FBI sometimes we couldn’t call it cybercrime if we were dealing with a certain country, we had to call it organised crime or fraud because they didn’t look at cybercrime so, so, you have to learn how to frame it, but there are still, you know when you have threat actors that spread across the globe, when you have to follow international cooperation procedures like sending mutual legal assistance treaty requests, you know, cybercrime moves very quickly and unfortunately, the processes and the laws, you know for many countries, are slow and you know so, and aren’t designed to move at that speed so, so there is that, that impediment there, however, law enforcement has been making a lot of strides recently where they’ve arrested a couple of the Scattered Spider individuals, one that was a UK individual, he was in Spain and he was arrested and another one in the United States so, so they are making some progress.
Mark Tibbs, Partner
Mishcon de Reya
And, and quickly I’d argue as well, so it used to be the, the, the, gone are the days of five years to wait before you got an arrest, it’s much more quick than how I remember it as well.
Keith Mularski
Yeah, absolutely. And then, you know, on the criminal side, the emerge you know like both Joe and Francisco both said the emergence of AI really makes these lures, you know, a lot more legitimate, gone are the days of the misspellings and things like that, you know, so, so using you know they, the bad guys are using AI just like the regular businesses are to improve their operations and we’re going to see really that emergence there.
Francisco Sanches, Director
Mishcon de Reya
But that cuts both ways, so I mean threat actors use AI to craft better phishing, deepfake voices for vishing and automation to scale attacks but blue teams, defenders, we now also have AI powered detection, threat intelligence platforms and that is giving us faster response tools that are closing the gap.
Mark Tibbs, Partner
Mishcon de Reya
Yeah, so it’s not completely one-sided. Yeah. Uh yeah, that’s the good news, the silver lining to, to, to you know the technology race kind of thing.
Francisco Sanches, Director
Mishcon de Reya
And just one last on that one, I think that, and Keith has mentioned that all more the police will level force but I think collaboration widely is gaining ground so, I think we’ve seen more improved sharing of threat data between governments, ISBs, tech providers, retailers, this kind of coordination and faster coordination is essential to track these fast moving groups and so that we can learn from these incidents in real time and I do believe that there’s still a way to go but it is improving, there are signs of that, very positive ones.
Mark Tibbs, Partner
Mishcon de Reya
Agreed.
Keith Mularski
Yeah, absolutely, I mean really in the last three weeks, I think there’s been four major international takedowns, you know, multinational so, you know, the good guys are making strides for sure.
Mark Tibbs, Partner
Mishcon de Reya
Yep, keep up the good fight. Right, okay, thank you very much, guys. We are up to the, up to our time, but just to say thanks to Francisco, Keith and Joe for your insights and yeah, if there’s any more questions that you want us to answer, we can answer them by email. There’ll be a recording sent to those who signed up and our contact details and if you want to contact, just once again, if you want to contact any of the speakers directly, just click on the ‘Resources’ tab down below and you’ll be taken to their bios and their contact details. So, thanks very much indeed.