The myth of the genius hacker


The writer is director of the Cambridge Cybercrime Centre and professor of emergent harms at the University of Cambridge

In the past few weeks you might have heard the name “Scattered Spider” in relation to the ongoing disruption at Marks and Spencer, the Co-op and Harrods. While there has been no public attribution for the cyber attacks on UK retail as yet, there is speculation that the tactics used are similar to those of a network of loosely affiliated online miscreants that goes by this name. Other reports suggest collaboration with another cyber criminal group, DragonForce, which allegedly provides ransomware as a service.

Scattered Spider has been linked with breaches at a number of high-profile companies and has infiltrated the collective imagination of cyber security professionals, the media and the government. Yet its symbolic power — amplified by its striking name — far outweighs its technical skill.

The size of the group’s alleged targets may make it appear as if impressive hacking abilities are required. But reports indicate that it gets into organisations via back doors by convincing unwitting employees to enable access.

This can be done through social engineering (manipulating people into sharing private information), targeted phishing, taking advantage of multi-factor fatigue and SIM swapping. These tactics are not novel. They involve smooth-talking employees, driving them towards fake websites in order to steal their credentials and taking advantage of poor verification practices. None of these crimes requires highly skilled adversaries.

In the cyber security industry, however, marketing is everything. Names are chosen to invoke a visceral reaction and to promote fear. That fear helps to turn people towards expensive high-tech security products.

Scattered Spider is, in fact, not an official group that named itself. Its name was first invoked by the cyber security company CrowdStrike in 2022. You can even buy Scattered Spider figurines, T-shirts, mouse pads, mugs and a skateboard from CrowdStrike’s online shop. (CrowdStrike, you may remember, was the company blamed for millions of computers going offline last summer, disrupting airlines, news media, health services, and emergency call centres due to a botched software update.)

It’s not just CrowdStrike that comes up with names for groups involved in deviant behaviour. Other security companies jostle to choose the catchiest moniker, which will be splashed on media releases, and ensure their website comes at the top of search results. Scattered Spider has been given many other names, including Starfraud, UNC3944, Scatter Swine, and Muddled Libra.

There are some exceptions. DragonForce does appear to have named itself, perhaps in an attempt to gain notoriety and ward off a title picked by the marketing department of a security company. 

The names handed out to cyber criminal gangs don’t just describe their behaviour, they can also shape it. These linguistic choices can inflate a group’s symbolic capital, granting legitimacy to its members, who are often adolescents or young adults seeking peer recognition and prestige. For them, cyber crime may be not only a means to wealth but a rite of passage. Scattered Spider is therefore being amplified by the same industry that is designed to neutralise them. 

Often, the high-tech services that the cyber security sector sells protect the front door, while offenders continue to sneak in the back one using low-tech methods. 

In a world where affiliation with hacker groups can be a badge of honour, regardless of country or language, offenders can be driven by reputation and peer recognition. To tackle cyber threats we need better deterrence, as cyber crime offenders usually do not face any consequences for their crimes. Global prosecution rates are extremely low. Many criminals evade investigation altogether as their crimes are relatively low in value, despite being high in volume.

Effective cross-border collaboration is essential for addressing all but the most mundane cyber crimes, and police need to be trained to deal with this. We need a responsive ecosystem that can act at the early stages of security breaches. 

If we are to protect ourselves from the onslaught of cyber crime, we require both increased prosecution and a mature computer security industry that introduces neither vulnerabilities nor provocative names.
