The myth of genius hackers

The author is director of the Cambridge Cybercrime Centre and a professor of emergent harms at the University of Cambridge.

Over the past few weeks, you may have heard the name "Scattered Spider" in connection with the ongoing disruption at Marks and Spencer (and the Co-op and Harrods). Although none of the current cyberattacks on UK retail has been publicly attributed, there is speculation that the tactics used resemble those of the loosely associated network of online miscreants operating under this name. Other reports suggest that it is working with DragonForce, another cybercrime group, which allegedly provides ransomware as a service.

Scattered Spider has been linked to the disruption of many high-profile companies and has permeated the collective imagination of cybersecurity professionals, the media and governments. However, its symbolic power (amplified by its striking name) far exceeds its technical skill.

The scale of the group's alleged targets may make it seem as though impressive hacking capabilities are required. But reports indicate that it gets into organizations through the back door, by persuading unwitting employees to enable access.

This can be done through social engineering (manipulating people into sharing private information), targeted phishing, exploiting multi-factor authentication fatigue and SIM swapping. These tactics are not novel. They involve smooth-talking employees, directing them to fake websites to steal their credentials, and exploiting poor verification practices. None of these crimes requires a highly skilled adversary.

But in the cybersecurity industry, marketing is everything. Names are chosen to provoke a visceral reaction and promote fear. That fear helps steer people towards expensive high-tech security products.

In fact, Scattered Spider is not a formal group that named itself. The name was coined in 2022 by the cybersecurity company CrowdStrike. You can even buy Scattered Spider statues, T-shirts, mouse pads, cups and skateboards from CrowdStrike's online store. (You may remember CrowdStrike as the company blamed for knocking millions of computers offline last summer because of a software update, disrupting airlines, news media, health services and emergency call centers.)

It is not just CrowdStrike that comes up with names for groups involved in deviant behavior. Other security companies scramble to choose the catchiest nickname, one that will play well in the media and ensure that their website appears in search results. Scattered Spider has also been given many other names, including Interstellar Florida, UNC3944, Scatter Swine, and Muddled Libra.

There are some exceptions. DragonForce does seem to have named itself, perhaps to earn notoriety on its own terms and to stop security companies' marketing departments from choosing a name for it.

The names given to cybercrime gangs do not just describe their behavior; they also shape it. These linguistic choices can inflate a group's symbolic capital, legitimizing its members, who are often young people seeking peer recognition and prestige. For them, cybercrime may be not only a means to wealth but also a rite of passage. Scattered Spider is thus amplified by the very industry that is meant to neutralize it.

Typically, the high-tech services sold by the cybersecurity sector protect the front door, while criminals continue to use low-tech methods to sneak in through the back door.

In a world where affiliation with a hacker group can be a badge of honor, criminals can be driven by reputation and peer recognition regardless of country or language. To deal with cyber threats, we need better deterrence, as cybercriminals usually face no consequences for their crimes. The global prosecution rate is extremely low. Despite the high number of offenses, many are of relatively low value.

Effective cross-border cooperation is crucial for tackling all but the most mundane cybercrime, and police need training to deal with it. We need a responsive ecosystem that can act in the early stages of security vulnerabilities.

If we are to protect ourselves from cybercrime, we need more prosecutions and a mature computer security industry that introduces neither vulnerability nor provocation.