Victoria’s Secret Hit By ‘Security Incident’ After Attacks on UK Retailers – Source: securityboulevard.com

International lingerie seller Victoria’s Secret shut down its U.S. website this week due to what it calls a “security incident” that is suspected to be the work of the same threat group responsible for similar attacks on retailers in the UK earlier this month.

The website now displays a notice telling visitors that “we identified and are taking steps to address a security incident. We have taken down our website and some in store services as a precaution. Our team is working around the clock to fully restore operations.”

The notice, which has been up for at least three days, also says that the company’s Victoria’s Secret and PINK stores are still open.

The unspecified incident comes in the wake of reports that Scattered Spider – a threat group also known as UNC3944, Octo Tempest, Muddled Libra, and Oktapus – was behind attacks on several UK retails, including Marks & Spencer, which sells home goods, clothing, and luxury food products, the Co-op (convenience stores), and Harrods (various luxury items) over several weeks heading into May.

Hopping the Pond

As those campaigns were underway, John Hultquist, chief analyst at Google’s Threat Intelligence Group (TAG), told news outlets in a statement that Scattered Spider, which had been in hiatus since last year following law enforcement actions and personnel changes, had returned and warned that the “U.S. retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider.”

Hultquist said that the threat group – which he said is “aggressive, creative, and particularly effective at circumventing mature security programs” – was known for targeting a single sector at a time and that TAG researchers “anticipate they will continue to target the sector in the near term. U.S. retailers should take note.”

In a post on X (formerly Twitter) in mid-May, he wrote, “Shields up US retailers. They’re here.”

The FBI reportedly had been talking with top U.S. retailers about the possibility of Scattered Spider attacks making the trip across the Atlantic Ocean from England. Hultquist told CNN two weeks ago that a hacker group had “successfully targeted multiple retail organizations in the U.S.,” though he declined to name the victims.

Back After a Hiatus

In early May, Google’s Mandiant unit published a blog detailing the operations of Scattered Spider – which has been around since 2023 and has targeted over industries like financial services and food services – and outlining protections against such attacks. Scattered Spider made its name with attacks against high-profile gaming companies MGM Resorts and Caesars Entertainment in 2023.

They also wrote that in targeting the UK retailers, Scattered Spider was deploying DragonForce ransomware and that members of DragonForce reportedly were claiming responsibility for multiple attacks on such retailers. The researchers also noted that the bad actors behind DragonForce, which started as a typical ransomware-as-a-service (RaaS), in March announced it was rebranding as a “cartel,” offering a new distribution model in which affiliates that use the malware and create their own brands, according to Secureworks.

The DragonForce is With Them

“Notably, the operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service (RaaS) that seemingly ceased operations in March of this year,” Google’s TAG researcher wrote, adding that Scattered Spider had been a RansomHub affiliate in 2024 following the law enforcement disruption of the operation ransomware operation of BlackCat, which also was known as ALPHV.

Cybercrime can be a copycat industry, so it shouldn’t be surprising that the number of retail brands coming under attack is growing after earlier hacks, according to Ben Hutchison, associate principal consultant at cybersecurity firm Black Duck.

“They may be considered ‘victims of the moment,’ as unfortunately, once a particular attack or threat actor group has been successful in compromising a specific target [or] sector, this can serve as motivation both for others to engage in similar efforts and for the specific threat actor to double down on their efforts and launch attacks against similar targets,” Hutchison said. “Given the recent rising trend in attacks targeting retail organizations and high street stores, such organizations should treat this as a wakeup call to ensure they are prioritizing their cybersecurity and digital resiliency.”