WeeklyWorker

29.05.2025
We can see you: jumping spider eyes

Dark forces of extraction

Who are Scattered Spider and how do they do what they do? Paul Demarty investigates the recent spate of ransomware attacks on top companies and the extreme fragility of global IT systems

Last week, the National Crime Agency - whose job it is to look busy when large-scale skulduggery strikes in Britain - announced that it had a suspect in the case of a series of crippling cyberattacks on major retailers, including Marks and Spencer and the Co-op.

Paul Foster, head of cyber-crime at the NCA, fingered the notorious collective, Scattered Spider, which has already attacked major US casinos, as well as various major companies that use the cloud database and storage service, Snowflake (including AT&T and Ticketmaster). The Scattered Spiders are, according to the bourgeois media, notable primarily for their youth (many participants in these antics appear to be teenagers) and for their not hailing from what we are told are the real hotbeds of cybercrime, Russia and North Korea.

In reality, of course, these are not such great distinguishing features after all. Certainly there is a lot of cybercrime originating in Russia, and the North Korean state sponsors a great deal of cyber-sabotage, given its available means. Yet such crimes are, at this point, as American as apple pie - I am not aware of any especially great British capability on this point, but the extremely aggressive hackers of Israel mysteriously go unmentioned in the output of the BBC and the like when they discuss these questions. Israel’s Unit 8200, meanwhile, makes a point of recruiting teenagers - who are presumably on the hunt for a relatively low-risk posting during their military service.

Basics

So in these respects, after all, Scattered Spider is all too typical. So, in fact, are its crimes. There is something almost admirable in how it goes about its business: like an overperforming football team which succeeds simply by doing the basics well. Their hackers first of all acquire personal information that will grant them access to systems - by simply buying it from the dark web, or by ‘phishing’ (sending deceptive emails to targets), or other kinds of social engineering (communicating with individuals to con them out of information). Having acquired such information, they use off-the-peg ransomware software to claim bounties of millions of dollars in cryptocurrencies. It is good, old-fashioned, meat-and-potatoes, 4-4-2 cybercrime.

To take the M&S hack as an example: while details are still emerging, it is clear from CEO Stuart Machin’s emphasis on “human error” in his public statements that social engineering was used (ie, some human erroneously gave up the keys to the kingdom). The Financial Times reported on May 23 that the Indian outsourcing giant, Tata Consultancy Services, was conducting an internal investigation into its own possible role. If that was the way in, it would hardly be atypical: security measures often have to be massaged to allow contractors to do their jobs effectively. Outsourcers often take on jobs like internal IT support, which are juicy targets for social engineers, since IT support workers definitionally need to be able to grant access to different systems and do jobs like changing authentication details.

The troubling thing about this is that it works. In the early days of ransomware, 10 years ago or so, the big-name victims would make a big noise about not paying up - “never negotiate with terrorists”, and all that. Mysteriously such statements have become rarer. It is not altogether surprising: by the time you are reading the ransom note, the truth is that you are - to use the computing jargon - already completely fucked. How so? There are two major options, when a hacker has obtained the keys to the kingdom. One is data exfiltration - just download all the sensitive data (customer credit card numbers, detailed personal information that can be used for fraud, etc) and threaten to put it on the dark web market if the ransom is not met. The other is to encrypt all the information, rendering it unusable, and refuse to decrypt unless the demand is met.

Either way, leaving aside the vanishingly small possibility that the police will interrupt the scam while it is in progress, the hacker has already won. The target’s information security measures have already been defeated. The willingness of the world’s states to tolerate cryptocurrencies, meanwhile, ensures that there is a relatively risk-free way to take payment, with well-established mechanisms for laundering crypto funds into good old greenbacks. The ultimate proof that this works is merely that people keep doing it. Major corporations are, after all, hard targets. One has to commit serious crimes to compromise them - identity fraud, above all. (Humans tend to be the weakest points in the structure.) Nobody would take the risk if there was no actual money at the back end. Having worked in the software industry for over 10 years, I am surprised only that it does not happen more.

Threat models

Prevention of such breaches is a bit like barricading a door against a zombie invasion. It is not so much a matter of constructing a single, perfect defence according to a plan, but piling up stuff and hoping that the accumulated materials will do the job.

Multi-factor authentication will usually be enforced (that is, additional authentication steps beyond logging in with a username and password, typically sending one-time passwords via SMS or generating them with a phone app. This way, an attacker will need not only your password, but your actual phone). Access should be granted according to the principle of least privilege - that you should only be able to access things you actually need to do your job. Access to private information should be disabled by default for everyone and only granted when a special request is made for it. Ideally it should not be possible to access such information alone - that way an attacker needs to compromise two user accounts, not just one. So it goes on.
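To make the layered controls just listed concrete, here is a small access-policy check, added as an illustration and not code from the article or from any of the companies it names: every access is denied unless explicitly allowed, each role holds only the grants its job needs, a second factor is required, private data is off by default until a special request is recorded, and sensitive data can never be read by one person alone. The roles, resources, user names and grant table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed least-privilege grants: a role may touch only what its job needs.
ROLE_GRANTS = {
    "cashier": {"till"},
    "helpdesk": {"password-reset"},
    "dba": {"db-maintenance"},
}
# Private data is off by default for everyone: it needs an explicit, per-user
# just-in-time grant and a second person present at access time.
SENSITIVE = {"customer-db"}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool = False  # a second factor was presented for this session


def entitled(session: Session, resource: str, jit_grants: dict) -> bool:
    """True if the role grants the resource, or a special request was approved."""
    return (resource in ROLE_GRANTS.get(session.role, set())
            or resource in jit_grants.get(session.user, set()))


def authorise(session: Session, resource: str, jit_grants: dict,
              approver: Optional[Session] = None) -> tuple[bool, str]:
    """Evaluate one access; anything not explicitly allowed is denied."""
    if not session.mfa_verified:
        return False, "deny: second factor required"
    if not entitled(session, resource, jit_grants):
        return False, f"deny: '{session.user}' not entitled to '{resource}'"
    if resource in SENSITIVE:
        # Four-eyes rule: an attacker must compromise two accounts, not one.
        if approver is None or approver.user == session.user:
            return False, "deny: sensitive data needs a second, distinct person"
        if not approver.mfa_verified or not entitled(approver, resource, jit_grants):
            return False, "deny: approver lacks MFA or entitlement"
    return True, "allow"


if __name__ == "__main__":
    # Constructed sample: two DBAs hold an approved request for the customer data.
    grants = {"alice": {"customer-db"}, "bob": {"customer-db"}}
    alice = Session("alice", "dba", mfa_verified=True)
    bob = Session("bob", "dba", mfa_verified=True)
    print(authorise(Session("eve", "helpdesk", True), "customer-db", grants))
    print(authorise(alice, "customer-db", grants, approver=alice))
    print(authorise(alice, "customer-db", grants, approver=bob))
```

Note that a help-desk session holding a valid second factor is still refused the customer database, which is the point of separating the reset entitlement from the data itself.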

All this stuff costs money and time to set up and keep going. Organisations typically have to make a decision about how far they are willing to go, which will usually be a matter of what is called ‘threat-modelling’ - that is, trying to decide what kind of ‘adversaries’ they actually face. To take an extreme example: in 2010, the Israeli security services successfully introduced the Stuxnet malware into Iran’s Natanz uranium enrichment plant. The malware was specifically targeted to compromise the industrial control systems in use at the plant. The facility was ‘air-gapped’ - not connected to the internet - so the malware had to be brought in physically, likely on a USB memory stick. All this was done successfully, and Stuxnet raised merry hell in Natanz.

Now, if you are the head of ‘infosec’ at Marks and Spencer, the threat you have in mind is probably not the best and brightest saboteurs employed by the Israeli state. That is a relief, because the expense and complexity of keeping such people out is prohibitive; one could hypothetically, perhaps, run a single nuclear facility like that (a task at which the Iranian state nonetheless failed), but hardening every aspect of even a relatively modest retail empire like M&S to the point that you stand a chance of defeating a determined and well-resourced hostile state is a daunting proposition and, if achieved, would introduce so much paranoid bureaucracy as to make day-to-day business basically impossible. For that reason, such measures are rarely found outside the state core of major powers - where, however, they are very typical.

So, perhaps, a company like M&S will think instead of the more modest capabilities of cybercriminal organisations like Scattered Spider. Even these, clearly, are not straightforward to defend against. Part of the problem is simply that this sphere keeps developing. “No universal history leads from savagery to humanitarianism,” Theodor Adorno once wrote, “but there is one leading from the slingshot to the megaton bomb.” Likewise, the innovations produced in the most daring cyberattacks have a way of leaking out to the wider criminal underground, improving the general intellect and developing the forces of destruction. No great ingenuity is required here - just diligent research into the weak points in the software and services supply chain and canny choices of off-the-peg software, which keeps getting better.

Lessons

What can we learn from all this? Firstly something about capitalism. Adorno is hardly the only person to have noticed the way that progress in the forces of production has as its dialectical shadow ‘progress’ in the forces of destruction. Typically we, like Adorno, think of nuclear weaponry or other such genocidal novelties. Yet this is also true, so to speak, fractally: means of destruction great and small appear throughout the economic edifice. Industrial machinery immanently poses the possibility of sabotage - the very fact that the machine works in such and such a way implies specific techniques of machine-wrecking.

The greater the complexity of the machine, the more diverse the mechanisms of sabotage. A modern corporation of the usual type, whose operations span supply chains across the world and are operated out of networks of datacentres, is an extraordinary marvel of technique, and by the same token a giant, soft target. Massively networked computing makes all this possible, but also enables a gang of teenagers to conduct very dramatic shakedowns with relatively little effort.

Capitalism, of course, provides the incentive structure that makes it all worthwhile; so much dumb money sloshing around, waiting to be grasped. It is put perceptively in Raymond Chandler’s masterpiece, The long goodbye: “We’re a big, rough, rich, wild people and crime is the price we pay for it, and organised crime is the price we pay for organisation. We’ll have it with us for a long time. Organised crime is just the dirty side of the sharp dollar.”

The second lesson is for us, in the revolutionary movement. We are presently powerless enough that threat-modelling is largely a matter of daydreaming - one of the few upsides of that state of affairs. Yet we are dependent on much the same technology as corporations - the internet, above all - for disseminating our ideas and organising our activity.

Suppose that we were not so powerless - that the organised left sank sufficiently deep roots in society to be a real political actor. Then we would face countermeasures, and, more’s the pity, we would face the kind of determined nation-state adversaries that keep infosec people awake at night, in addition to ‘lawfare’ and various kinds of legal takedown initiatives.

To suppose that we could defeat such attacks by means of technique and iron discipline seems to me a fantasy. It is like the fantasy entertained by certain Trotskyist and Maoist sects, that the revolutionary movement will one day face the armed forces of the bourgeois state in a fair fight and win.

In the military struggle against the state, the wildcard is the morale of the forces of the state. The Russian Revolution triumphed precisely by putting this factor in play, with fearless agitation among the ranks of the tsar’s army, and later those of the white generals. Only when state power had been conquered was it possible for direct conflict in the field to result in victory for the Red Army during the civil war.

As regards mass communication with modern technology, there is also a question of morale - of building hegemony in society such that the censors and state-employed hackers question their loyalties. But there is also the need merely for resilience in the face of successful attacks. When a website is taken down, it must be replaced in short order; the dark web must be understood and exploited; in extremis, the sinews of the party and the movement must function even when cut off from the internet entirely.

The fragility of modern IT is on display for all to see: we must expect it to be weaponised against any movement the state deems it necessary to fight.