The Google Threat Intelligence Group (GTIG) recently revealed that the well-known hacker collective UNC3944, which also overlaps with the widely publicized Scattered Spider, is a persistent and dynamic cyberthreat.
Initially focused on telecommunications for SIM swap operations, UNC3944 has pivoted to ransomware and data theft extortion since early 2023, casting a wider net across industries.
After a brief decline in activity following law enforcement actions in 2024, the group appears to be rebounding, potentially leveraging ties with a broader criminal network.
Their latest activities include targeting retail organizations in the UK, with possible links to DragonForce ransomware, a strain recently tied to the revived RansomHub ransomware-as-a-service (RaaS) platform, where UNC3944 previously operated as an affiliate.
Targeting English-Speaking Nations
UNC3944’s modus operandi heavily relies on sophisticated social engineering, often impersonating IT personnel to trick employees into divulging sensitive information or resetting credentials.

Their victimology reveals a strategic focus on large enterprises in English-speaking countries like the United States, Canada, the United Kingdom, and Australia, with emerging campaigns in Singapore and India.
The group has orchestrated sector-specific waves of attacks, notably hitting financial services in late 2023, food services in May 2024, and now retail sectors, where personally identifiable information (PII) and financial data make lucrative targets.
Recent BBC News reports suggest DragonForce operators, potentially linked to UNC3944, claimed responsibility for attacks on multiple UK retailers, highlighting a trend where retail victims on data leak sites (DLS) have risen to 11% in 2025, up from 8.5% in 2024.
This escalation underscores the group’s intent to exploit high-stakes environments, often pressuring victims through public data exposure or operational disruptions.
GTIG notes that UNC3944 frequently targets organizations with large help desks or outsourced IT functions, exploiting these as entry points through tactics like MFA fatigue attacks and impersonation via collaboration tools such as Microsoft Teams.
Technical Tactics
Technically, UNC3944 employs a range of tactics, techniques, and procedures (TTPs) detailed in GTIG’s attack lifecycle analysis, spanning initial access via social engineering to lateral movement and data exfiltration.
Their proficiency in bypassing multi-factor authentication (MFA) by manipulating registration processes or exploiting trusted locations is particularly alarming.
To counter this, GTIG recommends robust identity verification protocols, including on-camera ID checks and out-of-band confirmation for high-risk changes, alongside phasing out vulnerable authentication methods like SMS or email.
Organizations are urged to enforce phishing-resistant MFA, restrict administrative access to trusted IPs, and monitor for anomalies like unauthorized MFA device registrations or reconnaissance tools such as ADRecon.
Network segmentation, egress traffic restrictions, and isolation of critical infrastructure like backup systems are also critical to thwarting UNC3944’s persistence mechanisms.
For cloud environments, vigilance over newly created resources or modified security rules is essential to prevent backdoor access.
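The recommendations above call for monitoring unauthorized MFA device registrations. The following is an added example, not code from the article or from GTIG, showing one way a detection team might score MFA registration events against an identity provider's audit log: a registration is flagged when it lands shortly after a help-desk-initiated password reset (the impersonation pattern described above) or comes from a source IP the user has never logged in from. The pipe-delimited log format, field names, account names and IP addresses are all constructed for illustration; map them onto your own provider's audit schema.

```python
"""Heuristic detection of suspicious MFA device registrations.

Added example; not part of the original article or GTIG's guidance.
The log format below (ts|user|action|actor|source_ip) and all sample
values are constructed. Real deployments would read the identity
provider's audit log instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample audit log. j.doe gets a help-desk password reset
# followed minutes later by an MFA registration from an unfamiliar IP;
# a.lee self-registers from an IP seen in earlier logins (benign).
SAMPLE_LOG = """\
2025-05-01T09:02:11Z|j.doe|login_success|j.doe|203.0.113.10
2025-05-01T09:40:05Z|j.doe|login_success|j.doe|203.0.113.10
2025-05-01T11:00:00Z|a.lee|login_success|a.lee|203.0.113.22
2025-05-02T14:12:30Z|j.doe|password_reset|helpdesk.svc|10.0.0.5
2025-05-02T14:15:02Z|j.doe|mfa_method_registered|j.doe|198.51.100.77
2025-05-02T15:00:00Z|a.lee|mfa_method_registered|a.lee|203.0.113.22
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str      # account the event concerns
    action: str    # login_success | password_reset | mfa_method_registered
    actor: str     # who performed the action (differs from user for help-desk resets)
    source_ip: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, actor, ip = line.split("|")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, action, actor, ip))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_mfa_registrations(
    events: List[Event], reset_window: timedelta = timedelta(hours=1)
) -> List[Tuple[str, str, List[str]]]:
    """Return (user, timestamp, reasons) for each MFA registration that is
    either close on the heels of a help-desk password reset or from an IP
    absent from that user's prior successful logins."""
    known_ips: Dict[str, Set[str]] = {}      # user -> IPs seen in earlier logins
    last_reset: Dict[str, datetime] = {}     # user -> most recent help-desk reset
    findings = []
    for e in events:
        if e.action == "login_success":
            known_ips.setdefault(e.user, set()).add(e.source_ip)
        elif e.action == "password_reset" and e.actor != e.user:
            # Only resets performed by someone other than the account owner
            # matter here; self-service resets are out of scope.
            last_reset[e.user] = e.ts
        elif e.action == "mfa_method_registered":
            reasons = []
            reset_ts = last_reset.get(e.user)
            if reset_ts is not None and e.ts - reset_ts <= reset_window:
                minutes = int((e.ts - reset_ts).total_seconds() // 60)
                reasons.append(f"registered {minutes} min after help-desk password reset")
            baseline = known_ips.get(e.user, set())
            # Accounts with no login baseline (new hires) need a separate
            # onboarding check, so the IP rule applies only when one exists.
            if baseline and e.source_ip not in baseline:
                reasons.append(f"source IP {e.source_ip} never seen in prior logins")
            if reasons:
                findings.append((e.user, e.ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in find_suspicious_mfa_registrations(parse_events(SAMPLE_LOG)):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

On the constructed sample this produces a single finding for j.doe with both reasons attached, and nothing for a.lee. The one-hour window and the "unseen IP" baseline are tuning knobs; a reset-then-register sequence is routine when the help desk is genuinely helping a locked-out user, so the value of the rule comes from pairing it with the out-of-band confirmation step the article recommends.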
As UNC3944 continues to adapt after law enforcement disruptions, potentially targeting US entities next after its UK retail campaign, GTIG stresses the urgency of proactive hardening, emphasizing visibility across identity and infrastructure as a foundational defense against this financially motivated adversary.