Nihon Cyber Defence

What Leaders Should Know About UNC3944

The Shift to Persistent Access and Real-Time Disruption in High-Risk Sectors

Manufacturing systems are increasingly targeted by attackers like UNC3944, where disruption doesn’t require breaching industrial controls, just access to the right screen.

Recent cyber attacks on UK retailers, including Marks & Spencer, Harrods, and the Co-op, have brought renewed attention to a threat group known as UNC3944 (also called Scattered Spider or Gold Harvest).

While these incidents appear focused on the retail sector, the tactics used by this group signal a wider risk. Leaders across critical infrastructure, financial services, and manufacturing should take note.

This is not traditional ransomware. It is persistent access, deep impersonation, and real-time disruption. It is a new kind of threat that puts operational continuity and trust at risk.

Ransomware But Worse

UNC3944 often deploys ransomware as a final payload, using software-as-a-service (SaaS) tools like DragonForce to evade endpoint detection and response (EDR) technologies before encrypting data, which makes the attacks hard to detect and stop.

What sets the group apart is how it breaches networks. It does not rely on traditional cyber tactics. It relies on social engineering on another level, using mobile phones and impersonation.

Once inside, they monitor internal communications and disrupt response efforts in real time. In the UK campaign, they reportedly used Microsoft Teams and email to track and interfere with real-time coordination.

This is not just data theft. It is active disruption.

Why This Threat Model Matters for Critical Sectors

UNC3944 have been publicly linked to major infrastructure or manufacturing attacks. However, the methods they use are well suited to silently compromise operational environments, especially in sectors with distributed identity systems, complex supply chains, and fragmented response models.

For Critical Infrastructure

Recovery depends on speed and coordination. If attackers have access to your communications, response efforts can be delayed or misdirected.

For Financial Services

Cloud-native identity platforms such as Microsoft 365 and Okta are already part of UNC3944’s toolkit. Financial institutions are highly exposed to this mode of intrusion.

For Manufacturing

Attackers do not need to touch industrial systems to create disruption. Interfering with planning or scheduling tools can halt production without triggering alarms.

Lessons from the UK Campaign

Even organisations with strong cyber programmes are struggling to contain this type of attack. What breaks down is not always the firewall. It is the response, especially when attackers have visibility into executive channels or are engaging with the media during an active breach.

In some cases, UNC3944 has contacted journalists directly with stolen data. This puts public trust, regulatory compliance, and executive credibility at risk before containment is complete.

How NCD Helps Clients Stay in Control

At Nihon Cyber Defence, we provide retained incident management services that address both the technical and operational risks posed by groups like UNC3944. This includes:

  • Secure communications channels set up before any incident
  • Live simulations tailored to identity-based compromise and persistent access scenarios
  • Coordinated support across five core areas: technical containment, business impact reduction, intelligence, regulatory response, and crisis communications
  • A single, senior-led response team that brings clarity, speed, and control to complex situations

The question is not whether your organisation will be targeted by UNC3944. It is whether you are prepared for attackers who are already inside your systems.

This group represents a growing class of threat actors that aim to disrupt operations, not just steal data, and these attacks cannot be addressed by technical response alone.

To maintain business continuity and preserve trust, organisations must prepare to manage the full incident, not just the breach.

Dougie Grant

Executive Director and Head of Global Incident Management @ Nihon Cyber Defence

With 30 years’ experience in law enforcement and the UK’s NCSC, Grant leads NCD’s global cyber incident management and response.
