- Threat Intelligence
- May 27, 2025
What Leaders Should Know About UNC3944
The Shift to Persistent Access and Real-Time Disruption in High-Risk Sectors

Recent cyber attacks on UK retailers, including Marks & Spencer, Harrods, and the Co-op, have brought renewed attention to a threat group known as UNC3944 (also called Scattered Spider or Gold Harvest).
While these incidents appear focused on the retail sector, the tactics used by this group signal a wider risk. Leaders across critical infrastructure, financial services, and manufacturing should take note.
This is not traditional ransomware. It is persistent access, deep impersonation, and real-time disruption. It is a new kind of threat that puts operational continuity and trust at risk.
Ransomware But Worse
UNC3944 often deploys ransomware as a final payload, sourced from ransomware-as-a-service (RaaS) operations such as DragonForce, and works to evade or disable endpoint detection and response (EDR) tooling before encryption begins, which makes that final stage hard to detect and stop.
What sets the group apart is how it gets in. The initial breach does not rely on traditional malware-led tactics but on social engineering of a different order: phone calls and impersonation, in documented cases posing as an employee to the IT help desk to obtain password and MFA resets.
Once inside, they monitor internal communications and disrupt response efforts in real time. In the UK campaign, they reportedly used Microsoft Teams and email to track and interfere with real-time coordination.
This is not just data theft. It is active disruption.
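As an added illustration, not part of the original post, the following is a detection check a security operations team could run over identity-provider audit logs for the chain the phone-based impersonation described above leaves behind: a help-desk-assisted password reset followed shortly by a new MFA method on the same account, and then actions such as a mailbox forwarding rule that give the intruder a view of internal communications. The log format, the field names, the `helpdesk.` actor prefix and the sample lines are all constructed assumptions of this example, not any vendor's real schema.

```python
"""Added example: correlate help-desk password resets with MFA enrolment.

The log format below is a constructed, simplified stand-in for an identity
provider's audit log (Entra ID, Okta); map the fields to your own provider's
schema before using the logic.
"""
from datetime import datetime, timedelta

# Constructed sample log. The 'helpdesk.' actor prefix and the action names
# are assumptions of this example.
SAMPLE_LOG = """\
2025-05-20T09:12:03Z actor=helpdesk.agent1 target=alice.smith action=password_reset detail=phone_request
2025-05-20T09:20:41Z actor=alice.smith target=alice.smith action=sign_in detail=ip=198.51.100.23
2025-05-20T09:22:10Z actor=alice.smith target=alice.smith action=mfa_method_added detail=authenticator_app
2025-05-20T09:25:55Z actor=alice.smith target=alice.smith action=mailbox_rule_created detail=forward_external
2025-05-20T10:02:00Z actor=bob.jones target=bob.jones action=password_reset detail=self_service
2025-05-20T10:05:30Z actor=bob.jones target=bob.jones action=mfa_method_added detail=authenticator_app
2025-05-21T14:00:00Z actor=helpdesk.agent2 target=carol.ng action=password_reset detail=phone_request
2025-05-21T18:30:00Z actor=carol.ng target=carol.ng action=mfa_method_added detail=sms
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            # Split on the first '=' only, so 'detail=ip=...' keeps its value.
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_hours=2.0):
    """Flag accounts where someone other than the user reset the password and
    a new MFA method was added to that account within the window.

    Self-service resets (actor == target) are excluded on purpose: the pattern
    of interest is a third party, such as a help-desk agent on a phone call,
    resetting credentials, which is exactly what a successful impersonation
    produces. Each finding lists every other action the account took inside
    the window so an analyst can see what the new credential was used for.
    """
    window = timedelta(hours=window_hours)
    findings = []
    for reset in events:
        if reset["action"] != "password_reset" or reset["actor"] == reset["target"]:
            continue
        user = reset["target"]
        end = reset["ts"] + window
        later = [e for e in events
                 if e["target"] == user and reset["ts"] < e["ts"] <= end]
        if any(e["action"] == "mfa_method_added" for e in later):
            findings.append({
                "user": user,
                "reset_by": reset["actor"],
                "reset_at": reset["ts"].isoformat(),
                "followups": [e["action"] for e in later],
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(f"{finding['user']}: password reset by {finding['reset_by']} "
              f"at {finding['reset_at']}, then {', '.join(finding['followups'])}")
```

On the constructed input only alice.smith is flagged: bob.jones performed a self-service reset, and carol.ng's MFA enrolment falls outside the two-hour window (widening `window_hours` to five picks her up too). The window is the tuning knob; legitimate help-desk resets followed by a prompt re-enrolment do occur, so the follow-up actions in the finding, in particular a new external forwarding rule, are what separate a real intrusion from a benign reset.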
Why This Threat Model Matters for Critical Sectors
UNC3944 has not, so far, been publicly linked to major infrastructure or manufacturing attacks. However, the methods it uses are well suited to silently compromising operational environments, especially in sectors with distributed identity systems, complex supply chains, and fragmented response models.
For Critical Infrastructure
Recovery depends on speed and coordination. If attackers have access to your communications, response efforts can be delayed or misdirected.
For Financial Services
Cloud identity platforms such as Microsoft 365 (Entra ID) and Okta are already established targets in UNC3944's playbook. Financial institutions are highly exposed to this mode of intrusion.
For Manufacturing
Attackers do not need to touch industrial systems to create disruption. Interfering with planning or scheduling tools can halt production without triggering alarms.
Lessons from the UK Campaign
Even organisations with strong cyber programmes are struggling to contain this type of attack. What breaks down is not always the firewall. It is the response, especially when attackers have visibility into executive channels or are engaging with the media during an active breach.
In some cases, UNC3944 has contacted journalists directly with stolen data. This puts public trust, regulatory compliance, and executive credibility at risk before containment is complete.
How NCD Helps Clients Stay in Control
At Nihon Cyber Defence, we provide retained incident management services that address both the technical and operational risks posed by groups like UNC3944. This includes:
- Secure communications channels set up before any incident
- Live simulations tailored to identity-based compromise and persistent access scenarios
- Coordinated support across five core areas: technical containment, business impact reduction, intelligence, regulatory response, and crisis communications
- A single, senior-led response team that brings clarity, speed, and control to complex situations
The question is not whether your organisation will be targeted by UNC3944. It is whether you are prepared for attackers who are already inside your systems.
This group represents a growing class of threat actors that aim to disrupt operations, not just steal data, and these attacks cannot be addressed by technical response alone.
To maintain business continuity and preserve trust, organisations must prepare to manage the full incident, not just the breach. Contact Us.

Executive Director and Head of Global Incident Management @ Nihon Cyber Defence
With 30 years’ experience in law enforcement and the UK’s NCSC, Grant leads NCD’s global cyber incident management and response.