Nihon Cyber Defence

What Leaders Should Know About UNC3944

The Shift to Persistent Access and Real-Time Disruption in High-Risk Sectors

Manufacturing systems are increasingly targeted by attackers like UNC3944, where disruption doesn’t require breaching industrial controls, just access to the right screen.

Recent cyber attacks on UK retailers, including Marks & Spencer, Harrods, and the Co-op, have brought renewed attention to a threat group known as UNC3944 (also called Scattered Spider or Gold Harvest).

While these incidents appear focused on the retail sector, the tactics used by this group signal a wider risk. Leaders across critical infrastructure, financial services, and manufacturing should take note.

This is not traditional ransomware. It is persistent access, deep impersonation, and real-time disruption. It is a new kind of threat that puts operational continuity and trust at risk.

Ransomware But Worse

UNC3944 often deploys ransomware as a final payload, using software-as-a-service (SaaS) tools like DragonForce to evade endpoint detection and response (EDR) technologies before encrypting data, which makes these attacks hard to detect and stop.

What sets the group apart is how it breaches networks. These are not traditional cyber tactics; it is social engineering on another level, using mobile phones and impersonation.

Once inside, they monitor internal communications and disrupt response efforts in real time. In the UK campaign, they reportedly used Microsoft Teams and email to track and interfere with real-time coordination.

This is not just data theft. It is active disruption.
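The paragraph above describes attackers reading the defenders' own Teams and email traffic during an incident. One practical check a response team can run against its identity-platform audit logs is to look for responder accounts being used from devices outside their normal baseline. The script below is an added illustration, not code from Nihon Cyber Defence; the record shape, field names, operation names, accounts and devices are simplified assumptions and all sample data is constructed.

```python
"""Triage check: responder accounts accessed from unknown devices.

Added illustration for the point above; not Nihon Cyber Defence code.
The record shape and field names are simplified assumptions, not a real
Microsoft 365 or Okta log schema. Every value below is constructed.
"""
from collections import defaultdict

# Hypothetical accounts that coordinate the incident response (assumption).
RESPONDER_ACCOUNTS = {"ir-lead@example.com", "ciso@example.com"}

# Operations that show someone reading response traffic (assumed names).
WATCHED_OPERATIONS = {"UserLoggedIn", "TeamsSessionStarted", "MailItemsAccessed"}

# Constructed baseline: the devices each responder normally uses.
KNOWN_DEVICES = {
    "ir-lead@example.com": {"dev-laptop-17"},
    "ciso@example.com": {"dev-laptop-03", "dev-phone-03"},
}

# Constructed sample events in the simplified shape used by this example.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T08:02:11Z", "user": "ir-lead@example.com",
     "op": "UserLoggedIn", "device": "dev-laptop-17", "ip": "203.0.113.10"},
    {"ts": "2025-05-01T08:05:40Z", "user": "ir-lead@example.com",
     "op": "TeamsSessionStarted", "device": "dev-unknown-a1", "ip": "198.51.100.77"},
    {"ts": "2025-05-01T08:06:02Z", "user": "ir-lead@example.com",
     "op": "MailItemsAccessed", "device": "dev-unknown-a1", "ip": "198.51.100.77"},
    {"ts": "2025-05-01T08:10:00Z", "user": "analyst@example.com",
     "op": "UserLoggedIn", "device": "dev-unknown-b2", "ip": "198.51.100.78"},
    {"ts": "2025-05-01T08:12:30Z", "user": "ciso@example.com",
     "op": "MailItemsAccessed", "device": "dev-phone-03", "ip": "203.0.113.22"},
    {"ts": "2025-05-01T08:15:05Z", "user": "ciso@example.com",
     "op": "UserLoggedIn", "device": "dev-unknown-c3", "ip": "198.51.100.79"},
]


def flag_unknown_device_access(events, responders=RESPONDER_ACCOUNTS,
                               known_devices=KNOWN_DEVICES,
                               watched=WATCHED_OPERATIONS):
    """Return events where a responder account performs a watched operation
    from a device that is not in that account's baseline."""
    findings = []
    for event in events:
        if event["user"] not in responders or event["op"] not in watched:
            continue
        baseline = known_devices.get(event["user"], set())
        if event["device"] not in baseline:
            findings.append(event)
    return findings


def summarize_by_device(findings):
    """Group flagged events by (user, device).

    An unknown device that both opens Teams and reads mail is scored high:
    that pattern matches an intruder following the response rather than a
    new laptop being enrolled. A bare sign-in is scored medium for triage."""
    groups = defaultdict(lambda: {"ips": set(), "ops": set(), "first_seen": None})
    for event in findings:
        group = groups[(event["user"], event["device"])]
        group["ips"].add(event["ip"])
        group["ops"].add(event["op"])
        if group["first_seen"] is None or event["ts"] < group["first_seen"]:
            group["first_seen"] = event["ts"]

    summary = []
    for (user, device), group in sorted(groups.items()):
        comms_ops = group["ops"] - {"UserLoggedIn"}
        severity = "high" if len(comms_ops) >= 2 else "medium"
        summary.append({
            "user": user,
            "device": device,
            "first_seen": group["first_seen"],
            "ips": sorted(group["ips"]),
            "operations": sorted(group["ops"]),
            "severity": severity,
        })
    return summary


if __name__ == "__main__":
    for row in summarize_by_device(flag_unknown_device_access(SAMPLE_EVENTS)):
        print(row)
```

A new device is a triage signal, not proof of compromise; the value comes from correlating it with the incident window and with a device baseline that was recorded before the incident. That baseline, like the rest of the response coordination, should live somewhere the attacker cannot read if they already hold a responder's cloud identity.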

Why This Threat Model Matters for Critical Sectors

UNC3944 has not yet been publicly linked to major infrastructure or manufacturing attacks. However, the methods it uses are well suited to silently compromising operational environments, especially in sectors with distributed identity systems, complex supply chains, and fragmented response models.

For Critical Infrastructure

Recovery depends on speed and coordination. If attackers have access to your communications, response efforts can be delayed or misdirected.

For Financial Services

Cloud-native identity platforms such as Microsoft 365 and Okta are already among the systems UNC3944 targets and abuses. Financial institutions, which depend heavily on these platforms, are highly exposed to this mode of intrusion.

For Manufacturing

Attackers do not need to touch industrial systems to create disruption. Interfering with planning or scheduling tools can halt production without triggering alarms.

Lessons from the UK Campaign

Even organisations with strong cyber programmes are struggling to contain this type of attack. What breaks down is not always the firewall. It is the response, especially when attackers have visibility into executive channels or are engaging with the media during an active breach.

In some cases, UNC3944 has contacted journalists directly with stolen data. This puts public trust, regulatory compliance, and executive credibility at risk before containment is complete.

How NCD Helps Clients Stay in Control

At Nihon Cyber Defence, we provide retained incident management services that address both the technical and operational risks posed by groups like UNC3944. This includes:

  • Secure communications channels set up before any incident
  • Live simulations tailored to identity-based compromise and persistent access scenarios
  • Coordinated support across five core areas: technical containment, business impact reduction, intelligence, regulatory response, and crisis communications
  • A single, senior-led response team that brings clarity, speed, and control to complex situations

The question is not whether your organisation will be targeted by UNC3944. It is whether you are prepared for attackers who are already inside your systems.

This group represents a growing class of threat actors that aim to disrupt operations, not just steal data, and these attacks cannot be addressed by technical response alone.

To maintain business continuity and preserve trust, organisations must prepare to manage the full incident, not just the breach. Contact Us.

Dougie Grant

Executive Director and Head of Global Incident Management @ Nihon Cyber Defence

With 30 years’ experience in law enforcement and the UK’s NCSC, Grant leads NCD’s global cyber incident management and response.

