News

Best of 2025: Huge Food Wholesaler Paralyzed by Hack — is it Scattered Spider Again?

  • Richi Jennings--securityboulevard.com
  • published date: 2026-01-02 00:00:00 UTC

<h5 style="text-align: center;"><strong><a href="#sbbwis"><img decoding="async" class="alignright size-full" title="Aritras Saha (Unsplash license)" src="https://securityboulevard.com/wp-content/uploads/2025/05/scattered-spider-richixbw-aritras-saha-5Hlo8_5ceYE-unsplash-130x90.png" alt="A spider from above" width="130" height="90"></a><a title="Warning to US Retail: ‘Scattered Spider’ Targets YOU (with DragonForce Ransomware)" href="https://securityboulevard.com/2025/05/scattered-spider-us-retail-google-richixbw/#sbbwis" target="_blank" rel="noopener">We were warned this would happen.</a> And now here  we  are.</strong></h5><p><strong>United Natural Foods (UNFI) has had to switch off systems after a cyberattack,</strong> crippling its operations. This is a <i>huge</i> deal, because UNFI is a big part of the grocery distribution network in the U.S. and Canada.<br><!--br--><br><strong>Once again, it looks like the work of UNC3944, a/k/a “Scattered Spider.”</strong> In today’s <a href="https://securityboulevard.com/tag/sb-blogwatch/" target="_blank" rel="noopener">SB  Blogwatch</a>, we hoard canned goods.<br><!--br--><br><a title="Richi Jennings" href="https://www.richi.uk/" target="_blank" rel="noopener">Your humble blog­watcher</a> curated these bloggy bits for your enter­tain­ment. 
Not to mention:  <i>Farewell, Skype sounds</i>.<br><!--br--></p><h5 style="text-align: center;"></h5><h2>UNFInished Business</h2><p id="sbbw1"><strong>What’s the craic?</strong> Sergiu Gatlan reports: <a title="read the full text" href="https://www.bleepingcomputer.com/news/security/grocery-wholesale-giant-united-natural-foods-hit-by-cyberattack/" target="_blank" rel="ugc noopener">Grocery wholesale giant United Natural Foods hit by cyberattack</a></p><p style="padding-left: 40px;"><strong>“<tt>Attacks linked to Scattered Spider</tt>”</strong><br>UNFI, North America’s largest publicly traded wholesale [food] distributor, was forced to shut down some systems following a recent cyberattack. … This disclosure follows widespread reports … since Thursday that the company’s systems were down and employees were having their shifts canceled.<br>…<br>The Rhode Island-based company operates 53 distribution centers and delivers fresh and frozen products to over 30,000 locations. [It] reported $31 billion in annual revenues in August 2024, works with more than 11,000 suppliers, and has over 28,000 employees.<br>…<br>UNFI has not yet revealed the nature of the attack or whether the attackers stole any data. … No ransomware operations have claimed responsibility for the breach. … Over the last months, attacks linked to Scattered Spider threat actors and the DragonForce ransomware operation have also targeted retailers across the United Kingdom (including Harrods) … and recently switched their attention to U.S. 
companies.<br><!-----------------------------------------------------------------------------></p><p id="sbbw2"><strong><em>Those</em> scrotes again?</strong> AJ Vicens and Raphael Satter have more: <a title="read the full text" href="https://www.reuters.com/business/whole-foods-supplier-united-natural-foods-says-cyber-incident-disrupted-2025-06-09/" target="_blank" rel="ugc noopener">Whole Foods supplier United Natural Foods says cyber incident disrupted operations</a></p><p style="padding-left: 40px;"><strong>“<tt>Whole Foods</tt>”</strong><br>In the past, disruptions that caused companies to take actions similar to those it described have often been linked to ransom­ware incidents, where extortion-minded cyber­criminals disable a firm’s computers by encrypting them, promising to release the decryption key only in exchange for massive crypto­currency payments. … Shares of United Natural fell more than 8% during Monday’s session and closed down by almost 7% at $25.94.<br>…<br>United Natural Foods is the largest publicly traded wholesale distri­butor of “healthier food options” in the U.S. and Canada, according to its website. In May 2024 the company announced an eight-year extension to serve as primary distributor for Amazon-owned Whole Foods. … A Whole Foods spokes­person [said] the company was “working to restock our shelves as quickly as possible.”<br><!-----------------------------------------------------------------------------></p><p id="sbbw3"><strong>Horse’s mouth?</strong> Thus spoke spokes Kristen Jimenez and Grace Turiano: <a title="read the full text" href="https://ir.unfi.com/news/press-release-details/2025/statement/default.aspx" target="_blank" rel="ugc noopener">UNFI Systems Update</a></p><p style="padding-left: 40px;"><strong>“<tt>Our highest priority</tt>”</strong><br>We have identified unauthorized activity in our systems and have proactively taken some systems offline while we investigate. 
As soon as we discovered the activity, an invest­i­ga­tion was initiated with the help of leading forensics experts.<br>…<br>We are assessing the unauthorized activity and working to restore our systems to safely bring them back online. As we work through this issue, our customers, suppliers, and associates are our highest priority. We are working closely with them to minimize disruption as much as possible.<br><!-----------------------------------------------------------------------------></p><p id="sbbw5"><strong>What’s happening on the ground?</strong> <a title="read the full text" href="https://www.reddit.com/r/wholefoods/comments/1l7594a/unfi_was_hacked/mwx66pc/" target="_blank" rel="ugc noopener">u/Prestigious_Peace761</a> claims to work there:</p><p style="padding-left: 40px;">[Supervisor] said they had cyber attack meeting last week and on Thursday last week we had fire drill then Friday it all went down from there. And last week there was a new update in the system they think it was a fake update that caused the attack.<br>…<br>We did the past 2 days on paper. I asked my supervisor before I left today; he said it will be same way tomorrow as well.<br><!-----------------------------------------------------------------------------></p><p id="sbbw4"><strong>Schadenfreude, anyone?</strong> <a title="read the full text" href="https://news.slashdot.org/comments.pl?sid=23713853&amp;cid=65438043" target="_blank" rel="ugc noopener">CEC-P</a> just laughs:</p><p style="padding-left: 40px;">Oh darn. I find this especially funny because:<br>1. grocery store IT systems are right up there with bowling alleys,<br>2. 
their competitor is one of our largest customers.<br></p><p id="sbbw7"><strong>What a shame for Jeff Bezos, though.</strong> <a title="read the full text" href="https://www.reddit.com/r/wholefoods/comments/1l7594a/unfi_was_hacked/mx03rqr/" target="_blank" rel="ugc noopener">u/Impossible-Tax1033</a> points out the real victims:</p><p style="padding-left: 40px;">Sadly it’s not just Bezos: UNFI supplies the [National Cooperative Grocers Association], which is a buying group of 500 small co-ops. So … it actually hurts the little guy much much more.<br></p><p id="sbbw6"><strong>How does this happen?</strong> <a title="read the full text" href="https://news.slashdot.org/comments.pl?sid=23713853&amp;cid=65437965" target="_blank" rel="ugc noopener">rsilvergun</a> counts the ways:</p><p style="padding-left: 40px;">All the market consolidation [means] a small disruption in a single company can completely **** up our entire food supply. Like how there are two factories making all of the baby formula in the entire freaking country. So we had a massive baby formula shortage when one of the two factories had to shut down because of rampant safety violations. … Enjoy your $800 a month grocery bill.<br></p><p id="sbbw9"><strong>The outsourcing of UNFI’s IT to low-wage economies hasn’t escaped people’s notice.</strong> People such as <a title="read the full text" href="https://www.reddit.com/r/wholefoods/comments/1l7594a/unfi_was_hacked/mwwdnow/" target="_blank" rel="ugc noopener">u/Fit-Remove-6597</a>, for example:</p><p style="padding-left: 40px;">Karma for laying off critical IT workers and offshoring them. 
Now they get to pay a third party 10x more to fix the issue.<br><!-----------------------------------------------------------------------------></p><p id="sbbw8"><strong>Buy cheap—buy twice?</strong> That seems to be <a title="read the full text" href="https://forums.theregister.com/forum/all/2025/06/09/united_natural_foods_cyber_incident/#c_5087444" target="_blank" rel="ugc noopener">MachDiamond</a>’s POV:</p><p style="padding-left: 40px;">One would hope this company has learned that computer security is cheaper than not being able to deliver and possibly losing some key accounts.<br><!-----------------------------------------------------------------------------></p><p id="sbbw12"><strong>Meanwhile,</strong> <a title="read the full text" href="https://news.slashdot.org/comments.pl?sid=23713853&amp;cid=65437905" target="_blank" rel="ugc noopener">YuppieScum</a> dreams of an alternate universe:</p><p style="padding-left: 40px;">Or, … if this were the headline, perhaps we’d see fewer of them: …<br><i>Insecure IT systems at Fortune 500 company cause loss of shareholder value. CIO/CTO fired and charges of criminal negligence pending.</i><br><!-----------------------------------------------------------------------------></p><p><b><a title="And Finally" href="https://www.youtube.com/watch?v=nD7lJcI8UWc&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" target="_blank" rel="noopener">Finally! 
Now it can be told.</a></b></p><p>Hat tip: <a href="https://b3ta.com/links/A_sound_that_one_day_will_be_forgotten_along_with_the_Nokia_ringtone" target="_blank" rel="noopener">simbosan</a></p><p><a href="https://www.youtube.com/watch?v=CxX92BBhHBw&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" target="_blank" rel="noopener">Previously in <em>And Finally</em></a></p><hr><p><em>You have been reading <i>SB Blogwatch</i> by <a href="https://www.richi.uk/" target="_blank" rel="noopener">Richi Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to <a href="https://twitter.com/richi" target="_blank" rel="ugc noopener">@RiCHi</a>, <a href="https://threads.net/@richij" target="_blank" rel="ugc noopener">@richij</a>, <a href="https://vmst.io/@richi" target="_blank" rel="ugc noopener">@<span class="__cf_email__" data-cfemail="0c7e656f64654c7a617f78226563">[email protected]</span></a>, <a href="https://bsky.app/profile/richi.bsky.social" target="_blank" rel="ugc noopener">@richi.bsky.social</a> or <a href="/cdn-cgi/l/email-protection#e695848491a6948f858e8fc88589c8938dd99593848c838592dbcb95848491cb"><span class="__cf_email__" data-cfemail="0c7f6e6e7b4c7e656f6465227967">[email protected]</span></a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 
30.</em></p><p>Image sauce: <a href="https://unsplash.com/photos/a-black-and-white-photo-of-a-spider-5Hlo8_5ceYE" target="_blank" rel="noopener" name="sbbwis">Aritras Saha</a> (via <a title="Some rights reserved" href="https://unsplash.com/license" target="_blank" rel="ugc noopener">Unsplash</a>; leveled and cropped)</p>