"We are looking at the group that is publicly known as Scattered Spider, but we've got a range of different hypotheses and we'll follow the evidence to get to the offenders," Paul Foster, head of the NCA's national cyber crime unit, said in a new BBC documentary.

"In light of all the damage that we're seeing, catching whoever is behind these attacks is our top priority," he added.

The wave of attacks, which began at Easter, have resulted in empty shelves in stores, the suspension of online ordering, and millions of people's private data being stolen.

The attacks have been carried out using DragonForce, a platform that gives criminals the tools to carry out ransomware attacks. However, the hackers pulling the strings have still not been identified and no arrests have been made.

Some cyber experts say the hackers display the traits of Scattered Spider, a loose community of often young individuals who organise across sites like Discord, Telegram and in forums, most likely located in the UK and US.

Although the NCA says it is exploring all parts of the cyber crime ecosystem, it too is looking in the same direction.

"We know that Scattered Spider are largely English-speaking but that doesn't necessarily mean that they're in the UK - we know that they communicate online amongst themselves in a range of different platforms and channels, which is, I guess, key to their ability to then be able to operate as a collective," Mr Foster said.

M&S has been hit with ransomware, which has scrambled the company's servers rendering computer systems useless. The high street giant is still struggling to keep shelves stocked and has halted online shopping for weeks. Hackers have also stolen customer and employee data from the company.

At Co-op, staff took systems offline to prevent a ransomware infection but a huge amount of customer and staff data was stolen and is being held to ransom. Operations at the firm's supermarkets, insurance offices and funeral services have been badly affected.

It is not known what is happening at Harrods but the company admitted it had to pull computer systems offline because of an attempted cyber attack.

When the hackers behind the M&S and Co-op attacks anonymously contacted the BBC last week, they declined to say whether or not they were Scattered Spider.

Cyber security researchers at CrowdStrike formed the name "Scattered Spider" because of the group's sporadic nature, but other cyber companies have given the cluster nicknames including Octo Tempest and Muddled Libra.

The group was also linked to high-profile attacks including on two US casinos in 2023 and Transport for London last year.

In November, the US charged five British and American men and boys in their twenties and teens for alleged Scattered Spider activity. One is 23-year-old Scottish man Tyler Buchanan, who has not made a plea, and the rest are US based.

NCA investigators will not say how the hackers have managed to breach victim organisations but earlier this month, the National Cyber Security Centre issued guidance to organisations urging them to review their IT help desk password reset processes.

"Calling up IT help desks is a tactic that Scattered Spider seems to favour and they use social engineering techniques to manipulate someone into doing something like clicking on a link or resetting someone's account to a password they can use," Lisa Forte from cyber security firm Red Goat said.

In the BBC documentary, a former teen hacker who was arrested nine years ago and now works in cyber security, said he was not surprised that teenagers could be behind the hacks.

"It wouldn't surprise me - quite [the] opposite. The tools are readily available and it's very easy to jump online and search straight away. You can feel a bit untouchable but for what end? You're gonna be arrested 99% of the time," he said.