M&S hack: attackers gained access via compromised third-party

Investigators believe that DragonForce, the group behind both the M&S and Co-op attacks, gained entry via a third party's systems.

M&S is still struggling to regain control of its operations following a cyberattack which took place more than a month ago. It has now emerged that the attackers gained access via a third party.

The attackers behind the month-long cyberattack on retailer M&S are believed to have gained access via a compromised third-party system, according to the BBC.

The attack has been ongoing for almost a month, since the normally busy Easter weekend. The first indication of a problem came when shoppers experienced difficulties making contactless card payments in store. M&S was forced to suspend online orders and had to take down many of its IT systems in a bid to contain the attack.

Whilst stock availability has improved since the first weeks, systems remain down. Analysts at Bank of America believe the company has lost more than £40 million in sales every week since the attack broke, but more details on the financial reckoning will emerge on Wednesday when the company is scheduled to publish its annual results.

Customer data is also believed to have been compromised, although the retailer says that payment card information and passwords were not taken. The high street retailer said that information including contact details, phone numbers, email addresses, order history and dates of birth could now be in the hands of the attackers.

The group believed to be behind the attack, DragonForce, specialises in ransomware. It’s not known whether the group demanded payment.

The attack group Scattered Spider had initially been connected with the attack, following a breach at M&S earlier this year in February. Cyber security firm CultureAI believes that DragonForce acquired the ransomware-as-a-service tools known to be used by Scattered Spider.

DragonForce is based in Malaysia and specialises in ransomware. It emerged in August 2023. It originally claimed to be a pro-Palestine hacktivist organisation but quickly widened its goals.

“The modern-day operation is focused on financial gain and extortion although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage,” according to cyber security firm SentinelOne.

“Initial access is via phishing emails and the exploitation of known vulnerabilities.

Cobalt Strike and other off-the-shelf tools are used for campaign management, as well as tools like mimikatz, Advanced IP Scanner, PingCastle, and a plethora of remote management tools to drill further into victim environments, ensuring both elevated privileges and persistence.

The group also heavily targets RDP services with credential stuffing attacks and VPN weaknesses to gain initial access into systems,” according to SentinelOne.

In particular, the group targets the following vulnerabilities:

Ransomware payloads are based on LockBit 3.0/Black.