The hackers responsible for cyberattacks on UK retailers Marks & Spencer and Co-op have spoken to the BBC — and US retailers may now be in their crosshairs.

Google’s cybersecurity division has warned that the same group appears to be turning its attention to American companies next.

“US retailers should take note. These actors are aggressive, creative, and particularly effective at circumventing mature security programs,” said John Hultquist, an analyst at Google’s cybersecurity arm.

He told Reuters the culprit is likely linked to Scattered Spider — a loose network of cybercriminals with a history of targeting one sector at a time.

Meanwhile, the BBC’s cybersecurity correspondent, Joe Tidy, revealed that he received a direct message from the group behind the UK attacks, who were especially angry with the Co-op for refusing to pay a ransom and quickly disconnecting its systems.

“They sent me this very long, angry rant because clearly the Co-op has decided not to negotiate with them, although I don’t know if that’s true,” Tidy told the Today programme (one hour and 24 minutes in) this morning.

“And in this letter, they gave me this nugget: Co-op’s network never suffered ransomware — they yanked their own plug, tanking sales, burning logistics and torching shareholder value.”

Unexpected cyberthreat in the bagging area

While the hackers framed the move as damaging, experts have praised the Co-op’s decision to shut down its systems to contain the attack.

“So, Co-op took the measure of disconnecting all its systems as soon as it saw the attacks taking place. While hackers think this is a bad thing, speaking to the experts, this is a good move because what this prevented was the next level of the attack — which was perhaps what we are seeing in Marks & Spencer — which is that ransomware is deployed, scrambles the network and makes it unusable,” Tidy said.

Joe Tidy, BBC cyber correspondent on Co-op hack

This may explain the differing impacts between the two companies. While the Co-op claims it took a “proactive” approach to the incident, Marks & Spencer is thought to have suffered deeper disruption.

On the flip side, a visit by TechInformed to several M&S and Co-op stores in London found the shelves of M&S well stocked, while Co-op’s are still practically bare, suggesting that ‘pulling the plug’ to prevent a cyber-attack also has its consequences.

Teenage kicks?

The hackers are believed to be using a cybercrime service called Dragon Force to conduct their extortion campaigns.

Tidy told Today that cybersecurity analysts suspect the attackers he spoke with were part of Scattered Spider due to the tactics the group uses, although he says he hasn’t been told that directly.

“They are very young, and we know this because of previous arrests of people 17 years old and younger who are part of this group,” Tidy said.

“I haven’t been told directly that it’s this group, but others have. The tactics, techniques and procedures (TTPs) they use — the software, the methods — they all point to this group of hackers.”

Google’s warning suggests that this group may now be shifting its focus to US retailers, using the same methods seen in the UK. Hultquist said the group is likely to keep targeting the retail sector for some time.
