CyberSecurity news

FlagThis - #cyberattack

Dissent@DataBreaches.Net //
Pearson, the global education and publishing giant, has confirmed it suffered a cyberattack resulting in the theft of corporate data and customer information. The breach was discovered by BleepingComputer, who reported that the attackers gained unauthorized access to Pearson's systems. Pearson, a UK-based company, is a major player in academic publishing, digital learning tools, and standardized assessments, serving schools, universities, and individuals across over 70 countries.

Pearson stated that after discovering the unauthorized access, they acted to stop the breach, investigate the incident, and ascertain what data was affected with forensics experts. They also supported law enforcements investigation. Furthermore, Pearson said they've taken steps to deploy additional security measures onto their systems, including enhanced security monitoring and authentication. BleepingComputer was tipped off that someone used an exposed GitLab Personal Access token to compromise Pearson’s development environment in January 2025. The token was found in a public .git/config file, with the attackers using this access to find even more login credentials, hardcoded in the source code, which they then used to infiltrate the company’s network and steal corporate and customer information.

The company downplayed the significance of the breach, suggesting the stolen data was largely outdated, referring to it as "legacy data." Pearson has not disclosed the number of individuals affected, nor the specific types of information exposed. There was no employee information among the stolen files, it was confirmed.

Recommended read:
References :
  • DataBreaches.Net: Lawrence Abrams reports: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • BleepingComputer: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • www.techradar.com: Another case of exposed Git configuration files leading up to a larger compromise, this time against education giant Pearson.
  • malware.news: Cyberattack compromises Pearson data

Dissent@DataBreaches.Net //
References: Davey Winder , DataBreaches.Net , bsky.app ...
Hackers claiming affiliation with Anonymous have targeted GlobalX Airlines, an airline reportedly used by the Trump administration for deportations to El Salvador. The hacktivists defaced the airline's website, leaving a message aimed at former President Trump. They also claimed to have stolen sensitive data, including flight records and passenger manifests, potentially exposing details about deportees. The attackers asserted that they were acting because GlobalX was ignoring lawful orders against what they called "fascist plans."

The leaked data, as reported by 404 Media, provides granular insight into who was deported on GlobalX flights, when, and to where. The breached information includes flight logs, passenger lists, and itinerary details spanning from January to May 2025. Concerns have been raised about the potential impact on individuals deported, especially those whose whereabouts were previously unknown, with at least one case showing the hacked data held more accurate records than official government lists.

The hack exposed vulnerabilities in GlobalX's cybersecurity, as the hackers claim to have accessed the company's AWS cloud infrastructure and GitHub account through a developer token. They also claimed to have sent messages to pilots through a flight operations tool. As of this report, neither GlobalX nor the U.S. immigration authorities have issued an official response to the security breach.

Recommended read:
References :
  • Davey Winder: Anonymous Hacks Airline Used In Trump El Salvador Deportations
  • DataBreaches.Net: GlobalX, Airline for Trump’s Deportations, Hacked
  • techcrunch.com: GlobalX, airline used for Trump deportations, gets hacked: Report
  • bsky.app: Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for "Donnie" Trump
  • www.404media.co: Man ‘Disappeared’ by ICE Was on El Salvador Flight Manifest, Hacked Data Shows
  • www.bitdefender.com: Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for “Donnie†Trump

Mayura Kathir@gbhackers.com //
Scattered Spider, a sophisticated hacking collective known for its social engineering tactics, has allegedly breached Marks & Spencer by targeting the company's IT help desk. The cybercriminals reportedly duped an IT help desk employee into resetting a password, which then granted them access to internal networks. This breach is said to have disrupted M&S's online operations, leading to the temporary suspension of online orders, as reported between April and May 2025. Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, has become prominent for using social engineering to exploit corporate service desks.

This attack on Marks & Spencer is part of a broader trend impacting UK retailers. The National Cyber Security Centre (NCSC) has issued warnings to organizations, urging them to be wary of phony IT helpdesk calls. Other retailers such as Co-op and Harrods have also been linked to attacks resulting in stolen member data and crippled payment systems. Any organization with a service desk is theoretically vulnerable to these low-tech, high-impact tactics employed by Scattered Spider and similar groups.

Scattered Spider is believed to be composed of young US and UK citizens who are part of a collective known as "The Comm," an underground community of English-speaking criminals that communicates and coordinates using social media platforms like Discord or Telegram. While five users associated with Scattered Spider, including the alleged leader, were detained in the first half of 2024, the complete composition of the group remains undetermined. After a period of relative silence following these arrests, Scattered Spider has resurfaced with this latest string of attacks on UK retail brands, prompting renewed cybersecurity concerns.

Recommended read:
References :
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • specopssoft.com: Scattered Spider service desk attacks: How to defend your organization
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • Malware ? Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • www.cysecurity.news: M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • gbhackers.com: Cyberattackers Targeting IT Help Desks for Initial Breach
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
  • Malware ? Graham Cluley: Smashing Security podcast #416: High street hacks, and Disney’s Wingdings woe

Jacob Santos@feeds.trendmicro.com //
The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.

The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is enhanced by the utilization of JIT hooking techniques, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts.

Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide.

Recommended read:
References :
  • Virus Bulletin: Trend Micro researchers discovered that the Agenda ransomware group added SmokeLoader & NETXLOADER to its recent campaigns. Targets include healthcare, technology, financial services & telecommunications sectors in the US, the Netherlands, Brazil, India & the Philippines.
  • securityonline.info: Agenda Ransomware Evolves with NETXLOADER and SmokeLoader in Global Campaigns
  • www.trendmicro.com: Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • cyble.com: Cyble stated that Qilin gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April.
  • redpiranha.net: Red Piranha stated that the threat group Qilin has been active for over one year or for multiple years and Qilin also Tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.
  • MeatMutts: Qilin Ransomware Gang Targets Hamilton County Sheriff's Office

Dissent@DataBreaches.Net //
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.

The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure.

Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.

Recommended read:
References :
  • DataBreaches.Net: CoinPedia reports: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” That’s the message left behind after hackers gave LockBit – a ransomware gang known for extorting millions. Yes, they just got a brutal taste of their own medicine.
  • Metacurity: All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit ransomware gang hacked, victim negotiations exposed
  • Searchlight Cyber: Searchlight’s threat intelligence team shares their early observations from the LockBit data leak On May 7 2025 it was reported that the dark web affiliate panel of the Ransomware-as-a-Service (RaaS) group LockBit has been hijacked.
  • www.bitdegree.org: LockBit Hacked: 60,000 Bitcoin Addresses and 4,400 Ransom Chats Go Public
  • BleepingComputer: The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
  • hackread.com: LockBit’s dark web domains were hacked, exposing internal data, affiliate tools, and over 60,000 Bitcoin wallets in a…
  • Davey Winder: 60,000 Bitcoin Wallets Leaked As LockBit Ransomware Hackers Get Hacked
  • www.it-daily.net: LockBit hacker group was hacked
  • socradar.io: LockBit Hacked: 60,000 Bitcoin Addresses Leaked
  • securityaffairs.com: The LockBit ransomware site was breached, database dump was leaked online
  • slcyber.io: Early Analysis of the LockBit Data Leak
  • hackread.com: LockBit’s Dark Web Domains Hacked, Internal Data and Wallets Leaked
  • The DefendOps Diaries: LockBit Ransomware Gang Hacked: Internal Operations Exposed
  • www.scworld.com: Data breach exposes LockBit ransomware gang
  • www.itpro.com: LockBit ransomware group falls victim to hackers itself
  • Help Net Security: LockBit Hacked: What does the leaked data show?
  • Talkback Resources: Valuable information leaked from LockBit ransomware operation's administration panel, revealing details on affiliates, ransom negotiations, and potential infighting within the cybercriminal community.
  • ComputerWeekly.com: reports analysis of the LockBit 3.0 data leak
  • Tech Monitor: Ransomware group LockBit faces breach, affiliate data exposed
  • Graham Cluley: LockBit ransomware gang breached, secrets exposed
  • cybersecuritynews.com: The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations.
  • bsky.app: LockBit Ransomware Gang Breached, Secrets Exposed

Dissent@DataBreaches.Net //
In December 2024, PowerSchool, a major provider of K-12 software serving 60 million students across North America, experienced a significant data breach. Hackers gained access to sensitive student and teacher data, including personally identifiable information such as Social Security numbers and health data, through a single stolen credential. The company, believing it was the best course of action, paid an undisclosed ransom to the threat actor to prevent the data from being made public, however this has proven to be unsuccessful.

Months later, it has been revealed that the threat actors are now directly targeting individual school districts with extortion demands, using the stolen data from the initial breach. The Toronto District School Board (TDSB), along with other schools in North America, has confirmed receiving ransom demands from the attackers. The exposed information includes names, contact details, birth dates, Social Security numbers, and even some medical alert data. PowerSchool has confirmed that these extortion attempts are related to the original breach and is working with law enforcement.

Cybersecurity experts have warned against paying ransoms, as there is no guarantee that hackers will delete the stolen data. This case exemplifies the risk of paying extortion demands, as the threat actors have resurfaced to revictimize affected individuals and institutions with additional demands. PowerSchool is offering two years of free identity protection to affected individuals, however there will be pressure for them to improve its security and reassure stakeholders that it can prevent similar incidents in the future.

Recommended read:
References :
  • bsky.app: The hacker behind PowerSchool's December breach is now extorting schools, threatening to release stolen student and teacher data.
  • Threats | CyberScoop: The large education tech vendor was hit by a cyberattack and paid a ransom in December. Now, a threat actor is attempting to extort the company’s customers with stolen data.
  • The Register - Security: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied
  • The DefendOps Diaries: Report discussing the PowerSchool data breach and its implications.
  • BleepingComputer: PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. [...]
  • www.bleepingcomputer.com: BleepingComputer reports on PowerSchool hacker extorting school districts.
  • cyberscoop.com: PowerSchool customers hit by downstream extortion threats
  • BleepingComputer: PowerSchool hacker now extorting individual school districts
  • malware.news: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (2)
  • DataBreaches.Net: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • PCMag UK security: UK PCMag covers PowerSchool attackers extorting teachers.
  • go.theregister.com: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied Now individual school districts extorted by fiends
  • Metacurity: PowerSchool hackers are extorting schools despite the company's ransom payment
  • techcrunch.com: TechCrunch article on PowerSchool being hacked.
  • hackread.com: PowerSchool Paid Ransom, Now Hackers Target Teachers for More
  • ExpressVPN Blog: Teachers report that bad actors are now targeting them with threatening emails demanding payment following a massive 2024 breach affecting schools across the US and Canada. One of the largest hacks of US schools continues as teachers across the country say that threat actors are extorting them for more money and threatening to release the data.
  • www.metacurity.com: PowerSchool hackers are extorting schools despite the company's ransom payment
  • thecyberexpress.com: Toronto School Board Hit with Extortion Demand After PowerSchool Data Breach
  • Blog: PowerSchool clients now targeted directly by threat actor
  • cyberinsider.com: PowerSchool Ransom Fallout: Extortion Attempts Hit Schools Months After Data Breach
  • www.techradar.com: PowerSchool hackers return, and may not have deleted stolen data as promised
  • malware.news: Double-extortion tactics used in PowerSchool ransomware attack
  • CyberInsider: Months after paying a ransom to suppress the fallout of a major data breach, PowerSchool is facing renewed turmoil as threat actors have begun extorting individual school districts using the same stolen data.
  • Matthew Rosenquist: More extortions, same - a perfect example of how not to deal with risks. The nightmare continues for schools, students, and teachers who's private data was exposed by PowerSchool.
  • matthewrosenquist.substack.com: PowerSchool data breach round 2 extortions
  • aboutdfir.com: Reports an education tech provider paid thieves to delete stolen student, teacher data.
  • MeatMutts: The educational sector has been rocked by a significant data breach involving PowerSchool, a leading education technology provider serving over 60 million students globally.

@cyble.com //
References: arcticwolf.com , cyble.com , www.itpro.com ...
Recent cyberattacks have targeted major UK retailers, prompting a call for increased vigilance and stronger defenses from the National Cyber Security Centre (NCSC). High-profile organizations such as Harrods, Marks & Spencer (M&S), and Co-op have been affected, causing significant operational disruptions. These attacks have led to restricted internet access, pauses in online order processing, and in some instances, potential data extraction, highlighting the severity and broad impact of these cyber incidents on the retail sector.

The NCSC has issued an urgent warning to UK firms, emphasizing the escalating risk of ransomware attacks, particularly within the retail industry. The agency anticipates a potential increase in similar attacks in the coming days. In response, the NCSC has released a comprehensive set of guidelines designed to assist businesses in bolstering their defenses against these threats and minimizing potential financial losses. This includes reviewing password reset policies, being cautious of senior employees with escalated priviledges such as Domain Admin, Enterprise Admin and Cloud Admin accounts.

The NCSC's guidelines emphasize proactive measures such as isolating and containing threats quickly by severing internet connectivity to prevent malware spread and ensuring backup servers remain unaffected. It also highlights leveraging backup systems for recovery and implementing multi-factor authentication (MFA) across the board. The NCSC advises businesses to constantly be on the look out for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. Furthermore, the agency urges organizations to assess their cyber resilience and adopt best practices for both prevention and recovery to mitigate future attacks.

Recommended read:
References :

Pierluigi Paganini@securityaffairs.com //
The Hive0117 group, linked to DarkWatchman, is reportedly targeting Russian critical infrastructure in a broad cyber campaign. According to F6 Threat Intelligence, the group is conducting a large-scale phishing campaign aimed at Russian companies across various industries, including media, tourism, finance, insurance, manufacturing, retail, energy, telecommunications, transport, and biotechnology. The attacks, which have been ongoing since February 2022, involve mass mailings disguised as legitimate organizations, using registered infrastructure for managing domains and often reusing domains.

The malicious emails contain password-protected archives which, when opened, trigger a chain reaction leading to system infection by a modified version of the DarkWatchman VPO. This variant is designed to operate stealthily and evade detection by traditional security tools. Analysis reveals that the domains used in these attacks share registration data with domains previously used by the group in 2023, indicating a persistent and evolving threat. The DarkWatchman malware itself is a JavaScript-based remote access trojan capable of keylogging, collecting system information, and deploying secondary payloads.

The financially motivated Hive0117 group has previously targeted users in Lithuania, Estonia, and Russia in sectors like telecom, electronics, and industry. Past campaigns have also used courier delivery-themed lures to target Russian banks, retailers, telecom operators, agro-industrial enterprises, fuel and energy companies, logistics businesses, and IT firms. The DarkWatchman malware's fileless nature, use of JavaScript and a C#-based keylogger, and ability to remove traces of its existence highlight its sophisticated capabilities, posing a significant risk to targeted organizations.

Recommended read:
References :
  • industrialcyber.co: DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign
  • securityaffairs.com: Hive0117 group targets Russian firms with new variant of DarkWatchman malware
  • Industrial Cyber: DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign
  • bsky.app: DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign
  • Cyber Security News: DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign

Lawrence Abrams@BleepingComputer //
Ryan Kramer, a 25-year-old from California, has pleaded guilty to two criminal charges related to a significant data breach at Disney. Kramer, operating under the alias "NullBulge," admitted to illegally accessing Disney's internal Slack channels and stealing over 1.1 terabytes of confidential data. The stolen data included internal communications, sensitive information, images, source code, and credentials. The breach led Disney to switch from Slack to Microsoft Teams following the incident, which impacted over 10,000 Slack channels.

He distributed a malicious program, disguised as an AI-powered image generation tool, on platforms like GitHub. This program contained a backdoor that allowed him to access the computers of those who downloaded and executed it. According to prosecutors, a Disney employee fell victim to this poisoned project between April and May of 2024, inadvertently granting Kramer access to their network and online credentials. This initial breach then allowed Kramer to move laterally within Disney's systems, compromising various platforms and confidential data storage areas.

Armed with the stolen data, Kramer, falsely claiming affiliation with the Russian hacking group NullBulge, attempted to extort the victim. When the victim did not respond, Kramer proceeded to release their personal information, including bank, medical, and other sensitive details, across multiple platforms. While Kramer awaits sentencing, he faces a maximum of five years in federal prison for each felony count of accessing a computer to obtain information and threatening to damage a protected computer. The FBI is also investigating the extent to which data from at least two other victims who downloaded Kramer's malicious GitHub project may have been compromised.

Recommended read:
References :
  • bsky.app: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • cyberinsider.com: A 25-year-old Santa Clarita man has agreed to plead guilty to hacking a Disney employee's personal computer, stealing login credentials, and exfiltrating 1.1 terabytes of confidential data from internal Slack channels used by the entertainment giant.
  • The DefendOps Diaries: Explore lessons from Disney's Slack breach, highlighting corporate cybersecurity vulnerabilities and strategies for protection.
  • BleepingComputer: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • www.scworld.com: California man admits to Disney cyberattack
  • The Register - Security: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
  • www.scworld.com: Hacker pleads guilty to orchestrating Disney data heist
  • www.techradar.com: Hacker pleads guilty to illegally accessing Disney Slack channels and stealing huge tranche of data
  • The Register: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware A 25-year-old California man pleaded guilty to stealing and dumping 1.1TB of data from the House of Mouse When someone stole more than a terabyte of data from Disney last year, it was believed to be the work of Russian hacktivists protesting for artist rights. We now know it was actually a 25-year-old Calif…
  • go.theregister.com: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
  • gbhackers.com: GBHackers Article: Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data
  • Talkback Resources: Disney Slack hacker was Californian, not Russian: DoJ
  • DataBreaches.Net: Disney Hacker Who Accessed 1.1 Terabytes of Data Pleads Guilty
  • CyberInsider: Disney Hacker Admits Using Malware-Laced AI Art App to Achieve Breach
  • securityonline.info: California Man to Plead Guilty in Hack of Disney Employee, Theft of 1.1TB of Confidential Slack Data

@cyble.com //
UK retailers have been targeted by a series of cyberattacks, prompting a national alert from the National Cyber Security Centre (NCSC). These attacks involved ransomware tactics and social engineering, leading to system disruptions and data breaches at several high-profile retail chains. The NCSC has issued a wake-up call to organizations, urging them to bolster their cybersecurity posture amid the growing threats. Attackers have also been impersonating IT helpdesks, tricking employees into handing over login credentials and security codes to gain access to company systems.

Marks & Spencer, Co-op, and Harrods have all been targeted recently, with DragonForce, an infamous ransomware group, claiming responsibility for the disruptions. The initial breach occurred at M&S, followed by an attempted hack at Harrods just days after the Co-op breach. Co-op revealed that its recent breach was more serious than initially reported, with a significant amount of data from current and former customers stolen. Attackers stole names and contact information in the Co-op breach but did not access passwords, payment data, or transaction histories. M&S has suspended online orders and is working to restore affected systems.

Mandiant has linked the DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub. UNC3944, also known as Scattered Spider, is a financially motivated threat actor known for its persistent use of social engineering and bold interactions with victims. DragonForce operates under a ransomware-as-a-service (RaaS) model, where affiliates carry out the attacks, keeping most of the ransom, while the group provides the tools and hosts leak sites. The NCSC warns organizations to remain vigilant, with DragonForce hinting at more attacks in the near future.

Recommended read:
References :
  • www.sentinelone.com: DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
  • BleepingComputer: Co-op confirms data theft after DragonForce ransomware claims attack
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • DataBreaches.Net: Co-op hackers boast of ‘stealing 20 million customers’ data’ – as retailer admits impacts of ‘significant’ attack
  • www.bbc.co.uk: BBC News reports on the Co-op cyberattack, confirming the theft of a 'significant' amount of data by the DragonForce hackers.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
  • CyberInsider: Co-op has officially confirmed that hackers accessed and exfiltrated member data in a recent cyberattack, marking a significant escalation in a wave of coordinated intrusions targeting UK retail giants.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • industrialcyber.co: Mandiant links DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub
  • phishingtackle.com: Rise In Cyberattacks On UK Retailers Sparks National Alert
  • www.cysecurity.news: UK Retail Sector Hit by String of Cyberattacks, NCSC Warns of Wake-Up Call

@cyble.com //
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.

The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.

To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • Malware ? Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • Phishing Tackle: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.

securebulletin.com@Secure Bulletin //
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.

A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses.

The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services.

Recommended read:
References :
  • securityonline.info: Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
  • BleepingComputer: Malicious PyPI packages abuse Gmail, websockets to hijack systems
  • bsky.app: Seven malicious PyPi packages were found using Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution.
  • bsky.app: Socket Security has spotted seven malicious PyPI packages that use Gmail SMTP servers as tunnels to infected systems
  • socket.dev: Packages use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
  • securityonline.info: Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
  • Cyber Security News: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
  • gbhackers.com: Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands
  • Virus Bulletin: Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. These seven packages: use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
  • gbhackers.com: Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands
  • cyberpress.org: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
  • socket.dev: Using Trusted Protocols Against You: Gmail as a C2 Mechanism
  • Secure Bulletin: In the ever-evolving landscape of cybersecurity, attackers are increasingly exploiting trusted services to establish covert command-and-control (C2) channels.
  • securebulletin.com: Hijacking Trust: how Gmail and Google APIs are being weaponized for stealthy C2 channels
  • bsky.app: Socket Security has spotted seven malicious PyPI packages that use Gmail SMTP servers as tunnels to infected systems
  • Davey Winder: Gmail Warning As Data-Stealing Hacker Tunnel Confirmed
  • Cyber Security News: 7 Malicious PyPI Packages Abuse Gmail’s SMTP Protocol to Execute Malicious Commands

@industrialcyber.co //
Nova Scotia Power and its parent company, Emera Inc., are actively responding to a cybersecurity incident that has impacted their Canadian IT network. The companies detected unauthorized access to parts of their network and servers which support certain business applications. Immediately upon discovering the intrusion, both companies activated their incident response and business continuity protocols. Top-tier third-party cybersecurity experts have been engaged to assist in isolating the affected systems and preventing any further unauthorized access.

Law enforcement agencies have been notified and an investigation is currently underway. Despite the breach, Emera and Nova Scotia Power stated that there has been no disruption to any of their Canadian physical operations. This includes Nova Scotia Power's generation, transmission, and distribution facilities, as well as the Maritime Link and the Brunswick Pipeline. The incident has not affected the utility's ability to safely and reliably serve its customers in Nova Scotia, nor has it impacted Emera's utilities in the U.S. or the Caribbean.

The IT team is working diligently with cybersecurity experts to restore the affected portions of the IT system back online. Nova Scotia Power customers can find the latest updates online. Emera is scheduled to publish its first quarter financial statements and management disclosure on May 8, 2025, as planned. Currently, the incident is not expected to have a material impact on the financial performance of the business.

Recommended read:
References :
  • industrialcyber.co: Emera, Nova Scotia Power respond to cybersecurity breach; incident response teams mobilized
  • securityaffairs.com: Canadian electric utility Nova Scotia Power and parent company Emera suffered a cyberattack
  • cyberinsider.com: Nova Scotia Power Says Cybersecurity Incident Impacting IT Systems
  • www.scworld.com: Cyberattack impacts Nova Scotia Power's systems
  • www.cybersecurity-insiders.com: Canadian electric utility Nova Scotia Power and parent company Emera are facing a cyberattack that disrupted their IT systems and networks.

Swagath Bandhakavi@Tech Monitor //
France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," highlighting the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and even a sports organization involved in preparations for the 2024 Olympic Games which was hosted in France.

France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm.

France, alongside its partners, is determined to anticipate, deter, and respond to Russia’s malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28's disruptive activities targeting French interests. The French national agency for information systems security (ANSSI) has released a report on the threat linked to APT28 in order to prevent future attacks.

Recommended read:
References :
  • therecord.media: In a rare public attribution, the French foreign ministry said it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • BleepingComputer: Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
  • www.diplomatie.gouv.fr: Government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU
  • The Record: Mastodon post referencing the French foreign ministry statement that it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • The DefendOps Diaries: The article is about unmasking APT28: The Sophisticated Threat to French Cybersecurity
  • bsky.app: Russian military intelligence cyber operations targeting French entities
  • www.techradar.com: France accuses Russian GRU hackers of targeting French organizations
  • securityaffairs.com: France links Russian APT28 to attacks on dozen French entities
  • Metacurity: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
  • www.metacurity.com: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Tech Monitor: France links Russian military-backed hackers APT28 to multiple cyber intrusions
  • hackread.com: France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.
  • Risky Business Media: Risky Bulletin: French government grows spine, calls out Russian hacks
  • bsky.app: Russian military intelligence cyber operations targeting French entities. Primarily includes governmental, diplomatic, and research entities, as well as think-tanks.
  • www.scworld.com: French authorities have condemned a long-term cyber-espionage campaign by a Russian military intelligence group, APT28, targeting various French institutions.
  • Andrew ? Brandt ?: The government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU ( ), and condemns them, officially, in a statement posted to their website.
  • www.csoonline.com: France has publicly accused Russias GRU military intelligence agency, specifically its APT28 unit, of orchestrating a sustained cyber campaign targeting French institutions to undermine national stability, Reuters reports.
  • Industrial Cyber: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
  • industrialcyber.co: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked... The post appeared first on .
  • hackread.com: From TV5Monde to Critical Infrastructure: France Blames Russia’s APT28 for Persistent Cyberattacks
  • securityonline.info: APT28 Cyber Espionage Campaign Targets French Institutions Since 2021