CyberSecurity news

FlagThis - #dragonforce

@www.bleepingcomputer.com //
DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.

The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches.

The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.

Recommended read:
References :
  • Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
  • bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • securityaffairs.com: Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider. SimpleHelp is a remote support and access software designed for IT professionals and support teams. It provides a streamlined way for IT teams to manage and monitor remote systems, making it a valuable tool for MSPs. However, the vulnerabilities exploited by DragonForce highlight the importance of keeping RMM software patched and up to date, as these tools can become attack vectors for ransomware and other threats.
  • www.bleepingcomputer.com: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • BleepingComputer: DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • The Register - Security: Updated DragonForce ransomware infected a managed service provider, and its customers, after attackers exploited security flaws in remote monitoring and management tool SimpleHelp.…
  • www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • Help Net Security: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
  • ciso2ciso.com: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware – Source: go.theregister.com
  • Anonymous ???????? :af:: The ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data
  • MicroScope: Sophos warns MSPs over DragonForce threat
  • Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
  • MSSP feed for Latest: The bad actors exploited flaws in SimpleHelp's software to compromise the MSP and attack clients.
  • thehackernews.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
  • Tech Monitor: DragonForce exploits SimpleHelp in MSP breach
  • www.bleepingcomputer.com: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
  • Security Risk Advisors: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP

Dhara Shrivastava@cysecurity.news //
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.

The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise.

In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information.

Recommended read:
References :
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?

Dhara Shrivastava@cysecurity.news //
British retailer giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with potential profit losses estimated at £300 million, equivalent to $402 million. The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S anticipates these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.

The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation.

M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item.

Recommended read:
References :
  • The Register - Security: Marks & Spencer warns of a £300M dent in profits from cyberattack
  • The DefendOps Diaries: Marks & Spencer Faces Major Financial Impact from Cyberattack
  • BleepingComputer: Marks & Spencer faces $402 million profit hit after cyberattack
  • ComputerWeekly.com: M&S cyber attack disruption likely to last until July
  • BleepingComputer: British retailer giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million £300 million ($402 million) following a recent cyberattack that led to widespread operational and sales disruptions.
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • The Hacker News: Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • techxplore.com: Cyberattack costs UK retailer Marks & Spencer £300 mn
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • www.bleepingcomputer.com: Marks & Spencer faces $402 million profit hit after cyberattack
  • socprime.com: A joint advisory from cybersecurity and intelligence agencies across North America, Europe, and Australia confirms a two-year-long cyberespionage campaign by russian GRU Unit 26165 (APT28, Forest Blizzard, Fancy Bear).
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.

Sergiu Gatlan@BleepingComputer //
Google's Threat Intelligence Group has issued a warning that the cyber collective known as Scattered Spider is now actively targeting US retailers after causing significant disruption to UK retailers like Marks & Spencer, Co-op, and Harrods. This group, also known as UNC3944, employs advanced cyber tactics including social engineering attacks like phishing, SIM swapping, and multi-factor authentication (MFA) bombing to infiltrate organizations. These methods allow the attackers to gain unauthorized access to sensitive systems and data. Experts are urging US retailers to take immediate note of Scattered Spider's tactics.

The shift in focus from UK to US retailers signals a strategic move by Scattered Spider, driven by the potential for higher financial gains and the opportunity to exploit vulnerabilities in the US retail sector’s cybersecurity infrastructure. The group's evolving tactics include new phishing kits and malware, such as the Spectre RAT, used to gain persistent access to compromised systems and exfiltrate sensitive data. Scattered Spider is believed to be composed mainly of young, English-speaking individuals based in the UK and US, and has reportedly executed over 100 cyberattacks.

Marks & Spencer has already experienced prolonged disruption following a large-scale cyberattack, highlighting the potential impact on US retailers. Customer data was stolen in the M&S cyberattack, forcing password resets and hampering online services. The stolen data included names, dates of birth, home addresses, and telephone numbers. While usable payment or card details were not compromised, the incident underscores the significant risk Scattered Spider poses to the digital infrastructures of US retailers, and experts warn that restoring normal operations could take months.

Recommended read:
References :
  • boB Rudis ?? ?? ??: I despise threat actor names, and am loathe to repeat "Scattered Spider" — now, but they did alot of damage to U.K. retailers and have set their sights on 'Murican retailers. They. Are. Not. Ready. (tho walmart may be…their cyber teams are ace) Buy what you need *now*.
  • The DefendOps Diaries: Explore how Scattered Spider targets US retailers with advanced cyber tactics, posing significant threats to digital infrastructures.
  • BleepingComputer: Google warned today that hackers using Scattered Spider tactics against retail chains in the United Kingdom have also started targeting retailers in the United States.
  • www.cysecurity.news: Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers.
  • ComputerWeekly.com: Details that scattered Spider retail attacks are spreading to US, says Google
  • therecord.media: "US retailers should take note" of recent cyberattacks on British companies, according to Google's Threat Intelligence Group, as the financially motivated collective known as Scattered Spider appears to be connected.
  • techinformed.com: Retail hackers speak to BBC, as Google warns US stores are next
  • The Record: "US retailers should take note" of recent cyberattacks on British companies, according to Google's Threat Intelligence Group, as the financially motivated collective known as Scattered Spider appears to be connected.
  • TechInformed: Retail hackers speak to BBC, as Google warns US stores are next
  • www.csoonline.com: ‘Aggressive, creative’ hackers behind UK breaches now eyeing US retailers
  • www.cybersecurity-insiders.com: Google warns of US retail cyber attacks and M & S insurance payout to cost £100m
  • www.cybersecurity-insiders.com: Google warns of US retail cyber attacks and M & S insurance payout to cost £100m
  • www.cybersecuritydive.com: Researchers warn threat actors in UK retail attacks are targeting US sector.
  • www.itnews.com.au: Google says hackers that hit UK retailers now targeting American stores
  • Tech Monitor: Google warns US retailers of Scattered Spider cyber threats
  • techhq.com: Hackers behind M&S breach may target US next
  • Cybersecurity Blog: UK Retailers Cyber Attack Saga; Is USA next for Scattered Spider?
  • The Register - Security: Cyber fiends battering UK retailers now turn to US stores
  • hackread.com: Hackers Now Targeting US Retailers After UK Attacks, Google
  • SecureWorld News: Scattered Spider Strikes Again: U.K. Attacks Spark U.S. Retailer Alarm
  • securityaffairs.com: Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting U.S. companies, shifting their focus across the Atlantic.
  • www.techradar.com: Google is warning that the UK is no longer the only target as multiple retailers report suffering an attack.
  • Blog: Scattered Spider shifts focus to US targets
  • DataBreaches.Net: Ex-NSA bad-guy hunter listened to Scattered Spider’s fake help-desk calls: ‘Those guys are good’
  • bsky.app: -Chrome will de-elevate when run with admin privileges -US' largest steel producer halts production after cyberattack -Scattered Spider shifts to US retailers
  • securityaffairs.com: Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting U.S. companies, shifting their focus across the Atlantic.

Jessica Lyons@theregister.com //
References: bsky.app , CyberInsider , techcrunch.com ...
Marks & Spencer (M&S) has confirmed that customer data was stolen during a recent cyberattack, with the ransomware group DragonForce claiming responsibility. The retail giant has initiated a mandatory password reset for all customers as a precautionary measure following the breach. The attack, which has shaken the UK retail sector, also affected other major retailers including the Co-operative Group (Co-op) and Harrods.

The stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. However, M&S assures customers that the compromised information does not include usable card or payment details, or account passwords. The company is working with external experts to secure its systems and has reported the incident to the relevant government authorities and law enforcement agencies. Initially reports linked Scattered Spider to the attack, it has now been claimed that DragonForce are responsible.

DragonForce, a relatively new Ransomware-as-a-Service (RaaS) group, has emerged as a significant threat, initially framing itself as a pro-Palestinian hacktivist collective before shifting to profit-driven operations. They operate by leasing their ransomware to affiliates, who then carry out the attacks, with the developers taking a cut of the ransom payments. DragonForce has been targeting high-profile UK retailers, deploying ransomware to encrypt networks, disrupt online orders and payment systems, and threaten the public release of stolen data.

Recommended read:
References :
  • bsky.app: The inevitable has happened then. M&S now admits that customer data was stolen as part of the ransomware attack. The cyber world had been waiting (a long time) to hear this from the supermarket giant as DragonForce hackers are known to use double extortion method.
  • CyberInsider: Marks & Spencer Confirms Customer Data Theft in April Cyberattack
  • securityaffairs.com: Marks and Spencer confirms data breach after April cyber attack
  • techcrunch.com: Marks & Spencer confirms customers’ personal data was stolen in hack
  • ComputerWeekly.com: M&S forces customer password resets after data breach
  • slcyber.io: DragonForce Claims Responsibility for Series of Attacks on UK Retailers
  • www.itpro.com: The retailer confirmed hackers accessed customer data –but not payment information or passwords
  • cyberinsider.com: Marks & Spencer (M&S) has confirmed that personal customer data was stolen during the cyberattack that disrupted its retail operations last month, escalating a previously opaque incident into a confirmed data breach.
  • The Register - Security: Marks & Spencer admits cybercrooks made off with customer info
  • ComputerWeekly.com: M&S is instructing all its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • www.cysecurity.news: Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers. This incident follows a wave of cyber intrusions, including those at Co-op and Harrods, allegedly orchestrated by the same hacking collective — Scattered Spider.
  • Tech News | Euronews RSS: M&S warned that there could be security risks as a result of stolen data. Here’s what you should do to protect yourself from future scams.
  • The Register - Security: Here's what we know about the DragonForce ransomware that hit Marks & Spencer
  • techxplore.com: Customer data stolen in Marks & Spencer cyberattack
  • ComputerWeekly.com: M&S is instructing all its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • techhq.com: Hackers behind M&S breach may target US next. Google warns US retailers may be next in line for ransomware attacks. A cyberattack that hit UK retailer Marks & Spencer is raising alarms in the US
  • BleepingComputer: Bleeping Computer reports M&S data stolen
  • Cybersecurity Blog: UK Retailers Cyber Attack Saga; Is USA next for Scattered Spider?
  • www.itpro.com: The British retailer has confirmed the theft of customer data in the cyberattack.

Mayura Kathir@gbhackers.com //
Scattered Spider, a sophisticated hacking collective known for its social engineering tactics, has allegedly breached Marks & Spencer by targeting the company's IT help desk. The cybercriminals reportedly duped an IT help desk employee into resetting a password, which then granted them access to internal networks. This breach is said to have disrupted M&S's online operations, leading to the temporary suspension of online orders, as reported between April and May 2025. Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, has become prominent for using social engineering to exploit corporate service desks.

This attack on Marks & Spencer is part of a broader trend impacting UK retailers. The National Cyber Security Centre (NCSC) has issued warnings to organizations, urging them to be wary of phony IT helpdesk calls. Other retailers such as Co-op and Harrods have also been linked to attacks resulting in stolen member data and crippled payment systems. Any organization with a service desk is theoretically vulnerable to these low-tech, high-impact tactics employed by Scattered Spider and similar groups.

Scattered Spider is believed to be composed of young US and UK citizens who are part of a collective known as "The Comm," an underground community of English-speaking criminals that communicates and coordinates using social media platforms like Discord or Telegram. While five users associated with Scattered Spider, including the alleged leader, were detained in the first half of 2024, the complete composition of the group remains undetermined. After a period of relative silence following these arrests, Scattered Spider has resurfaced with this latest string of attacks on UK retail brands, prompting renewed cybersecurity concerns.

Recommended read:
References :
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • specopssoft.com: Scattered Spider service desk attacks: How to defend your organization
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • www.cysecurity.news: M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • gbhackers.com: Cyberattackers Targeting IT Help Desks for Initial Breach
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
  • Malware ? Graham Cluley: Smashing Security podcast #416: High street hacks, and Disney’s Wingdings woe
  • BleepingComputer: M&S says customer data stolen in cyberattack, forces password resets
  • ComputerWeekly.com: M&S forces customer password resets after data breach
  • www.itpro.com: M&S confirms customer personal data was stolen in recent attack
  • BleepingComputer: Hackers behind UK retail attacks now targeting US companies
  • ComputerWeekly.com: Scattered Spider retail attacks spreading to US, says Google
  • www.cysecurity.news: Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider

Mandiant@Threat Intelligence //
UNC3944, a financially motivated cyber threat actor also known as Scattered Spider, has evolved from primarily conducting SIM swapping operations to focusing on ransomware and data extortion. Initially, UNC3944 targeted telecommunications organizations to facilitate SIM swaps, but since early 2023, they have shifted their focus to a broader range of industries, deploying ransomware and stealing data for extortion purposes. This transition marks a significant escalation in their tactics and impact, affecting sectors such as technology, financial services, business process outsourcing (BPO), gaming, hospitality, retail, and media & entertainment. The group has been observed conducting targeted waves of attacks against specific sectors, indicating a strategic and adaptable approach to their operations.

Despite law enforcement actions in 2024 that led to a temporary decline in UNC3944's activity, experts caution that their established connections within the cybercrime ecosystem suggest a strong potential for rapid recovery. This could involve forming new partnerships, adopting new tools to evade detection, or shifting strategies to circumvent security measures. Recent reports have indicated the use of tactics consistent with Scattered Spider in attacks against UK retail organizations, involving the deployment of DragonForce ransomware. Furthermore, the operators of DragonForce have reportedly taken control of RansomHub, a ransomware-as-a-service (RaaS) platform where UNC3944 was previously an affiliate after the shutdown of ALPHV (Blackcat) RaaS.

The retail sector has emerged as an increasingly attractive target for threat actors like UNC3944. Data from tracked data leak sites (DLS) reveals that retail organizations accounted for 11% of DLS victims in 2025, a notable increase from 8.5% in 2024. This trend is attributed to the large quantities of personally identifiable information (PII) and financial data typically held by retail companies, combined with their susceptibility to business disruption. The potential for significant financial losses resulting from ransomware attacks further incentivizes these companies to pay ransom demands, making them lucrative targets for financially motivated cybercriminals.

Recommended read:
References :
  • gbhackers.com: UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion
  • cyberpress.org: UNC3944 Hackers Transition from SIM Swapping to Ransomware and Data Extortion

@Talkback Resources //
The Co-op has confirmed a significant data breach following a cyberattack carried out by the ransomware group DragonForce. The attackers claim to have stolen sensitive data from current and former Co-op members, including names and contact details. While financial information and passwords were not compromised, the breach impacts a substantial number of individuals signed up for the Co-op's membership scheme, with DragonForce claiming access to the private information of around 20 million people. The NCSC is working with The Co-op to understand the full scope of the incident and provide expert advice.

DragonForce gained initial access to Co-op's IT networks by exploiting a vulnerability in internal communication systems, such as Microsoft Teams. They then exfiltrated large volumes of customer and employee data, using the stolen information to demand a ransom payment. Screenshots of extortion messages sent to Co-op's head of cyber security via an internal Microsoft Teams chat were shared with the BBC as proof of the breach. In response, the Co-op has implemented immediate security measures, including verifying meeting participants and requiring cameras to be turned on during calls.

The attack on Co-op is believed to be part of a broader campaign targeting major UK retailers, with similar incidents recently affecting Marks & Spencer and Harrods. These attacks are linked to affiliates of the DragonForce ransomware group, believed to be part of the Scattered Spider cybercrime community. This group is known for employing aggressive extortion tactics and sophisticated entry methods such as SIM swapping and MFA fatigue. The Co-op is currently rebuilding its Windows domain controllers and strengthening its defenses in collaboration with Microsoft DART and KPMG.

Recommended read:
References :
  • Talkback Resources: DragonForce hackers claim responsibility for cyberattack on Co-op, stealing major customer and employee data and targeting other companies with ransomware tactics.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
  • phishingtackle.com: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.

@cyble.com //
UK retailers have been targeted by a series of cyberattacks, prompting a national alert from the National Cyber Security Centre (NCSC). These attacks involved ransomware tactics and social engineering, leading to system disruptions and data breaches at several high-profile retail chains. The NCSC has issued a wake-up call to organizations, urging them to bolster their cybersecurity posture amid the growing threats. Attackers have also been impersonating IT helpdesks, tricking employees into handing over login credentials and security codes to gain access to company systems.

Marks & Spencer, Co-op, and Harrods have all been targeted recently, with DragonForce, an infamous ransomware group, claiming responsibility for the disruptions. The initial breach occurred at M&S, followed by an attempted hack at Harrods just days after the Co-op breach. Co-op revealed that its recent breach was more serious than initially reported, with a significant amount of data from current and former customers stolen. Attackers stole names and contact information in the Co-op breach but did not access passwords, payment data, or transaction histories. M&S has suspended online orders and is working to restore affected systems.

Mandiant has linked the DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub. UNC3944, also known as Scattered Spider, is a financially motivated threat actor known for its persistent use of social engineering and bold interactions with victims. DragonForce operates under a ransomware-as-a-service (RaaS) model, where affiliates carry out the attacks, keeping most of the ransom, while the group provides the tools and hosts leak sites. The NCSC warns organizations to remain vigilant, with DragonForce hinting at more attacks in the near future.

Recommended read:
References :
  • www.sentinelone.com: DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
  • BleepingComputer: Co-op confirms data theft after DragonForce ransomware claims attack
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • DataBreaches.Net: Co-op hackers boast of ‘stealing 20 million customers’ data’ – as retailer admits impacts of ‘significant’ attack
  • www.bbc.co.uk: BBC News reports on the Co-op cyberattack, confirming the theft of a 'significant' amount of data by the DragonForce hackers.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
  • CyberInsider: Co-op has officially confirmed that hackers accessed and exfiltrated member data in a recent cyberattack, marking a significant escalation in a wave of coordinated intrusions targeting UK retail giants.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • industrialcyber.co: Mandiant links DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub
  • phishingtackle.com: Rise In Cyberattacks On UK Retailers Sparks National Alert
  • www.cysecurity.news: UK Retail Sector Hit by String of Cyberattacks, NCSC Warns of Wake-Up Call

@cyble.com //
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.

The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.

To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • Phishing Tackle: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.