The cyber incident at British retailer Marks & Spencer (M&S) resulted from a ransomware attack suspected to have been carried out by the hacking group ‘Scattered Spider’, BleepingComputer has reported, citing multiple anonymous sources.

M&S, which operates over 1,400 stores worldwide, confirmed last week that it had been targeted by a cyberattack. The incident caused significant issues, notably impacting the company’s contactless payment systems and online order processing. Although the company’s physical stores continue to operate, M&S temporarily suspended accepting online orders through its website and mobile applications on Friday (25 April).

The disruptions continued this week, with M&S instructing approximately 200 employees at its Castle Donington clothing and homewares logistics centre in the East Midlands to remain at home, Sky News reported. The company has yet to provide specific details about the attack or a timeline for when normal operations might resume.

Cyberattack compromises M&S server security

The disruptions have been traced back to a ransomware attack that encrypted M&S’s servers. The breach may have occurred as early as February, with attackers reportedly accessing the NTDS.dit file, a critical component of the Windows domain. This file contains password hashes, which attackers can use to gain unauthorised access to the network.

According to the BleepingComputer report, attackers allegedly deployed the DragonForce encryptor on VMware ESXi hosts, targeting virtual machines. In response, M&S has engaged cybersecurity firms CrowdStrike, Microsoft, and Fenix24 to assist in the investigation and response efforts.

Scattered Spider is known for employing advanced social engineering techniques, including phishing and multi-factor authentication fatigue attacks, to gain unauthorised network access.

It reportedly comprises young, English-speaking individuals who coordinate via hacker forums and messaging platforms like Telegram and Discord. Initially involved in financial fraud and social media hacks, the group has advanced to execute more complex social engineering attacks targeting corporations for extortion and cryptocurrency theft.

In a notable incident in September 2023, the group reportedly breached MGM Resorts through social engineering. Scattered Spider is also known to collaborate with other ransomware entities such as RansomHub and Qilin.

Law enforcement agencies have intensified efforts to dismantle the group, resulting in several arrests in the US, the UK, and Spain over the past two years. However, the decentralised nature of Scattered Spider poses challenges in effectively tracking and apprehending its members.
