The bank holiday weekend saw continuing disruption from a series of cyber attacks on the UK retail sector that have unfolded over the past fortnight, with gaps appearing on shelves at Marks and Spencer (M&S) and Co-op.
The attacks, which began over the Easter weekend, have been claimed by representatives of the DragonForce ransomware-as-a-service (RaaS) operation. They were first linked to Scattered Spider and The Com, two overlapping English-speaking hacking collectives, acting as a DragonForce affiliate.
In a further update over the weekend, Co-op CEO Shirine Khoury-Haq told customers via email that the cyber criminals behind the attack were “highly sophisticated” and that managing its severity meant multiple services must remain suspended.
Khoury-Haq reiterated that customer data has been impacted in the attack. “This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened. We recognise the importance of data protection and take our obligations to you and our regulators seriously, particularly as a member-owned organisation,” she said.
The impacted data on Co-op members appears to include names, dates of birth and contact information, but not passwords, financial details, or any information on members’ shopping habits or other interactions with the organisation.
DragonForce, the white-label ransomware-as-a-service group claiming responsibility for all three attacks, had previously shared a sample of this data on about 10,000 Co-op members with the BBC and told reporters that other UK retailers were on a blacklist.
Meanwhile, M&S insiders – speaking to Sky News – revealed how IT staff have been forced to sleep over in the office amid the chaos. The employees described how a lack of planning for such a scenario had led to chaos within M&S, and said it could be a significant length of time before things start to return to normal.
The National Cyber Security Centre’s (NCSC) Jonathan Ellison and Ollie Whitehouse, director of national resilience and chief technology officer respectively, said: “The NCSC is working with organisations affected by the recent incidents to understand the nature of the attacks and to minimise the harm done by them, and providing advice to the wider sector and economy.
“Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor, or whether there is no link between them at all. We are working with the victims and law enforcement colleagues to ascertain that,” they said.
“We are also sharing what we know with the companies involved and the wider sector – through our sector-focused Trust Groups run by the NCSC – and encouraging companies to share their experiences and mitigations with each other,” added Ellison and Whitehouse.
What is DragonForce?
SentinelOne senior threat researcher Jim Walter said DragonForce had started out as a Malaysia-based hacktivist network supporting Palestinian causes, but since its emergence in the summer of 2023 it has pivoted to a hybrid model of political hacktivism and ransomware-enabled extortion.
It has targeted multiple government bodies in Israel, India, Saudi Arabia and the UK, as well as commercial businesses and organisations aligned with specific political causes.
The wave of attacks against UK businesses highlights the ongoing need for strong cyber security practices and policies, along with well-developed incident response procedures Jim Walter, SentinelOne
Walters said that although some components of the attacks had been attributed to an affiliate, there was a lack of strong technical evidence in this regard, although there were clear behavioural and operational characteristics consistent with attacks by Scattered Spider and The Com.
“While DragonForce continues to blur the line between hacktivism and financial motivation, its recent targeting suggests the group is increasingly motivated by financial rewards,” wrote Walters in a blog post.
“Although DragonForce’s large-scale cartel model is not the first of its kind, its current successes and the recent demise of rival operations suggest that it will become increasingly attractive both to orphaned ransomware actors and more resourced groups looking to thrive in an increasingly competitive space.
“The wave of attacks against UK businesses in recent weeks highlights the ongoing need for strong cyber security practices and policies, along with well-developed incident response procedures.”
DragonForce, or its affiliates, typically gain access to their victim environments using a combination of targeted phishing emails and exploitation of known vulnerabilities. They have favoured several ‘hardy perennials’, including Log4j and high-profile Ivanti vulnerabilities.
It is also known to use stolen credentials – this may have been the case in the M&S incident, and or credential stuffing attacks against remote desktop protocol (RDP) services or virtual private networks (VPNs).
Typically, it uses Cobalt Strike and similar tools to run its campaigns, and remote management tools such as mimikatz, Advanced IP Scanner and PingCastle to conduct lateral movement, establish persistence and elevate their privilege. These are all highly typical behaviours for ransomware gangs.
The ransomware payload, which was initially built entirely on the leaked LockBit 3.0/Black locker, has of late evolved into a bespoke branded ransomware with more roots in Conti’s codebase. Its encryption features are a little out of the ordinary – it uses AES for primary file encryption and RSA to secure the keys – although Conti-derived samples encrypt with the ChaCha8 algorithm.
Affiliates can take advantage of various tools to build new payloads and manage campaigns, with targeted variants for platforms such as Linux, VMware ESXi and Windows. The payloads can also be heavily customised in their behaviour, so affiliates can dictate, for example, what extensions they want to append, different command line scripts, and allow and deny lists for file encryption. They can even set up delayed execution if they wish.
For data exfiltration, multiple options are possible, and affiliates can also set up collaborative teams within the ransomware control panel, enabling them to more effectively work together and communicate and coordinate with victims
More recently, DragonForce has introduced a new white-labelling service that lets affiliates wrap the ransomware in their own branding for an additional fee, expanding into a more active cartel type service, explained Walters.
