M&S confirms social engineering led to massive ransomware attack

M&S confirmed today that the retail outlet’s network was initially breached in a “sophisticated impersonation attack” that ultimately led to a DragonForce ransomware attack.

M&S chairman Archie Norman revealed this in a hearing with the UK Parliament’s Business and Trade Sub-Committee on Economic Security regarding the recent attacks on the retail sector in the country.

While Norman did not go into details, he stated that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee’s password.

“In our case the initial entry, which was on April the 17th, occurred through what people now call social engineering. As far as I can tell that’s a euphemism for impersonation,” Norman explained to the MPs.

“And it was a sophisticated impersonation. They just didn’t walk up and say will you change my password. They appeared as somebody with their details. And part of the point of entry also involved a third-party.”

As reported by FT in May, IT outsourcing company Tata Consultancy Services had begun investigating whether it was inadvertently involved in the attack on M&S. Tata provides help desk support for M&S and is believed to have been tricked by the threat actors into resetting an employee’s password, which was then used to breach the M&S network.
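The sequence described above, a help-desk-assisted password reset followed shortly by a sign-in from somewhere the account has never been seen, is one an identity team can watch for in its own logs. The following Python is an added example, not code from the article, from M&S or from Tata, and it runs over constructed sample events; the event format, user names, device identifiers and IP addresses are all assumptions. It correlates each password reset with the next sign-in from a device the account has never used within a 24-hour window, and records who performed the reset so that third-party help-desk resets can be triaged ahead of self-service ones.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not from the article). They model the
# pattern described above: a third-party help desk resets a user's password
# and, minutes later, that account signs in from a device never seen before.
SAMPLE_EVENTS = [
    {"ts": "2025-04-17T07:50:00", "type": "login", "user": "m.khan", "ip": "10.1.4.40", "device": "LAPTOP-MK"},
    {"ts": "2025-04-17T08:02:00", "type": "login", "user": "j.smith", "ip": "10.1.4.22", "device": "LAPTOP-JS"},
    {"ts": "2025-04-17T08:10:00", "type": "login", "user": "a.lee", "ip": "10.1.4.30", "device": "LAPTOP-AL"},
    {"ts": "2025-04-17T09:15:00", "type": "password_reset", "user": "j.smith", "actor": "helpdesk-vendor", "channel": "phone"},
    {"ts": "2025-04-17T09:21:00", "type": "login", "user": "j.smith", "ip": "203.0.113.77", "device": "UNKNOWN-7F3A"},
    {"ts": "2025-04-17T10:00:00", "type": "password_reset", "user": "a.lee", "actor": "self-service", "channel": "portal"},
    {"ts": "2025-04-17T10:05:00", "type": "login", "user": "a.lee", "ip": "10.1.4.30", "device": "LAPTOP-AL"},
    {"ts": "2025-04-17T11:30:00", "type": "password_reset", "user": "m.khan", "actor": "helpdesk-vendor", "channel": "phone"},
    {"ts": "2025-04-17T11:45:00", "type": "login", "user": "m.khan", "ip": "10.1.4.40", "device": "LAPTOP-MK"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def correlate_reset_then_new_device(events, window=timedelta(hours=24)):
    """Return one alert per password reset that is followed, within `window`,
    by a sign-in from a device the account has never used before.

    Devices seen in logins before a reset form the account's baseline. The
    alert records who performed the reset and over which channel, so that
    help-desk resets done over the phone can be prioritised for review.
    """
    known_devices = {}   # user -> set of device ids seen in earlier logins
    pending_resets = {}  # user -> reset events not yet matched to a login
    alerts = []

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user = ev["user"]
        ts = parse_ts(ev["ts"])

        if ev["type"] == "password_reset":
            pending_resets.setdefault(user, []).append(ev)
            continue

        if ev["type"] != "login":
            continue

        seen = known_devices.setdefault(user, set())
        is_new_device = ev["device"] not in seen

        # Discard resets that fall outside the correlation window.
        recent = [r for r in pending_resets.get(user, [])
                  if ts - parse_ts(r["ts"]) <= window]
        pending_resets[user] = recent

        if is_new_device and recent:
            reset = recent[-1]  # most recent reset for this account
            alerts.append({
                "user": user,
                "reset_at": reset["ts"],
                "reset_actor": reset["actor"],
                "reset_channel": reset["channel"],
                "login_at": ev["ts"],
                "ip": ev["ip"],
                "device": ev["device"],
                "minutes_after_reset": int((ts - parse_ts(reset["ts"])).total_seconds() // 60),
            })
            pending_resets[user] = []  # one alert per reset

        seen.add(ev["device"])

    return alerts


if __name__ == "__main__":
    for alert in correlate_reset_then_new_device(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['user']}: reset by {alert['reset_actor']} via "
              f"{alert['reset_channel']} at {alert['reset_at']}, then new device "
              f"{alert['device']} from {alert['ip']} "
              f"{alert['minutes_after_reset']} min later")
```

On the sample data only j.smith is flagged: the reset came from the vendor help desk over the phone and the next sign-in was from an unknown device six minutes later, while the self-service reset for a.lee and the help-desk reset for m.khan were each followed by a sign-in from a device already in that account's baseline. In a real deployment the baseline would come from weeks of sign-in history rather than from the same day's events, and the reset channel would be the field to use for routing the alert to whoever verifies the help desk's identity checks.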

For the first time, M&S named the DragonForce ransomware operation as the potential attacker, which Norman stated was believed to be operating from Asia.

“The instigator of the attack is believed to be DragonForce, who are a ransomware operation based, we believe, in Asia.”

Since the attack, many media outlets have incorrectly linked a hacktivist group known as “DragonForce Malaysia” with the DragonForce ransomware gang. The hacktivists are believed to be a pro-Palestine group operating out of Malaysia, while the DragonForce ransomware operation is believed to be in Russia.

As first reported by BleepingComputer, the attack on M&S was conducted by threat actors linked to Scattered Spider, who deployed the DragonForce ransomware on the network.

This led M&S to purposely shut down all their systems to prevent the spread of the attack.

However, by then, it was too late, with numerous VMware ESXi servers encrypted and sources telling BleepingComputer that approximately 150GB of data was believed to be stolen.

The ransomware operation employs a double-extortion tactic, which involves not only encrypting devices but also stealing data and threatening to publish it if a ransom is not paid.

While BleepingComputer was told that data was stolen in the attack, DragonForce has not made an entry on their data leak site for M&S. This could indicate that the retail chain paid a ransom demand to prevent the leaking of stolen data.

When asked about the ransom demands during the hearings, Norman said they took a hands-off approach when dealing with the threat actors.

“We took an early decision that nobody at M&S would deal with the threat actors directly. We felt that the right thing would be to leave this to the professionals who have experience in the matter,” explained Norman.

Norman is likely referring to ransomware negotiation firms that help companies negotiate with threat actors and obtain access to Bitcoin to facilitate payments.

When explicitly asked if they paid a ransom demand, Norman said they were not discussing these details publicly as they “don’t think it’s in the public interest,” but had fully shared the subject with the NCA and the authorities.

Ransomware gangs rarely do anything for free, and if data was stolen and not leaked by now, then either a payment has been made or the threat actors are still negotiating with M&S.
