Four arrested in UK over M&S, Co-op, Harrods cyberattacks

The UK’s National Crime Agency (NCA) arrested four people suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.

The arrested individuals are two 19-year-old males, one 17-year-old male, and a 20-year-old female, who were apprehended earlier today in their homes in London and the West Midlands. One of them is Latvian, and the rest are English.

The police also confiscated electronic devices to examine them for potential incriminating evidence or information that might lead to co-conspirators.

The four suspects now face charges of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime.

The suspects are believed to be linked to cyberattacks on M&S, Co-op, and Harrods between late April and early May, causing massive disruptions and a negative impact on the businesses targeted by the hackers.

Marks & Spencer had to pause online orders soon after the attack, and later confirmed that customer data had been stolen, forcing password resets for all customers. It was later estimated that the incident would cause a $402,000,000 (£300 million) impact on its profits.

During the attacks on Co-op and Marks & Spencer, the threat actors attempted to deploy the DragonForce ransomware. However, the ransomware attack was only successful on M&S, as Co-op shut down its systems before the encryptors could be deployed.

As first reported by BleepingComputer, the cyberattacks were attributed to threat actors classified as Scattered Spider, with associated hackers tied to numerous breaches over the past few years, including MGM, Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” stated NCA’s Deputy Director, Paul Foster.

“Today’s arrests are a significant step in that investigation, but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”

Although the NCA did not mention Scattered Spider in its announcement, the ethnicity, social engineering tactics, and ages of the arrested individuals match the typical profile of Scattered Spider members, as has been established from previous arrests in the US, Britain, and Spain.

After targeting retail, the attackers shifted their focus to U.S. insurance companies, and later to aviation and transportation firms; they are also suspected of being behind the Qantas breach.

Qantas confirmed yesterday that the incident impacted 5.7 million customers, exposing their sensitive information.

The arrests in Britain could have a chilling effect on Scattered Spider’s ongoing campaigns, as remaining members may choose to pause and go into hiding for a while.

However, as these threat actors are believed to be part of a larger collective of diverse English-speaking threat actors that congregate on Discord, Telegram, and online forums, the arrests are unlikely to cause a complete halt to attacks.
