
Features 02.05.2025
UK Retailers Are Under Attack: Here’s What You Need to Know
What CISOs can learn from ongoing incidents at M&S, the Co-op and Harrods
There are few sights guaranteed to alarm the populace more than empty supermarket shelves. Yet that’s what customers of some Marks & Spencer stores have witnessed in recent days, as the storied retailer battles a sophisticated cyber-attack. Within days, the Co-op was forced to hit the incident response button after it too was targeted. In the same week, another incident struck Harrods.
At first sight, the cases appear to be unrelated. But they tell us much about the challenges facing CISOs in the retail sector today.
The first case appears to be the more serious of the two. M&S first revealed news of a cyber incident on April 21. At the time, it was praised for its transparency, with a short message from boss Stuart Machin notifying customers that it had been “managing a cyber incident” over the previous few days, and that it would make some “small changes” to operations temporarily in response.
Unfortunately for M&S, it was subsequently forced to suspend contactless payments in store, pause Click & Collect, and then temporarily halt all online orders. Reports emerged of “pockets of limited availability” across some of the retailer’s 1400 stores, with staff at a major logistics hub told not to come into work. Sure enough, the incident appears to have evolved into a full-blown breach.
Reports suggest that sophisticated threat actors associated with the sprawling “Scattered Spider” collective have encrypted some of the company’s servers with the DragonForce ransomware variant. It’s unclear what the initial access vector was, but adversaries apparently managed to get hold of a copy of the NTDS.dit file, the database that backs the company’s Windows Active Directory. After extracting and cracking the password hashes it contains for Windows accounts, they were able to access privileged accounts and move laterally through the M&S network – stealing data and then deploying ransomware to its VMware ESXi hosts.
The Co-op’s case, at the time of writing at least, is more straightforward. According to an internal letter sent to staff on April 29 and seen by The Guardian, the UK’s seventh-largest retailer said it had taken the decision to shut down part of its IT network due to unauthorised access attempts.
“We have taken proactive steps to keep our systems safe, which has resulted in a small impact to some of our back office and call centre services,” it claimed. “We are working hard to reduce any disruption to our services and would like to thank our colleagues, members, partners and suppliers for their understanding during this period.”
It remains to be seen what impact this has operationally, with one source telling the paper that a number of back-end functions requiring head office support had been impacted, including stock updates. That could soon affect high street stores or online deliveries.
Like M&S, the retailer is not asking customers to do anything proactively, indicating that it doesn’t believe personal data has been taken, although this could change. The firm is leaving nothing to chance. A recent report claiming that it has asked all virtual meeting attendees to keep their cameras on, and not to record or transcribe Teams calls, indicates it’s concerned that hackers may already be inside the network.
At the time of writing, there’s little to be said of the Harrods “incident” aside from a brief statement that it has “restricted internet access at our sites” after an unauthorised access ‘attempt’.
“Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today,” a statement noted.
“Currently all sites including our Knightsbridge store, H beauty stores and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com.”
Attacks on retailers are nothing new. Their low tolerance for outages and processing of customers’ financial data make them a prime target. Over a decade ago, US chain Target was famously breached via a third party, leading to the compromise of tens of millions of customer cards. In general, cyber-attacks – especially those in the US – used to focus on theft of card data from point of sale (POS) machines. The advent of chip and PIN, and the growth of the typical retail attack surface, have since led threat actors to change tack.
“The physically distributed environments in which they operate complicates consistent enforcement of security. Their operations span shops, warehouses, and distribution, each with their own IT solutions. This expands the attack surface that the attackers can target. An attack on one area has a knock-on impact on another, much like a traditional supply chain attack, but one which impacts the internal process and operations of the retailer,” Trend Micro director of cyber strategy, Jonathan Lee, tells Assured Intelligence.
“Talking of the supply chain, they often have many third-party supply chain dependencies, such as for e-commerce, processing of payments etc., which further expands the attack surface that the attackers can go after.”
Assured CISO, Nick Harris, is a former CISO at Holland & Barrett. He argues that it’s too soon to be second-guessing what the current trio of under-fire retailers might be doing behind the scenes to respond. However, he has published advice on how to combat the threat from Scattered Spider in particular.
“Scattered Spider threat actors are exceptionally skilled at social engineering and differ from other threat groups by being largely English speaking,” he tells Assured Intelligence. “Credited for the M&S attack, as well as MGM previously, there are still actionable steps CISOs can take to mitigate many of their known TTPs, like improving email security, disabling RDP on endpoints and auditing password reuse.”
His recently published how-to guide to tabletop exercises could also help security leaders better plan their response to events such as this.
Martin Riley, CTO at consultancy Bridewell, argues that keeping advanced actors like Scattered Spider from penetrating the corporate network simply isn’t possible 100% of the time.
“The objective is to be able to identify the fingerprints of an attacker within the environment as early as possible,” he tells Assured Intelligence. “Systems such as Active Directory, and Identity as a whole should be considered the crown jewels and critical assets and should therefore be covered with highly capable security monitoring, detection and response to help contain and evict threat actors as quickly as possible.”
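The NTDS.dit theft described in the M&S reporting above, and Riley’s point that Active Directory should be monitored as a crown jewel, both come down to the same detection question: which process opened the directory database? The sketch below is an added example, not code from any of the firms or vendors quoted; the event lines are constructed in a simplified key=value layout that is an assumption of this example, with field names borrowed from Windows Security Event ID 4663 (object access).

```python
"""Flag reads of the Active Directory database file (NTDS.dit) on a domain controller.

On a domain controller the only process that should normally hold NTDS.dit
open is lsass.exe. Any other process handle on that file is worth an
immediate alert. Sample events below are constructed, not real telemetry;
the key=value layout is an assumption of this example.
"""
import re
from typing import Dict, List

# Processes that legitimately open NTDS.dit on a domain controller (assumed allow-list).
ALLOWED_PROCESSES = {r"c:\windows\system32\lsass.exe"}

# Matches an object path ending in "\ntds.dit", case-insensitively.
NTDS_PATH = re.compile(r"\\ntds\.dit$", re.IGNORECASE)

# Constructed sample events (not from the incidents in the article).
SAMPLE_EVENTS = [
    'EventID=4663 Host=DC01 SubjectUserName=SYSTEM ProcessName=C:\\Windows\\System32\\lsass.exe ObjectName=C:\\Windows\\NTDS\\ntds.dit AccessMask=0x1',
    'EventID=4663 Host=DC01 SubjectUserName=svc-backup ProcessName=C:\\Users\\svc-backup\\Desktop\\copy.exe ObjectName=C:\\Windows\\NTDS\\ntds.dit AccessMask=0x1',
    'EventID=4663 Host=DC01 SubjectUserName=SYSTEM ProcessName=C:\\Windows\\System32\\lsass.exe ObjectName=C:\\Windows\\NTDS\\edb.log AccessMask=0x2',
    'EventID=4624 Host=DC01 SubjectUserName=jsmith ProcessName=- ObjectName=- AccessMask=-',
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict (values contain no spaces here)."""
    return dict(FIELD.findall(line))

def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when a 4663 event shows a process other than lsass.exe opening NTDS.dit."""
    if ev.get("EventID") != "4663":
        return False
    if not NTDS_PATH.search(ev.get("ObjectName", "")):
        return False
    return ev.get("ProcessName", "").lower() not in ALLOWED_PROCESSES

def find_ntds_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that should raise an alert."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

if __name__ == "__main__":
    for hit in find_ntds_access(SAMPLE_EVENTS):
        print(f"ALERT {hit['Host']}: {hit['SubjectUserName']} opened {hit['ObjectName']} via {hit['ProcessName']}")
```

Object-access auditing must be enabled and a SACL set on the NTDS folder for 4663 events to exist at all; a rule like this is only as good as the audit policy feeding it.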
For Adaptavist field CTO, Matt Saunders, zero trust approaches can help to mitigate even the most sophisticated attacks. But this “gets doubly hard in an older company with a lot of legacy systems that weren’t designed to manage modern, sophisticated hacking threats and techniques,” he tells Assured Intelligence.
“Everything has to be interconnected. For example, supplier relationships indirectly affect stock levels and availability to customers, but making the best use of network segmentation and the policy of ‘least privilege’ means that when an inevitable cyberattack comes, the intrusion can be isolated and dealt with without having to take everything down,” he adds.
“Cyber attackers may infect a network over time by leaving agents running inside the infrastructure. Having easily replaceable infrastructure using short-lived containers and functions to run code helps prevent a hacking incursion from spreading.”
Ultimately, retail CISOs must assume it’s a case of “when” not “if” and plan accordingly, he argues.
“Given the threat of more sophisticated attacks, including those using emergent AI techniques, architecting according to good security principles while having proper intrusion detection and disaster recovery processes is absolutely essential now,” Saunders concludes.
“If someone gets in, you need to know about it as soon as possible to mitigate it with the least amount of damage, both technical and reputational.”
The final word goes to Tim Grieveson, CSO at ThingsRecon.
“There must be a common thread across these retailers that has put them firmly in the crosshairs of cybercriminals,” he argues. “These aren’t isolated events, they are a wake-up call.”