Marks & Spencer (M&S) chairman Archie Norman has confirmed the attack on the retailer’s systems in April was ransomware-related, but declined to say whether a payment was made to the threat actors.
Norman made the comments during oral evidence to a Business and Trade Sub-Committee on Economic Security, Arms and Export Controls Committee hearing at the UK Parliament on July 8.
He explained that dealing with the attack, which has been linked to the Scattered Spider hacking collective using DragonForce ransomware infrastructure, was like nothing he had ever experienced in his years working in business and retail.
“It’s very rare to have a criminal actor in another country or in this country seeking to stop customers shopping at M&S – essentially trying to destroy your business for purposes that are not entirely clear but partly undoubtedly ransom and extortion,” Norman commented.
He also confirmed the attack was perpetrated by the ransomware operator DragonForce, working in concert with other “loosely aligned” actors.
Norman was directly asked whether M&S had paid a ransom demand to the attackers, but did not provide a clear answer on this point, stating that making such a payment is a “business decision.”
“The question you have to ask is when you get a demand, what are you getting for it? Because once your systems are compromised you have to rebuild anyway. Maybe they’ve exfiltrated data you don’t want published, but in our case, substantially the damage had been done,” he said.
No Direct Communication with Attackers
Norman revealed that M&S was not contacted by the threat actor until around a week after initial access was achieved on April 17.
A decision was made by the retailer to not directly communicate with the attackers, instead relying on professional intermediaries to do so. Norman also noted that a lot of the attacker demands came through media channels, most commonly the BBC.
“It was sometimes an unusual experience to be brushing your teeth in the morning when somebody comes onto the BBC with a communication from the people allegedly attacking our business,” he commented.
In regard to how the attackers gained access to M&S networks, Norman explained that the attack occurred through a “sophisticated” social engineering attack involving a third party.
This ties into reports that Scattered Spider leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate M&S.
“We have a very wide attack surface – we have 50,000 people, colleagues in the stores, contractors working for us, some outsourced in India, who are working on our systems,” Norman noted.
He also acknowledged that M&S has a large number of legacy systems, making segmentation difficult. This meant large swathes of M&S systems had to be shut down to prevent further lateral movement, heavily affecting areas such as online shopping.
“Part of the reason the attack has been so business impairing for us is that we closed down the systems as part of the defense,” Norman admitted.
The retailer is still in the process of bringing these systems back up securely.
In contrast, representatives from the Co-op, who also gave evidence at the hearing about the incident it experienced shortly after the M&S attack, on April 25, revealed the retailer was able to limit the effects because it had heavily segmented systems.
“Our systems are heavily segregated which means that this is very much focused on one specific zone and our online business managed to operate normally and our retail stores and payment systems are segmented so therefore they weren’t part of this attack,” commented Robert Elsey, chief digital and information officer at the Co-op.
Dominic Kendal-Ward, group secretary and general counsel at the Co-op, acknowledged that the attackers were able to access member information during the time they were in the system, but this was limited to names, addresses and dates of birth.
The Co-op was not aware of the attack on M&S when attackers first accessed its systems, but subsequently shared information via the National Cyber Security Centre (NCSC), Elsey revealed.
Large Number of Attacks Going Unreported
During the hearing, M&S’ Norman expressed support for mandatory reporting for “material” cybersecurity incidents, noting that he is aware of a large number of serious attacks that do not get reported in the UK.
“In fact, we have reason to believe that two major cyber-attacks on two large British companies in the last four months have gone unreported,” said Norman.
“We think that’s a big deficit in our knowledge,” he continued.