M&S hack likely carried out by Scattered Spider

Information from BleepingComputer indicates that Scattered Spider was most likely behind the hack on Marks & Spencer. The store was hit by a hack on Easter Monday, the aftermath of which is still being felt by British and Irish customers.

BleepingComputer refers to “ongoing outages” at M&S, although these only affect the retail chain’s operations in the United Kingdom and Ireland. According to Sky News, 200 warehouse workers have been told to stay at home, which indicates that the consequences will continue to be felt for some time.

Hack already in February

Until now it was not widely known when the intrusion began; new information points to an infiltration in February. The attackers are believed to have gained access via a stolen NTDS.dit file, the main Active Directory database held on a Windows domain controller. The password hashes it contains allowed the attackers to move laterally through the network, but it was not until April that the foothold was exploited.
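Because the article names a stolen NTDS.dit copy as the initial foothold, the detection a defender would want is an alert whenever a process on a domain controller other than the directory service itself touches that database or creates the shadow copy needed to read it. The following is an added example, not code from the article or from M&S; it assumes a simplified, constructed form of Windows process-creation (event 4688) records with host, user, process and command line fields.

```python
import re
from typing import Dict, List

# Indicators that a process-creation event touches the AD database, launches
# the directory maintenance tool, or creates a volume shadow copy (the usual
# way to read a file the DC keeps locked). Matched against the command line.
NTDS_PATTERNS = {
    "ntds_dit_path": re.compile(r"ntds\.dit", re.I),
    "ntdsutil_launch": re.compile(r"\bntdsutil(\.exe)?\b", re.I),
    "shadow_copy_create": re.compile(r"\b(vssadmin|wmic\s+shadowcopy)\b.*\bcreate\b", re.I),
}

# The only process expected to hold ntds.dit open on a healthy domain controller.
EXPECTED_NTDS_PROCESSES = {"lsass.exe"}


def detect_ntds_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line matches an NTDS indicator.

    Each event is a dict with 'host', 'user', 'process' and 'cmdline' keys
    (a simplified stand-in for Security event 4688). Legitimate admin use of
    these tools exists, so every alert is a lead for triage, not a verdict.
    """
    alerts = []
    for ev in events:
        if ev.get("process", "").lower() in EXPECTED_NTDS_PROCESSES:
            continue  # the directory service itself, not a copy attempt
        for indicator, pattern in NTDS_PATTERNS.items():
            if pattern.search(ev.get("cmdline", "")):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "indicator": indicator, "cmdline": ev["cmdline"]})
                break  # one alert per event is enough
    return alerts


# Constructed sample events (not real telemetry from the M&S incident).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "SYSTEM", "process": "lsass.exe",
     "cmdline": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "DC01", "user": "CORP\\svc-backup", "process": "ntdsutil.exe",
     "cmdline": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"host": "DC01", "user": "CORP\\svc-backup", "process": "vssadmin.exe",
     "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\jdoe", "process": "esentutl.exe",
     "cmdline": "esentutl.exe /g C:\\Windows\\NTDS\\ntds.dit"},
    {"host": "WS01", "user": "CORP\\jdoe", "process": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect_ntds_access(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["indicator"], alert["cmdline"])
```

Hunting for these events on domain controllers, and treating any hit outside a known backup window as a priority investigation, gives a chance to catch the credential theft weeks before the hashes are used for lateral movement.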

On April 24, a DragonForce encryptor was reportedly used to lock files. This suggests that M&S responded quickly after the attack, which is a positive sign: the encryption actually took place after the initial announcement of the cyber incident. That is quite odd, and we are curious to see whether more information becomes available from security experts or M&S itself. Normally, we would say this timeline does not make much sense.

Scattered Spider is now a well-known hacker group. It featured prominently in CrowdStrike’s most recent security report and is already being targeted by authorities worldwide, including in the US.

Context

Read the full article here: What the Marks & Spencer cyberattack can teach retailers

On Easter Monday, April 21, Marks & Spencer was hit by a cyberattack. Contactless payments were down for at least 72 hours; click-and-collect, gift cards, and remote sessions went dark, and all online orders in the UK and Ireland—accounting for a third of sales in those countries—were paused. While the site appeared to be “accessible” again, phishers cleverly capitalized on the chaos with fake discount emails, causing customers to lose tens to hundreds of pounds.

Holidays are popular times for attackers: security teams are understaffed and newly discovered vulnerabilities have not yet been patched everywhere. It remains unclear whether customer or employee data was stolen. M&S announced the incident on April 21; CEO Stuart Machin spoke of “minor changes” a day later, but in reality, invoices could not be viewed, orders could not be completed, and remote staff could not log in. A full recovery is still pending, a week later.

On a positive note, M&S quickly informed the UK’s NCSC, ICO, and NCA and called in an independent forensic team. The impact was geographically limited to the UK and Ireland, and the stock market value fell by “only” about five percent.

The most important lesson for others is that processes must “crash gracefully” when IT fails. A store must be able to continue selling, if necessary with pen and paper, to secure revenue and customer satisfaction. The incident shows how vulnerable omni-channel retail is during the holidays, how eager phishers are to piggyback on the action, and how crucial fast, transparent communication and robust emergency procedures are to limit reputational damage.