Insight

ANALYSIS: Cyber threat exposures for the retail industry

June 8, 2025

By Jay Vinda, Group CISO & Risk Engineering Lead, Cyber

Following recent cyberattacks on Marks & Spencer, Co-op, and Harrods, here is a look at why the retail industry is so frequently targeted, along with insights on the relevant threat-actor groups and a few practical tips. It is too early to describe the points of compromise and techniques used in these specific attacks while the retailers continue to respond and recover, working with the NCSC and incident response firms such as CrowdStrike and Microsoft. As more becomes known, lessons will be identified and applied by the cyber insurance industry to help prevent future attacks.

The UK retail industry has faced three recent high-profile cyberattacks, on Marks & Spencer, Co-op, and Harrods, all attributed to the same threat actor: Scattered Spider. There is currently not enough evidence to say whether these are a coordinated campaign against the retail industry, or whether they share a single point of failure.

The main motivation for attacking the retail industry is financial. Retail companies hold a trove of PII and financial information collected from customers who trust them to protect that data from misuse and abuse. This gives threat actors leverage: they extort retailers with ransom demands in exchange for decryption keys to restore business services and a promise to delete the stolen data. Previous law-enforcement actions against threat-actor groups have shown that criminals do not always delete stolen data, even when the impacted company has paid. The stolen PII can also be used by the threat actor for further social engineering and identity abuse, or sold on to other threat-actor groups for the same purposes.

Typically, we see retail organizations attacked during holiday seasons, their busiest time of the year:

  • Attacks that abuse network traffic (e.g. Distributed Denial of Service) are common. During holiday seasons, network traffic peaks, making it harder to tell legitimate traffic from malicious traffic
  • Staff are working longer hours and are under more pressure to meet deadlines, which makes phishing emails easier to slip past them
  • Staff take holidays. This leaves IT and security teams thinner during holiday seasons, so gaps are more easily exposed and exploited

Who is Scattered Spider?

Scattered Spider is a financially motivated, highly skilled cybercriminal group known for its expertise in social engineering, identity-based attacks, and abuse of cloud environments. Other threat-intelligence firms track the same activity as UNC3944 (the name used by Google) and Octo Tempest (the name used by Microsoft). Intelligence suggests they have been active since 2022 and they have been associated with well-known cyberattacks against MGM Resorts, Caesars Entertainment and Okta. They are believed to be English-speaking and based in the UK or US.

They are especially well known for abusing cloud services, including identity and access management platforms like Okta, Entra ID (Azure AD), and cloud-hosted infrastructure, often exploiting misconfigurations, overly permissive access, or stolen session tokens to move laterally and escalate privileges in hybrid environments.

Who is DragonForce?

Members of the DragonForce cybercriminal syndicate have claimed to be behind the cyberattacks on M&S, Co-op, and Harrods. Originally known as DragonForce Malaysia, the group started as a pro-Palestinian hacktivist collective that gained popularity for politically motivated cyberattacks against governments and corporations perceived as aligned with Israel or India. Two operations, OpsIsrael and OpsPatuk, have been attributed to them. Recently their motivation has shifted towards financial gain through ransomware operations. DragonForce's operators recently claimed to have taken over RansomHub's tooling and infrastructure; RansomHub tooling had previously been used in attacks attributed to the Scattered Spider group.

This year, DragonForce launched a white-label service named “RansomBay” that lets affiliates rebrand its ransomware under their own names. Affiliates pay DragonForce a 20-percent cut of any ransom and keep the rest. This has been described as a ransomware-cartel model: DragonForce runs a scalable operation in which individual threat actors, threat-actor groups, and other ransomware-as-a-service operators launch seemingly unique campaigns while leaning on DragonForce for the code, tooling, infrastructure, technical support and leak-site hosting.

Expert tips:

  • Measure your security ROI by how hard you make yourself to attack: focus on vulnerability and exposure management, and on attack-path mapping informed by threat modelling
  • Include assumed Active Directory (AD) compromise in your incident-response planning and testing exercises
  • Review helpdesk password reset procedures, prioritizing how the helpdesk verifies a caller's identity before resetting a password or re-enrolling MFA, with additional checks and balances for accounts that hold escalated privileges
  • Verify your highly privileged admin accounts for legitimacy and ownership, paying attention to Domain Admin, Enterprise Admin, Cloud Admin and Backup Admin accounts as well as service accounts that hold these roles
  • Strengthen identity-abuse monitoring: alert on ‘risky’ sign-ins, apply conditional access policies to high-risk resources, and look for bursts of failed sign-in attempts followed by a successful one from the same account, the signature of credential guessing that eventually lands
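The last tip describes a detection rather than a policy, so here is an added worked example (not from the original article, and not any vendor's product code) that runs the failed-then-success check over a small constructed sign-in log. Field names loosely follow the Entra ID sign-in log schema (errorCode 0 is a success, 50126 is an invalid username or password); the events, the threshold of five failures in a fifteen-minute window, and the helper names are assumptions chosen for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample sign-in log (not a real export). Field names loosely follow
# the Entra ID sign-in log schema: errorCode 0 is a success, 50126 is
# "invalid username or password".
def _event(ts, user, ip, code):
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


SAMPLE_SIGNIN_LOG = "\n".join(
    # alice: six wrong passwords in ten minutes, then a success from the same IP
    [_event(f"2025-06-01T08:{m:02d}:00Z", "alice@example.com", "203.0.113.5", 50126)
     for m in range(0, 12, 2)]
    + [_event("2025-06-01T08:13:00Z", "alice@example.com", "203.0.113.5", 0)]
    # bob: two typos then a success, ordinary user behaviour below the threshold
    + [_event("2025-06-01T08:20:00Z", "bob@example.com", "198.51.100.7", 50126),
       _event("2025-06-01T08:21:00Z", "bob@example.com", "198.51.100.7", 50126),
       _event("2025-06-01T08:22:00Z", "bob@example.com", "198.51.100.7", 0)]
    # carol: six failures and never a success (noisy, but no takeover to alert on)
    + [_event(f"2025-06-01T08:{m:02d}:00Z", "carol@example.com", "203.0.113.9", 50126)
       for m in range(30, 42, 2)]
    # dave: six failures spread over three hours, then a success: outside the window
    + [_event(f"2025-06-01T{h:02d}:{m:02d}:00Z", "dave@example.com", "192.0.2.44", 50126)
       for h, m in [(9, 0), (9, 30), (10, 0), (10, 30), (11, 0), (11, 30)]]
    + [_event("2025-06-01T11:40:00Z", "dave@example.com", "192.0.2.44", 0)]
)


def parse_signin_log(raw):
    """Parse newline-delimited JSON sign-in events into a flat list of dicts."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "success": rec["status"]["errorCode"] == 0,
        })
    return events


def detect_failed_then_success(events, min_failures=5, window=timedelta(minutes=15)):
    """Alert when an account logs min_failures or more failed sign-ins inside
    `window` and that streak is then closed by a successful sign-in.

    Failures that never lead to a success are deliberately not alerted here;
    they belong to a lockout / password-spray rule. A success resets the
    streak so one incident produces one alert.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        streak = []  # failed sign-ins still inside the window, oldest first
        for ev in evs:
            streak = [f for f in streak if ev["time"] - f["time"] <= window]
            if not ev["success"]:
                streak.append(ev)
                continue
            if len(streak) >= min_failures:
                failing_ips = sorted({f["ip"] for f in streak})
                alerts.append({
                    "user": user,
                    "failures": len(streak),
                    "first_failure": streak[0]["time"].isoformat(),
                    "success_time": ev["time"].isoformat(),
                    "failing_ips": failing_ips,
                    "success_ip": ev["ip"],
                    # the guessing source itself got in: treat as account takeover
                    "success_from_failing_ip": ev["ip"] in failing_ips,
                })
            streak = []
    return alerts


def run_detection(raw=SAMPLE_SIGNIN_LOG):
    """Convenience wrapper: parse the log and return the alerts it produces."""
    return detect_failed_then_success(parse_signin_log(raw))


if __name__ == "__main__":
    for alert in run_detection():
        print(json.dumps(alert, indent=2))
```

On the constructed data only alice trips the rule: bob is under the threshold, carol never succeeds, and dave's failures are too spread out for the window. The threshold and window are the knobs to tune against your own baseline; a success from an IP that appeared in the failures is the strongest signal and is the case to route straight to a forced password and token reset.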

Further support is offered by Google Mandiant: https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations

The NCSC has also published a guide on mitigating malware and ransomware attacks: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks#actionstotake

Jay Vinda is Group CISO & Risk Engineering Lead, Cyber, at Mosaic. He focuses on cyber-risk quantification and development of proactive cyber services to support our underwriting teams and clients.