Freelance cyber networks fuel North Korean nuclear ambitions
Read more 
Hooked! #3: Cyberattacks on UK retailers raise questions about food security
It’s been a rough few weeks for UK retailers hit by cyberattacks.
Photo: Alan Alves / Unsplash
Welcome to the third edition of Hooked!, Binding Hook’s new monthly current events newsletter. In Hooked!, we draw on our latest publications and growing archive of expert research, analysis, and commentary to reflect on a recent security and technology event.
It’s been a rough few weeks for UK retailers hit by cyberattacks. On April 25, Marks & Spencer began having issues with online payments. It blamed these issues on a ‘cyber incident’ that turned out to be a ransomware attack. The company subsequently paused hiring and online ordering and saw empty shelves in some stores, losing millions of pounds in the process. Some suppliers turned to pen and paper to manage their M&S orders.
Bleeping Computer reported that the attackers first breached M&S’s servers in February, but only acted to encrypt their data on April 24.
Fellow large retailer and funeral and legal services provider Co-op, meanwhile, shut down IT systems on April 30th but was too late to prevent intruders from accessing customer data. Their grocery stores too saw empty shelves, with rural shops and those on smaller islands particularly affected. Weeks later, the impacts were still visible.
Attackers also tried to hack luxury department store Harrods, but were apparently prevented from doing so by preemptive actions from their IT team, including cutting off internet access to some sites.
Ransomware attacks on food and agriculture generally are on the rise. Such attacks put tight supply chains at risk, forcing grocery stores to reevaluate the costs of just-in-time delivery and complex algorithmic demand prediction methods.
The differing levels of access gained in the three attacks – from M&S’s encryption and total online shutdown to Harrods’ apparent success in fending off the intrusion – provide important insights into how these incidents unfold, and how to combat them.
Co-op initially claimed it had taken proactive measures to defend against the attack, that the impact was small, and that no customer data had been compromised. This led ransomware-as-a-service group DragonForce to reach out to the BBC to claim responsibility and provide evidence of a significant impact: personal information of 10 thousand Co-op members (they claim to have data for 20 million), employee usernames and passwords, and screenshots from internal Co-op meetings. Co-op did apparently manage to prevent their data from being encrypted.
Investigators found the attacks might have been conducted by people associated with the loose network of attackers known as Scattered Spider, which includes young, English speaking members of various forums and social media groups.
The M&S and Co-op attacks reportedly began with hackers impersonating employees asking for IT help and convincing IT staff to reset employee credentials.
In this vein, Chandana Seshadri recently argued in Binding Hook that companies need to take identity management more seriously in order to avoid accidentally hiring hostile actors. These hacks provide yet another reason for organisations to pay more attention to identity verification processes.
Self-described ‘ransomware cartel’ DragonForce said there were more hacks to come (Google says US retailers are now under attack), and reporters obligingly published the group’s criticism of the Co-op response. Around the same time as the initial M&S attack in April, Bleeping Computer reported that DragonForce had recently chosen to move in a new direction, transitioning from pro-Palestine hacktivism to selling themselves as a reliable, financially motivated ransomware-as-a-service partner.
This is a good reminder that media coverage provides free advertising for ransomware groups and extra pressure on targets, and that reporters and researchers should thus be cautious about using information provided by attackers.
While these attacks appear financially motivated, as Binding Hook recently showed, governments are increasingly getting involved in the ransomware ecosystem, targeting political foes, covering up espionage, and even raising funds for nuclear weapons programmes. To learn more about ransomware’s complexities, read Virtual Routes’ recent series of in-depth reports on disrupting ransomware, the ‘ransomware trust paradox’, and state use of ransomware.
Finally, these incidents illustrate yet again that ransomware causes societal as well as economic harms. At a recent roundtable held by Royal United Services Institute (RUSI) on the UK’s response to cyber threats, one participant noted that the food sector as a whole has long been considered critical infrastructure, but no individual retailer has counted as a critical entity and thus they have not been required to adopt additional cybersecurity measures. Such issues highlight challenges facing the incorporation of high street retailers into critical infrastructure categories, in the UK and elsewhere.
Sara Seppanen and Jamie MacColl’s Binding Hook article on the need for more academic research on ransomware as a national security threat provides further insights in this vein.
Outside the UK, Virtual Routes (Binding Hook’s parent organisation) has just extended the Google.org Cybersecurity Seminars program to the Netherlands to help protect local communities from the wider harms caused by ransomware. While the Netherlands has achieved unusual successes in going after ransomware operators, there remains much more to do.
Until next month,
Katharine Khamhaengwong
Binding Hook Editor
