Back to the Stone Age – UK cyberattacks £ retailers

Major cyberattacks on UK retailers highlight tough decisions for boards on ransomware payments.

Article by Kordia | 16 May 2025 | 3 min to read

Iconic UK retailers are facing a spree of unprecedented cyberattacks. Marks & Spencer (M&S), Harrods, and the grocery chain Co-op are dealing with separate, yet equally destructive breaches that have hampered operations, halted online shopping and, in some cases, prevented customers from redeeming vouchers or store credit.

Adding insult to injury, the cyber incidents have played out in the public arena – with intense media scrutiny and disgruntled customers taking to social media to air frustrations. As of writing, M&S have seen their share price slump as the loss of market capitalisation since the crisis started is in danger of hitting the £1 billion mark.

Kordia’s Digital Forensics Lead Consultant Tom Orton, an expert in investigating cybersecurity incidents, says this is a serious breach that may take months to fully recover from.

“We don’t have all the detail on the full impact, but it appears to be a ransomware attack that has catapulted M&S back to the stone age, using pen and paper to trade. I suspect a significant part of their digital systems are encrypted and will need to be rebuilt.”

A ransomware group that goes by the name "DragonForce" told the BBC it was responsible for the attack on M&S and said there would be more attacks soon. However, Orton cautions that DragonForce often acts as an affiliate for other cybercriminal gangs, providing malicious code and “Ransomware as a Service” kits that enable almost anyone to launch a damaging cyber-attack.

Western groups, often composed of young people in their late teens to early 20s, have been using such tactics to great effect.

“We are seeing a blurring of lines between state-sponsored actors and local cybercrime groups. Having English-speaking hackers armed with Russian malware is a deadly combination – it’s a lot easier for social engineering attacks to succeed when perpetrated by someone with native language and context.

“These attackers are using targeted, vicious social engineering techniques. They start off using coercion. A very typical example would see them call the IT helpdesk and try to get password resets actioned by impersonating users. When that fails, they can resort to intimidation and threats of physical violence on end users, such as in the case of cybercriminal group ‘Scattered Spider’.”

Orton says retailers are prime candidates for cyberattacks.

“Retailers tend to work on razor-thin margins. So, it’s not surprising that a lot of traditional outfits have been lacking when it comes to investing into their security posture. Security teams have been underfunded, the technology has been underfunded and now that is catching up with them.”

For boards, decades of underinvestment present a risk that can be difficult to identify until it is too late – particularly in the current threat landscape. It has never been more important for directors to hold executives to account in ensuring security programmes are adequately resourced and systems are regularly audited.

However, in the moment of crisis, the board’s role is to support how the business responds to and recovers from the attack. This is where tough conversations for the board come into play, such as whether the organisation will pay a ransom in the hope that the hackers will honour promises to return stolen data and decrypt broken systems, or sign off on a costly rebuild.

Says Orton: “Theoretically, it is never ideal to pay a cyberattack extortion demand. A lot of businesses and organisations are quite principled on that.

“But in severe cases, there are different variables that you would have to analyse to ascertain a good direction. How compromised are you? Have the attackers taken data? What kind of data have they taken? Is your network infrastructure completely dead in the water? Are you able to trade?”

In some cases, Orton says boards may need to agree to pay to save their business from total demise. Boards should have a robust decision-making process in place to deal with those situations.

“This is where planning ahead can be a good idea. As part of a tabletop exercise, defining and discussing how the organisation would respond to an extortion demand, the parameters for decision making, what would you decide at the executive level and board level, and the extent of involvement of the board is a good place to start.”