Kevin BeaumontDragonForce Ransomware Cartel are claiming credit for attacks on Marks and Spencer, Co-op and Harrods and say more victim orgs are coming https://www.bloomberg.com/news/articles/2025-05-02/-dragonforce-hacking-gang-takes-credit-for-uk-retail-attacks
I'm going to make this the new ongoing megathread for DragonForce Ransomware Cartel's attack on UK retailers as they're all connected.
Why it matters: these are some of the UK's largest retailers, think Target or some such in a US sense.
Prior threads
M&S: https://cyberplace.social/@GossiTheDog/114381946765071799
Co-op: https://cyberplace.social/@GossiTheDog/114426688834113446
Harrods:
https://cyberplace.social/@GossiTheDog/114433519351165250
The individuals operating under the DragonForce banner are using social engineering for entry.
Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it's a repeat of the 2022-2023 activity.
Links: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf
https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf
I would also suggest these NCSC guides on incident management: https://www.ncsc.gov.uk/collection/incident-management
and effective cyber crisis comms: https://www.ncsc.gov.uk/guidance/effective-communications-in-a-cyber-incident
Co-op Group have now admitted a significant amount of member (customer) information has been stolen by DragonForce Ransomware Cartel, saying they "accessed data relating to a significant number of our current and past members" - around 20 million people. The Membership database, basically. That includes home addresses and phone numbers etc.
Up until now Co-op hadn't even used the words cyber or threat actor, referring to an "IT issue" and "third party" in comms.
New by me - breaking down the attacks on UK highstreet retailers
Regarding IOCs around the UK retailer activity - there’s loads doing the rounds, and they’re almost all not useful.
Eg hundreds of dynamic VPN IPs from 2022. If you google them you’ll find them on vendor blogs from years ago for Scattered Spider - people are recycling in panic and passing around in panic.
Don’t hunt on random IOCs. IP addresses change. Strengthen foundational controls. Review sign in logs for abnormal activity etc.
Bleeping Computer have more on the Co-op breach https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/
One of M&S’ biggest suppliers have said they have reverted to pen and paper for orders due to M&S lacking IT.
Additionally, M&S staff are raising concern about how they will be paid due to lack of IT systems.
M&S are over a week into a ransomware incident and still don’t have their online store working.
By the way, this is absolutely terrible advice for dealing with a major and high visibility ransomware incident.
There's a report on ITV News that Co-op member data is available on the Dark Web(tm), but as far as I know this isn't accurate. DragonForce's portal hasn't been available for over a week.
Here's the ITV News report anyhoo, logline: "ITV News understands the the ongoing cyberattack faced by the supermarket has worsened since Friday, impacting the ordering system, drivers and warehouse staff."
Sunday Times has a piece looking into ransomware incident at Marks and Spencer. It's pretty good, goes into their contain and eradicate focus.
"By shutting down parts of the IT estate, Higham’s team had worked to prevent the attack from spreading, but had also stopped parts of its digital operations from functioning. This was considered a worthy trade-off."
One error in the article - lack of recovery doesn't mean no ransomware paid. Paying is not quick restoration.
https://www.thetimes.com/business-money/companies/article/m-and-s-cyber-attack-ms-klrnxvwq6
A wrote a piece about paying ransoms does not equal quick restoration - in fact, quite often it makes things worse. https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7
Great NCSC piece by @ollie_whitehouse
I’d add - block by Entra policy specifically High risk logins (below is too FP prone), and SOC monitor them. SOC playbook = account probably compromised. How?
https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers
Sky News quote a source in M&S head office saying Marks and Spencer have no ransomware incident plan so they are making it up as they go along apparently, with staff sleeping in the office and communicating via WhatsApp.
M&S dispute this, saying they have robust business continuity plans.
BBC News has a look at teenagers phoning helpdesks and pretending to be the CISO. https://www.bbc.com/news/articles/c4grn878712o
One of the points of exploitation of large orgs is they usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put big all caps bold red warning if the person is a VIP, eg C suite, so they get VIP service - ie anything goes.
Co-op Group appear to be trying to course correct with their cyber incident comms.
They’re calling it a cyber incident now, and have put a statement on the front page of their website, along with an FAQ. They haven’t yet emailed members (they should). Edit: they’ve started emailing members.
It sounds like the situation at Co-op has got worse. They’ve stopped taking card payments in some stores, it’s cash only. https://www.telegraph.co.uk/business/2025/05/06/co-op-shops-stop-taking-card-payments-amid-cyber-attack/
People are also taking to social media to post pictures of apparently emptying store shelves.
The Co-op website claims it is down to "technical issues".
Contactless payment has been fixed at all Co-op Group stores.
One thing for media covering the Co-op thing - attackers are not impersonating IT help desks to gain access. They’re impersonating *staff* calling in to the IT help desks - they’re different things.
Co-op Group are redirecting supplies from their urban stores to remote and island locations due to stock shortages.
The article mentions their EDI platform is suffering “technical issues”. https://www.retailgazette.co.uk/blog/2025/05/co-op-reroutes-stock/
I just did a Shodan Safari on Co-op - basically all their Windows and Linux systems in their core DCs at network boundary are down, it's not just EDI. It's been like that for just under a week, prior to that things were still online.
I feel really bad for them as it's a great org. Also their CEO is basically the only one who stood up like this for trans people.
https://www.telegraph.co.uk/business/2025/05/04/ill-protect-trans-people-to-the-end-vows-co-op-boss/
If you're wondering about Marks and Spencer - I just did a Shodan Safari of their network boundary, Palo-Alto GlobalProtect VPN remote access access is still offline, 15 days later.
Online orders are still not working, and the store stock checker is disabled now.
Co-op have paused all non-essential products in stores https://www.retailgazette.co.uk/blog/2025/05/co-op-non-essential/
Every detail in this article is wrong. The M&S incident had nothing to do with hybrid working.
Marks and Spencer’s online shopping is still offline 3 weeks later. It is thought they have lost around £63m so far, excluding IR, BCP and ransom payment costs. https://www.drapersonline.com/news/ms-online-shopping-outage-enters-third-week
M&S had a significant amount of data stolen btw, but they’ve opted not to tell customers or staff.
The Grocer reports 4 regional Co-ops, who aren’t part of Co-op Group, are suffering stock shortages as they are supplied by Co-op Group.
They expect customers to start to see availability issues on shelves in the coming days.
For orgs looking for defence tips for the attacks on UK retailers, this blog from 2022 about the UK teenagers in LAPSUS$ has relevance.
As a plot twist - not documented anywhere online, but LAPSUS$ first attacks in 2021 were against UK high street retailers.
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction | Microsoft Security Blog
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.
For anybody wondering what 'dial into the incident response bridge' means, it means they'll literally Teams call into cyber IR bridges as themselves and just extort you to your face. They'll also call CISOs etc. Bad Times at the El Royale.
Marks & Spencer bureau de change staff are being forced to use pen and paper to serve customers as a result of the cyber attack on the retailer and cannot accept card payment. https://www.thisismoney.co.uk/money/markets/article-14696595/Hack-rocks-Marks-Spencer-bureau-change.html
Co-op Group have provided some more detail about what it’s doing about remote lifeline stores (ones where they’re the main/only retailer on an island):
“From Monday, 12 of the most remote lifeline stores will receive treble the volume of available product, and another 20 lifeline stores will get double the volume.” https://www.bbc.com/news/articles/c071e7x80djo
DragonForce Ransomware Cartel’s portal is back online after a multi week outage. No sign of M&S or Co-op’s data.
All M&S recruitment is still stopped, 19 days in. https://jobs.marksandspencer.com/
I think Co-op may have stopped recruitment too, they’re a big employer so usually have hundreds of open positions - currently they have 17, and most close today and the rest in a few days.
The Record quotes a Co-op worker as saying they are operating at well below 20% of their normal capacity in depots. https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system
Allianz supplies Marks and Spencer's cyber insurance, and will apparently suffer a full tower loss (i.e. it's going to be expensive) https://www.insuranceinsider.com/article/2esiwg4yv6p38pcf2pgxs/lines-of-business/cyber/allianz-leads-cyber-cover-for-m-s-ransomware-attack
People in Machynlleth are apparently turning up at local farms in search of food due to lack of produce at Co-op https://www.cambrian-news.co.uk/news/cyber-attack-people-turning-up-at-farms-as-machynlleth-co-op-shelves-remain-bare-792434
Co-op stores in Sheffield, Badenoch, Dunfermline and many other places are apparently running out of produce - it's not possible to keep up with the local media reports but they're basically bored reporters get sent out to photograph half empty fridges.
This ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication
They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.
If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.
Co-op's VDE environment is still down, too.
https://cyberplace.social/@GossiTheDog/114399017367179104
M&S confirm my toot from 3 days ago that a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anybody. https://www.bbc.com/news/articles/c62v34zv828o
Re the Co-op Group breach, Co-op say home addresses of customers were exfiltrated (it was the membership database). This one dates back to my May 2nd toot upthread re home addresses - at the time, they didn't specify home addresses.
Dave 🐶@GossiTheDog I wonder if the M&S and Co-op PR departments are constantly waiting for the other to announce something so that they themselves can push out an announcement and hope theirs goes under the radar?
Everyday.Human Derek@GossiTheDog Oh no, which was this Kevin?
greem
@GossiTheDog Incident response specialists the world over wince into their keyboards.
This is another object lesson in how not to do it. It'll be taught to students in future.
Gary Parker 
@greem @GossiTheDog meanwhile, Co-Op are still sending me emails apologising for the lack of products on shelves, with no almost no mention of data loss/appropriation
Darran Lofthouse@GossiTheDog Makes me wonder if this is where my credit card number leaked from a few weeks back.
Andy Herd 🏳️🌈🌳@GossiTheDog I can only hope this data breach is the kick up the arse needed to abolish the common practice of using date of birth as an (immutable!) security password. Once it’s public knowledge it’s beyond useless… it’s a liability. Especially in banks.
I will not be holding my breath on this one.
Alexander Dyas"Importantly, there is no evidence that the information has been shared," he added.
That's fine then, because that will never happen.
Mike Spooner@GossiTheDog Today they apparently emailed all customers that have ever purchased items from their online store. I received two such emails, an apologetic one from Stuart (CEO), and a slightly more explanatory one from Jayne Wall (Customer Services).
shoaibusman88@GossiTheDog Hey Kevin, How can we connect on message?
Dr. David McBride (dwm)
Neil Brutalist@GossiTheDog when I temped at M&S I had to find some documents in the microfiche archive. Even better way to keep attackers out.
David Penfold 
@GossiTheDog
It would end not with a bang but with a hamper.
It would end not with a bang but with a hamper.
@GossiTheDog [Random villager running off with a pig under their arm] "I've always been an advocate for 'Direct Farm to Fork'"
Simon ZerafaTo be fair a lot of small producers do have farm shops, not just Jeremy flippin' Clarkson 😆🤷♂️
raspberryswirl@GossiTheDog its prob fraud, why you need an cyber insurance? to increase the manager bonuses, with the salaries of the workers ... it must be fraud
w00p
@GossiTheDog Did someone take their portal down, saying that they shouldn't "do crime"?
d4rkshell @Cyberoutsider that was the LockBit portal.
Riley S. Faelan@GossiTheDog Perhaps they were on vacation.
Julia Rez(treasonable talk about why can't these people fuck up a newspaper or two?)
Damien@GossiTheDog surely they're limited at the volume of available product; how to can any store receive a multiple of what's available? 🤔
Fish Id Wardrobe@damien @GossiTheDog of the available product, they will receive treble of what they usually would
Jennifer Moore 😷I'm guessing they mean that instead of dividing supplies equally among all the stores, those ones will get triple or double what's sent to "the average store".
Samofhearts@GossiTheDog That's the ballerest thing I've ever heard. Call into the IT bridge for the bridge trying to mitigate your attack.
Carsten@GossiTheDog Mmh I don’t understand. Could you explain a bit more please?
AnneH
Interpipes 💙@GossiTheDog why do firms do this
Paul Chambers🚧@GossiTheDog Not sure if it is related, but M&S shuttered a flag-ship store without notice and earlier than planned on May 7th.
🔗 Marks and Spencer suddenly closes Aberdeen’s flagship St Nicholas branch after more than 80 years in city centre https://www.pressandjournal.co.uk/fp/news/aberdeen-aberdeenshire/6750909/marks-and-spencer-shuts-st-nicholas-branch/
Dave Dustin@GossiTheDog That value feels low or are M&S not huge online like other properties?
groff@venzann @GossiTheDog
AFAIK M&S mainly sell online through Ocado (who they partly own), for food, and they've only had shortages of limited items. For clothing sales the vast majority of their customers still shop in store.
AFAIK M&S mainly sell online through Ocado (who they partly own), for food, and they've only had shortages of limited items. For clothing sales the vast majority of their customers still shop in store.
Ghostrunner@GossiTheDog ah yes, the new corollary to Rumsfeld's 'never let a crisis go to waste' - 'never miss an opportunity to lie to push your agenda'
Paul_IPv6maybe by hybrid, they mean a workforce consisting of vastly overpaid & mostly useless execs, and grossly understaffed, underpaid, & unappreciated workers trying to keep the wheels from falling off?
Anthropy@GossiTheDog you don't understand, I lost at least 700 million to the drugs I had to buy to help my paranoia because I can't watch my wageslaves Imean workers do their job 
Frank Endrullat 🌻@GossiTheDog Meanwhile, some other organisations have learned how to implement zero trust properly. Yes, it’s sometimes annoying, but it does work pretty well overall. 🤷♂️
How many of those who own that alleged newspaper own commercial property?
@simonzerafa @GossiTheDog Never let the actual facts of a story get in the way of a good spin.
Clearly these retailers wouldn't have fallen victim to these attacks if they'd been using MORE artificial intelligence.
@GossiTheDog Management's view on the importance of office-based work and IT remote access:
Neil Craig