Four people have been arrested by police investigating the devastating cyber-attacks that brought chaos to major British retailers M&S, Co-op and Harrods, causing hundreds of millions in losses and leaving supermarket shelves bare for weeks.
The National Crime Agency arrested a 20-year-old woman in Staffordshire and three males aged between 17 and 19 in London and the West Midlands during early morning raids on Thursday.
The suspects were detained on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group, with electronic devices seized from their homes for forensic analysis.
Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”
Retailers Under Siege
The cyber-attacks, which began in mid-April, wreaked havoc across Britain’s retail sector, with M&S chairman Archie Norman telling MPs this week that it felt like the hack was an “attempt to destroy the business”.
The luxury retailer expects its operations to be affected until late July, with some IT systems not fully operational until October or November, whilst estimating the attack will cost it £300 million in lost profits.
The attacks have been linked to the DragonForce ransomware-as-a-service operation, with the notorious Scattered Spider hacking collective believed to be acting as an affiliate deploying the malicious software.
“When this happens you don’t know who the attacker is, and in fact they never send you a letter signed Scattered Spider, that doesn’t happen,” Norman told lawmakers, adding that M&S didn’t hear from the threat actor for about a week after it penetrated the retailer’s systems.
Devastating Impact
M&S was the first to be breached, with a huge amount of private data belonging to customers and staff stolen before criminals deployed ransomware that scrambled the company’s IT networks, making them unusable unless a ransom was paid.
The BBC revealed that the hackers had sent an offensive email to the M&S boss demanding payment, whilst the retailer was forced to stop taking online clothing orders for 46 days and suspend click-and-collect services.
Some Co-op shelves were left bare for weeks as the retailer struggled to manage supply chains after being targeted days after the M&S breach. Millions of customers and staff had their private data stolen in the attack.
The Co-op was forced to admit that the data breach had happened after hackers contacted the BBC with proof that the firm was downplaying the cyber-attack. The broadcaster later discovered that the company had disconnected its IT networks from the internet in the nick of time to stop the hackers from deploying ransomware.
Sophisticated Attack Methods
The Cyber Monitoring Centre (CMC), a UK-based independent body set up by the insurance industry, has classified the M&S and Co-op incidents as a “single combined cyber event” – a Category 2 systemic event with estimated total financial impact ranging from £270 million to £440 million.
“Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event,” the organisation said.
Security experts revealed that DragonForce affiliates frequently rely on social engineering techniques for initial access, particularly credential theft through phishing emails and phone-based social engineering targeting IT help desks.
Graham Cluley, a cyber security expert, told ITV News: “Attacks involving the DragonForce ransomware usually start with exploitation of known vulnerabilities – often involving corporate systems that have not been kept up-to-date with the latest security patches, or because they have not been configured properly.”
Emergency Response
Co-op CEO Shirine Khoury-Haq told customers via email that the cyber criminals behind the attack were “highly sophisticated” and that managing its severity meant multiple services must remain suspended.
“This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened,” she said, confirming that customer data had been impacted in the attack.
An internal Co-op memo obtained by journalists revealed that VPN access was suspended for all staff and employees were cautioned to be extremely vigilant on email and Microsoft Teams, with staff advised to verify all attendees on camera during meetings.
Harrods Also Targeted
Luxury retailer Harrods said it too had been targeted shortly after Co-op announced its breach, forcing the department store to disconnect IT systems from the internet to keep the criminals out.
Whilst the attack on Harrods had less operational impact, the timing and similarity to the other cases raised speculation of a coordinated campaign against major British retailers.
The National Cyber Security Centre’s Jonathan Ellison and Ollie Whitehouse said: “The NCSC is working with organisations affected by the recent incidents to understand the nature of the attacks and to minimise the harm done by them, and providing advice to the wider sector and economy.”
Criminal Enterprise
DragonForce originated as a pro-Palestine hacktivist group allegedly based in Malaysia that has been active since August 2023, before shifting goals and expanding to ransomware operations.
The group is believed to be behind notable cyber-attacks in the Asia-Pacific region and the US, including on Honolulu OTS, the Government of Palau, Coca-Cola Singapore, the Ohio State Lottery and Yakult Australia.
SentinelOne senior threat researcher Jim Walter said DragonForce had pivoted to a hybrid model of political hacktivism and ransomware-enabled extortion, targeting multiple government bodies and commercial businesses aligned with specific political causes.
The ransomware operation works on a franchise model, with core developers building and maintaining the ransomware codebase whilst leasing access to affiliates who carry out attacks and share a percentage of ransom payments.
Ongoing Investigation
The arrests represent a major breakthrough in what the NCA describes as one of its “highest priorities”, though investigators stressed their work continues alongside partners in the UK and overseas.
Analysis by Fable Data showed M&S experienced a 22 per cent reduction in average daily spend during the period online shopping was unavailable, whilst Co-op saw an 11 per cent fall in daily spend in the first 30 days.
M&S insiders speaking to Sky News revealed how IT staff have been forced to sleep in the office, describing how a lack of planning for such a scenario had led to chaos within the company.
The wave of attacks against UK businesses highlights the ongoing need for strong cyber security practices and policies, with experts warning that retailers remain prime targets for sophisticated criminal operations.