
The cyberattack that the UK supermarket Co-op faced last month could have been far worse, according to the attackers who claimed responsibility. This is because Co-op took its computer services offline before they were infected with ransomware, meaning the ransomware never had the chance to encrypt the systems and lock staff out.
The hackers, who also claimed to be behind the cyber attack on UK retailer M&S a few days prior, sent a letter to the BBC angrily explaining that Co-op’s IT team “yanked their own plug – tanking sales, burning logistics, and torching shareholder value.” This meant that its network “never ever suffered ransomware.”
“The Co-op’s decision to proactively shut down parts of its IT systems following a cyber threat, whilst keeping essential business operations running, is a strong example of an effective containment strategy in action,” Raghu Nandakumara, Head of Industry Solutions at data centre security company Illumio, told TechRepublic in an email. “Unlike many organisations, which are forced to halt operations entirely after attacks, the Co-op appears to have protected its most critical services and maintained business continuity.”
Nevertheless, the hackers claimed to have “spent a while seated in (Co-op’s) network” before they were discovered, according to the BBC. During this time, they allegedly stole data, such as names, contact details, and dates of birth, belonging to 20 million customers, but never got the chance to deploy ransomware. Co-op does not believe that passwords, bank or credit card details, transactions, or purchase information were accessed, and has not confirmed the number of impacted customers.
The retailer detected the attempted cyberattack late last month and disclosed it on April 30, noting that data was taken from one of its systems. It subsequently restricted access to more of its systems, which helped “contain the issue and protect our wider organisation,” it said in its cyber attack FAQs. However, the action did impact Co-op’s supply chain, resulting in empty shelves across many stores, while also causing card payment systems to fail and disrupting some customer support services, including call centre operations and order tracking.
M&S reportedly taking months to recover from cyber attack, compared to Co-op’s weeks
A statement from Co-op says “there will be improved stock availability in (its) Food stores and online from this weekend,” and confirmed that card payments are now being accepted in all its shops. While the recovery operation has taken over two weeks, Co-op has fared somewhat better than M&S, which has still not fully recovered after operational disruption began over the Easter weekend.
M&S has only referred to it as a “cyber incident,” but sources told BleepingComputer that the root of its issues was a ransomware attack that started all the way back in February, leading to personal customer data being stolen. Online orders remain suspended, and some outlets are still having problems with stock and contactless payments, showing how the successful deployment of ransomware substantially prolongs the recovery timeline.
Hackers tried to use DragonForce ransomware
The hackers who claim to be behind both the Co-op and M&S hacks told the BBC that they are from the ransomware-as-a-service group DragonForce, and used the DragonForce encryptor in the attacks. Their identities ultimately remain unknown, but BleepingComputer’s sources suggest they are likely Scattered Spider threat actors.
While Scattered Spider is not a gang in itself, its members are known for their social engineering, phishing attacks, SIM swaps, multi-factor authentication bombing, and other specific tactics. They have been affiliated with high-profile ransomware gangs such as RansomHub and BlackCat. Some members are thought to be teenagers who plan attacks on Discord, Telegram, and hacker forums.
The DragonForce attackers also claim to be behind an attempted hack on Harrods just after the Co-op and M&S operations, according to the BBC, but the London department store suffered minimal disruption. In December, Sainsbury’s and Morrisons, two of the largest supermarket chains in the UK, were impacted by a ransomware attack on their supply chain software provider.