
The Scattered Spider hacker group has been linked to a cyber attack on British multinational retailer Marks & Spencer that forced the company to take its systems offline.
In a data security incident notice filed with the London Stock Exchange on April 22, M&S said it had suffered a significant cyber security incident and had immediately launched an investigation, with assistance from external cyber security experts, to determine its nature and scope.
“It was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced. Importantly, our stores remain open and our website and app are operating as normal,” reads the notice.
While details of the incident weren’t mentioned in the notice, M&S said it has taken necessary actions to further protect its internal network to avoid a similar situation in the future.
M&S was able to keep its stores, website, and app operational. However, the cyber attack has affected its daily operations, including the Click and Collect order system: customers were asked to wait for an email confirming their order is ready for pick-up before visiting the store.
Recently, BleepingComputer reported that a group of threat actors going by the name “Scattered Spider” is responsible for the ransomware attack. According to sources contacted by the publication, the group first breached M&S’s network in February, and stole the Windows domain’s NTDS.dit file.
The NTDS.dit file serves as the central database for Active Directory, storing essential information that powers authentication and authorisation throughout the company’s network. This file also contains password hashes for Windows accounts, which, once extracted, threat actors can crack to recover the associated plain-text passwords.
Using these credentials, a threat actor can then move laterally throughout the Windows domain while stealing data from network devices and servers.
Finally, the threat actors compromised the retailer’s virtual servers on April 24 by deploying the DragonForce encryptor to VMware ESXi hosts.
An M&S spokesperson said that the company currently “cannot share the details of this cyber incident.”