
M&S Rumoured to be Struggling Under Ransomware Attack

Sources claim M&S was breached in February.


The ongoing cyber incident at M&S is a ransomware attack which has encrypted the company's servers.

According to BleepingComputer, threat actors are believed to have first breached M&S as early as February, when they reportedly stole the Windows domain's NTDS.dit file, the main database for Active Directory Services running on a Windows domain controller.

The file holds password hashes for Windows accounts. Once it has been extracted and access gained to the associated plain-text passwords, those credentials can be used to spread laterally throughout the Windows domain while stealing data from network devices and servers.

Sources told BleepingComputer that the threat actors ultimately deployed the DragonForce encryptor to VMware ESXi hosts on April 24th to encrypt virtual machines.

Scattered Spider

M&S has declined to comment further, but it is rumoured that the hacking collective known as Scattered Spider are behind the attack.

Commenting, Robert McArdle, director of forward threat research at Trend Micro, confirmed that Scattered Spider is not a group that is organised in the manner of the traditional ransomware groups we associate with Russian-speaking cybercrime. They are a much more loosely connected network of individuals who assemble for individual attacks, and they resemble in structure hacktivist groups such as Anonymous in its past activity.

“Scattered Spider has routinely targeted retail providers – as shown by the domain names registered by the group for use in phishing campaign efforts – so targeting M&S would be ‘on-brand’,” he said.

Deep Social Engineering Expertise

McArdle said that Scattered Spider stands out in the techniques it uses to attack organisations: drawing on deep social engineering expertise, it leverages helpdesk and phone-based social engineering.

“Scattered Spider has been active in various incarnations since 2022 until today but is very hard to categorise as their organisation is so loose,” he said.

“What this community lacks in professionalism (compared to Russian-speaking counterparts), they more than make up for in brazenness and attacks that often spill over into the physical world.”



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
