Threat Event Timeline
- 22 April 2025 – Marks & Spencer released a cyber incident update on the London Stock Exchange website. The incident resulted in the organisation having to pause online clothing orders for six days.
- 30 April 2025 – Co-op confirmed a cyber attack which impacted its "back office" and call centre services.
- 1 May 2025 – Harrods stated that attackers had attempted to gain unauthorised access to its systems, implying that the attempt was unsuccessful, although the organisation still restricted access to its sites.
- 2 May 2025 – A spokesperson for DragonForce gave an interview to Bloomberg News, claiming responsibility for the attacks.
Summary
Between April and May 2025, several large UK retailers were impacted by security incidents which resulted in the disruption of their operations.
- Some of this activity has been attributed to Scattered Spider, a threat actor group known for sophisticated social engineering and phishing campaigns used to compromise targeted organisations.
- In an interview with Bloomberg, a spokesperson for the DragonForce ransomware group claimed responsibility for the recent ransomware attacks on UK retailers.
- DragonForce acts as a ransomware-as-a-service (RaaS) operator, providing access to encryptor malware, a leak site, and other infrastructure. In this model, independent affiliate groups such as Scattered Spider are typically responsible for gaining initial access to victim organisations, as well as carrying out hands-on-keyboard intrusion and extortion work.
- An uptick is expected in ransomware intrusions attributed to DragonForce in the coming weeks and months as the group seeks to establish its notoriety further and attract more affiliates.
Arctic Wolf is monitoring the threat landscape for new indicators of compromise related to Scattered Spider and DragonForce, and will alert Managed Detection and Response customers if any malicious activity is observed.
Scattered Spider Initial Access Techniques
The Scattered Spider group uses a number of social engineering techniques to gain initial access to a victim's network. These techniques include:
- Posing as IT or helpdesk staff to convince employees to share sensitive information such as passwords and multi-factor authentication (MFA) codes.
- Repeatedly triggering MFA push notifications until an employee accepts one reflexively (MFA fatigue, also called push bombing).
- Convincing cellular carriers to transfer control of a victim's phone number to a SIM card controlled by the group (SIM swapping), which defeats SMS-based MFA.
- Conducting extensive phishing campaigns using purpose-registered domains with varying lures, such as helpdesk-companyname.com.
More information on techniques used by the group can be found in an advisory released by CISA.
In early April 2025, a report was published with details on phishing campaigns conducted by the group. These campaigns impersonated specific organisations' login portals by registering domains that contain the company name combined with terms like "sso", "corp" and "vpn", so that the domain looks legitimate to users.
Recommendations
Proactively Implement Defensive Measures
While public details about the ransomware threat activity allegedly targeting UK retailers are limited at this time, organisations are encouraged to take a defense-in-depth approach. This includes the following:
- Deploy phishing-resistant MFA such as FIDO2 (WebAuthn/CTAP2) security keys or passkeys where possible. Because the credential is bound to the legitimate origin, it cannot be relayed through a lookalike login page, and because no SMS code or push prompt is involved, SIM swapping and MFA fatigue do not apply.
- Deploy endpoint detection and response on all hosts, prioritising critical assets such as domain controllers, which have been targeted in known cases.
- Keep ESXi and Hyper-V hypervisors patched and restrict management access to a small set of trusted accounts, since affiliates target hypervisors to encrypt many virtual machines at once.
- Segment the network where possible so that a single compromised host cannot reach critical systems directly.
- Implement Secure Email Gateway solutions to combat inbound phishing emails.
- Deploy security awareness training and simulated phishing exercises so that staff learn to recognise phishing attempts, including calls from people claiming to be IT or helpdesk staff.
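The reason FIDO2 holds up against the sso-companyname.com style lures is worth seeing in code: the browser, not the web page, writes the page's origin into the clientDataJSON that the authenticator signs, and the relying party checks that origin (and the hash of its own RP ID) before it trusts the assertion. The following is an added example written for this page, not code from Arctic Wolf or any WebAuthn library; the RP ID, origins, challenges and counters are constructed, and the final step of the ceremony, verifying the authenticator's public-key signature over authenticatorData || SHA-256(clientDataJSON), is left to the RP's WebAuthn library and not reproduced here.

```python
"""Relying-party checks from the WebAuthn assertion ceremony that make FIDO2
phishing-resistant. Added example; RP ID, origins, challenges and sign
counters are constructed. The signature check with the registered public key
(the last step of the ceremony) is not reproduced."""
import base64
import hashlib
import json
import secrets

RP_ID = "acme.com"                    # assumption: the relying party's ID
RP_ORIGIN = "https://sso.acme.com"    # assumption: the genuine login portal


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_data(origin: str, challenge: bytes, kind: str = "webauthn.get") -> bytes:
    """What the *browser* serialises for the authenticator to sign. A phishing
    page cannot choose 'origin'; the browser fills it from the document's real origin."""
    return json.dumps({"type": kind, "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def build_authenticator_data(rp_id: str, sign_count: int, user_present: bool = True) -> bytes:
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str, rp_origin: str, last_sign_count: int):
    """Return (ok, reason), mirroring the ordered checks of the WebAuthn
    assertion ceremony up to, but not including, the signature check."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if cd.get("origin") != rp_origin:
        # This is the phishing-resistance property: an assertion produced while the
        # user was on sso-acme.com carries that origin and is rejected here.
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch (credential scoped to another RP ID)"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    # Remaining step (not shown): verify the credential's public-key signature over
    # auth_data || SHA-256(client_data) using the key stored at registration.
    return True, "ok"


def demo():
    """Legitimate login versus the same challenge relayed through a lookalike page."""
    challenge = secrets.token_bytes(32)
    legit = verify_assertion(build_client_data(RP_ORIGIN, challenge),
                             build_authenticator_data(RP_ID, 11),
                             challenge, RP_ID, RP_ORIGIN, last_sign_count=10)
    # An adversary-in-the-middle kit on sso-acme.com relays the RP's real challenge,
    # but the browser stamps the lookalike origin into clientDataJSON. (In practice the
    # browser refuses to use an acme.com credential from sso-acme.com at all; the RP-side
    # check shown here is the defence in depth behind that.)
    phished = verify_assertion(build_client_data("https://sso-acme.com", challenge),
                               build_authenticator_data("sso-acme.com", 11),
                               challenge, RP_ID, RP_ORIGIN, last_sign_count=10)
    return legit, phished


if __name__ == "__main__":
    for label, result in zip(("legitimate", "relayed via lookalike"), demo()):
        print(f"{label:<22} -> {result}")
```

Contrast this with a one-time code or push approval: nothing in a six-digit code or an "Approve" tap identifies which site requested it, so the helpdesk impersonation, push-fatigue and SIM-swap techniques described earlier all work against them, while the origin and rpIdHash checks above fail closed for anything the user did not perform on the genuine portal.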