M&S confirms social engineering led to massive ransomware attack

M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack.

M&S chairman Archie Norman revealed this in a hearing with the UK Parliament's Business and Trade Sub-Committee on Economic Security regarding the recent attacks on the retail sector in the country.

While Norman did not go into details, he stated that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee's password.

"In our case the initial entry, which was on April the 17th, occurred through what people now call social engineering. As far as I can tell that's a euphemism for impersonation," Norman explained to the MPs.

"And it was a sophisticated impersonation. They just didn't walk up and say will you change my password. They appeared as somebody with their details. And part of the point of entry also involved a third-party."

As reported by FT in May, IT outsourcing company Tata Consultancy Services had begun investigating whether it was inadvertently involved in the attack on M&S. Tata provides help desk support for M&S and is believed to have been tricked by the threat actors into resetting an employee's password, which was then used to breach the M&S network.

For the first time, M&S referenced the DragonForce ransomware operation as the potential attacker, which Norman stated was believed to be operating from Asia.

"The instigator of the attack is believed to be DragonForce, who are a ransomware operation based, we believe, in Asia."

Since the attack, many media outlets have incorrectly linked a hacktivist group known as "DragonForce Malaysia" with the DragonForce ransomware gang. The hacktivists are believed to be a pro-Palestine group operating out of Malaysia, while the DragonForce ransomware operation is believed to be in Russia.

As first reported by BleepingComputer, the attack on M&S was conducted by threat actors linked to Scattered Spider, who deployed the DragonForce ransomware on the network.
