It’s a story straight out of a cybercrime thriller. The hackers who crippled Marks & Spencer, costing the retailer an estimated £300 million, sent an incredibly brazen email directly to the CEO, Stuart Machin. The message, written in broken English, was full of insults and boasts about their attack, and it included a racist term.
“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” the hackers wrote, claiming to have stolen data from millions of M&S customers.
This email, from the group DragonForce, confirms for the first time that M&S was hit by a ransomware attack, something the company had previously refused to acknowledge.
The email was sent using the account of an employee from Tata Consultancy Services (TCS), a company that provides IT services to M&S. TCS has denied any involvement in the breach, saying the email didn’t originate from their systems.
But the email, which also includes a link to a darknet portal for negotiating ransom payments, appears to be genuine. The hackers even seem to know about M&S’s cyber-insurance policy, writing, “we know we can both help each other handsomely : ))”.
This email also links M&S’s hack to a nearly simultaneous attack on the Co-op, which DragonForce has also claimed responsibility for. Both attacks, which began in late April, have caused major disruptions for the retailers.
While it’s now clear that DragonForce is behind both attacks, the actual hackers remain a mystery. DragonForce operates on the darknet, offering cyber-criminal affiliates a variety of services in exchange for a cut of the ransom. Anyone can join and use their tools to scramble a victim’s data or use their darknet website for extortion.
Some researchers believe DragonForce is based in Malaysia, while others point to Russia. The email to M&S hints at a Chinese origin.
There’s growing speculation that a loose group of Western hackers known as Scattered Spider might be behind the attacks, including one on Harrods. Scattered Spider isn’t a traditional group; it is more like a community that operates across platforms like Discord, Telegram, and online forums. The UK’s National Crime Agency is focusing its investigation on this group.
The Co-op hackers, when asked if they were Scattered Spider, simply replied, “We won’t answer that question.” They even adopted the names “Raymond Reddington” and “Dembe Zuma,” characters from the crime thriller “The Blacklist,” adding another layer of mystery to this case.
The M&S hack is a stark reminder of the growing threat of ransomware attacks, and the devastating impact they can have on businesses and consumers alike. As the investigation continues, the question remains: who are the hackers behind these attacks, and will they ever be caught?