Shoppers have been warned another potentially crippling cyber attack on a British retailer is “inevitable”.
has been plunged into crisis after hackers managed to steal personal details of potentially millions of its shoppers - and hold the high street giant to ransom. was also struck, with the convenience chain “pulling the plug” on IT systems which saved it from the same fate as , but still led to widespread gaps on shelves. Bosses say they hope to have resolved supply issues by this weekend. Upmarket department store Harrods also fell prey to an attack.
Graeme Stewart, head of public sector at security company Check Point, said attempted ‘ransomware’ attacks on UK retailers had surged in the past two months, with the sector going from the twelfth most targeted to fifth. The top four, ominously, are all in the public sector, typically higher education, the , local government and the . Asked if it was inevitable that another retailer would fall prey to cyber attackers, Mr Stewart said: “Yes, because what happens with these sorts of things is that they come in waves.”

Mystery surrounds the criminals whose toxic software was used by hackers to target M&S, the Co-op and Harrods.
A gang known as DragonForce has been implicated in the first two of those, but speculation is rife about who - or what - it is. While the gang seems to have first emerged up to two years ago, experts say they operate in a similar way to others that specialise in creating ‘ransomware’. This is a form of malicious software designed to burrow into companies’ systems and steal commercially sensitive information, which is then locked, with crooks demanding their victims pay money before handing them the key. Rather than launch attacks themselves, those creating this ‘malware’ - malicious software - offer to sell the know-how to other gangs, who actually carry out the hacking.
Aiden Sinnott, senior threat researcher at the Sophos Counter Threat Unit, says outfits such as DragonForce essentially “rent” the malware to others who “use it to launch attacks. They get the ransom payment and give them 20% of all they make. There are loads of these groups. DragonForce is just one of them. Over the past year we have tracked more than 100 of these different types of groups. Most of them are based out of , that general area, and they will go onto the underground forums and advertise.”
Professor Oli Buckley, a cyber security expert at Loughborough University, said: “When ransomware hits, it’s like setting off a digital bomb: data gets encrypted, systems go dark, and recovery means rebuilding safely from the ground up, not just turning things back on.”
A gang known as Scattered Spider - with members said to be aged as young as 16 - is said to have used DragonForce’s ransomware in the M&S attack.
DragonForce’s rumoured link to Russia has been fuelled by the fact that a number of other ransomware attacks have been launched from the country in the past. Then there is the apparent warning from the group not to attack targets in the Commonwealth of Independent States, a 10-nation bloc centred on Russia and former Soviet republics. Genevieve Stark, head of cybercrime, hacktivism, and information operations intelligence analysis for the Threat Intelligence Group, told the website The Register: “The affiliate rules prohibit attacks on organizations in Commonwealth of Independent States nations and former Soviet Union countries; however, this restriction is extremely common and is not necessarily indicative of location.”
Other reports have linked DragonForce to a pro-Palestinian group located in Malaysia. There has also been speculation about the group’s motives, and that they could be political in some way.
However, most experts believe their motivation is pure and simple. “They are in it for the money,” Mr Stewart claimed. “This is old-school bank heist stuff. This is a gang that, 30 years ago, they would have been in a van knocking off a bank.” The size of the demanded ransoms can differ greatly, but Mr Stewart said it could run into millions or even tens of millions of pounds.
Victims are urged not to pay up, as doing so threatens to fuel the crime wave, but the fact the global racket exists means some companies feel they have no choice but to cave in. Payment is almost always in untraceable cryptocurrencies, such as bitcoin.
Mr Sinnott said: “Usually what happens after an attack is that there is a period of negotiation, but you usually don’t know if a ransom has been paid.”
Dr Harjinder Lallie, a reader in cybersecurity at the University of Warwick, told Sky News: “It’s just frightening. I’ve been in cybersecurity for 26 years - I’ve never known a time like this. Tens of thousands of businesses up and down the UK probably have hackers inside their network already and just don’t know about it, I’m afraid. I don’t want to scaremonger, but that is how it is working. They’re sitting in your network, waiting to the point where they can attack.”
M&S is keeping tight-lipped about the source of the attack, which it has described as “sophisticated.” Only online clothing and homeware sales - rather than food - have been suspended, although this is a near £1.3billion a year business. It has said that customers’ names, email addresses, dates of birth, phone numbers and what they bought online were among personal information that had fallen into the hands of crooks. M&S insisted “useable” payment or card details had not been stolen, and there was no evidence at this stage that the hackers have used any of the information. However, it urged shoppers to change their M&S account password, just in case.
The attack has hammered the retailer’s share price, with more than £1billion wiped off its stock market value. The fall-out, and why it is taking so long to resolve, is likely to be the focus of attention when M&S boss Stuart Machin announces the firm’s annual results on May 21. But the longer it goes on, the more damage is being done to both its coffers and its reputation.