DragonForce: Behind the Attacks

Over the Easter weekend, the UK-based food and clothing retailer M&S suffered a sophisticated cyber attack that began as a phishing attack on one of the retailer’s partners. The attack allowed the pro-Palestine hacktivist group DragonForce to use the partner’s access to reach highly trusted access panels at the company, which in turn allowed the retailer itself to be compromised.

Soon after the attack, a post was made on the retailer’s corporate press release site informing customers of the breach, the stolen data and the next steps. The post, made by Operations Director Jayne Wall, announced that the data that could have been leaked included contact details, dates of birth and online order history, but that payment details and account passwords were NOT included in the leak.

On the 23rd of April, M&S released a second post stating that all new Click & Collect orders would be paused and that processing of contactless payments would be temporarily stopped. Later, on the 25th, M&S announced that all online ordering was being halted and that all existing orders would be paused or cancelled.

During May, the Co-Op Group fell victim to the same hackers and had customer data leaked onto the dark web. This came after the hackers had lain dormant on Co-Op systems; when they moved, they attempted a ransomware attack to lock down Co-Op systems, which was narrowly avoided because, as the criminals told the BBC, “They (The Co-Op Group) yanked their own plug - tanking sales, burning logistics, and torching shareholder value”.

Additionally, it was later revealed that the luxury department store Harrods was also hit by this attack. Spokespeople from Harrods have offered no information about how large the impact was, but they have asked customers to “do nothing differently” and in almost all statements describe it as an attempt to access systems.

The group behind the attacks is the hacktivist group DragonForce, a Malaysia-based pro-Palestine group of hackers. They are the same hackers involved in the 2023 attacks on the two largest US casinos, MGM Resorts and Caesars Entertainment.

According to SentinelOne, the group uses a mix of phishing emails and attacks against internet-facing services. DragonForce has been known to exploit critical flaws such as the Log4Shell vulnerability in the Apache Log4j software and multiple bugs in Ivanti Connect Secure, and to use credential stuffing with leaked username-password pairs against Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) portals.

In these attacks, DragonForce appears to use a piece of software called SystemBC as a backdoor that creates a SOCKS5 proxy connection between DragonForce servers and the victims’ servers, giving DragonForce the equivalent of being directly connected to the victim’s network. This lets DragonForce regain access should anti-virus or Defender software remove its other malware.
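As an added example (not part of the original post), here is a Python heuristic a network defender could run over captured TCP flows to spot an RFC 1928 SOCKS5 handshake on a port where no proxy should be listening, and to decode the destination the proxied connection asks for. The flow records and their byte strings are constructed sample data, and the allowed proxy port list is an assumption.

```python
"""Heuristic detection of SOCKS5 (RFC 1928) handshakes in captured TCP payloads."""
import ipaddress
import struct

SOCKS5_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload is a well-formed SOCKS5 client greeting: VER NMETHODS METHODS."""
    if len(payload) < 3 or payload[0] != SOCKS5_VERSION:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def parse_socks5_request(payload: bytes):
    """Decode a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT); None if malformed."""
    if len(payload) < 7 or payload[0] != SOCKS5_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if atyp == 0x01:      # IPv4 address, 4 bytes
        addr_end = 4 + 4
        host = str(ipaddress.IPv4Address(payload[4:addr_end]))
    elif atyp == 0x03:    # domain name, one length byte then the name
        addr_end = 5 + payload[4]
        host = payload[5:addr_end].decode("ascii", errors="replace")
    elif atyp == 0x04:    # IPv6 address, 16 bytes
        addr_end = 4 + 16
        host = str(ipaddress.IPv6Address(payload[4:addr_end]))
    else:
        return None
    if len(payload) < addr_end + 2:
        return None
    (port,) = struct.unpack("!H", payload[addr_end:addr_end + 2])
    return {"cmd": CMD_NAMES.get(cmd, f"UNKNOWN(0x{cmd:02x})"), "host": host, "port": port}


def flag_flows(flows, allowed_proxy_ports=frozenset({1080})):
    """Alert on flows whose first two client messages form a SOCKS5 handshake on a non-proxy port."""
    alerts = []
    for flow in flows:
        greeting, request = (flow["client_msgs"] + [b"", b""])[:2]
        if flow["dst_port"] in allowed_proxy_ports or not is_socks5_greeting(greeting):
            continue
        req = parse_socks5_request(request)
        if req:
            alerts.append({"src": flow["src"], "dst_port": flow["dst_port"], **req})
    return alerts


# Constructed sample flows (not real captures): a SOCKS5 CONNECT to example.internal:443
# sent to port 4431, and an ordinary TLS ClientHello on 443 that must not be flagged.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 4431, "client_msgs": [
        b"\x05\x01\x00",
        b"\x05\x01\x00\x03" + bytes([16]) + b"example.internal" + b"\x01\xbb"]},
    {"src": "10.0.0.7", "dst_port": 443, "client_msgs": [b"\x16\x03\x01\x00\xa5\x01\x00"]},
]

if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS):
        print(alert)
```

The greeting check alone is weak (three bytes match many protocols), so the alert is only raised when a decodable SOCKS5 request follows it.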
