DragonForce Ransomware Targets Major UK Retailers: A Deep Dive into the Recent Cyberattacks

In recent weeks, a series of coordinated cyberattacks has disrupted operations at several prominent UK retailers, including Marks & Spencer (M&S), the Co-op Group, and Harrods. The cybercriminal group known as DragonForce has claimed responsibility for these breaches, which have led to significant operational challenges and financial losses. This article provides an in-depth analysis of the attacks, the tactics employed by the perpetrators, and the broader implications for the retail sector.

Marks & Spencer: A High-Profile Target

Marks & Spencer, a cornerstone of British retail, was among the first to be targeted. The attack, which began in late April 2025, severely impacted the company’s online operations. M&S was forced to halt online clothing and home orders, a move that disrupted sales during a period of high consumer demand due to unusually warm weather. The company’s CEO, Stuart Machin, issued an apology to customers, stating that efforts were ongoing to restore normal operations, though a specific timeline remained unclear. The disruption also affected food product availability and led to the removal of job postings from the M&S website. Analysts estimate that the financial impact could be substantial, with ongoing losses of around £15 million weekly. The recovery process is expected to take weeks, as rebuilding networks is a complex endeavor.

The Co-op Group: Data Breach and Operational Challenges

The Co-op Group also fell victim to a cyberattack, with hackers accessing and extracting customer names and contact information. The company confirmed that no passwords, bank details, or transaction records were compromised. However, the breach led to operational challenges, including shortages in stores as the company worked to resume deliveries. Internal communications revealed that Co-op employees were instructed to keep cameras active during virtual meetings and verify participant identities, suggesting that attackers had breached internal communication channels.

Harrods: Swift Response to Cyber Threat

Luxury department store Harrods reported a cyber threat and took precautionary measures, including limiting internet access across its sites. Unlike M&S and the Co-op, Harrods managed to contain the breach swiftly, ensuring that all stores and online operations continued to function normally. The company’s proactive approach highlights the importance of rapid response in mitigating the impact of cyberattacks.

DragonForce Ransomware: Tactics and Techniques

DragonForce, initially emerging as a hacktivist group in Malaysia in August 2023, has evolved into a sophisticated Ransomware-as-a-Service (RaaS) operation. The group’s ransomware employs strong encryption algorithms, including AES-256 and RSA, with newer variants utilizing the ChaCha8 algorithm for faster encryption. Initial access is typically gained through phishing emails, exploitation of vulnerabilities, or stolen credentials. Once inside a network, the attackers use tools like Mimikatz, Advanced IP Scanner, and PingCastle to maintain persistence and elevate privileges. The malware attempts to escalate to SYSTEM-level access through Access Token Manipulation, calling Windows API functions such as DuplicateTokenEx() and CreateProcessWithTokenW(). DragonForce ransomware supports multiple command-line options, including parameters for file-system search mode, ESXi discovery, and scheduled execution. The group has been linked to exploiting several vulnerabilities, including the notorious Log4Shell vulnerability (CVE-2021-44228).
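
The post-compromise behaviour described above can be hunted for in process-creation telemetry. The following is an added example, not code from this article or from any vendor: it flags the three named tools (including renamed copies) and a SYSTEM process spawned under a non-SYSTEM parent, which is how a token duplicated with DuplicateTokenEx() and passed to CreateProcessWithTokenW() typically appears. Assumptions: JSON-lines events with Sysmon-style field names (Image, OriginalFileName, User, ParentImage, ParentUser), the tool executable names, and the parent allow-list.

```python
import json

# Tools the article names, keyed by executable name (assumed names; binaries can be renamed).
NAMED_TOOLS = {"mimikatz.exe": "Mimikatz",
               "advanced_ip_scanner.exe": "Advanced IP Scanner",
               "pingcastle.exe": "PingCastle"}
SYSTEM_USER = "nt authority\\system"
# Parents that normally start SYSTEM children (assumed allow-list; tune per estate).
SYSTEM_SPAWNERS = {"services.exe", "wininit.exe", "smss.exe", "winlogon.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return findings for one process-creation event (a dict)."""
    findings = []
    image = basename(event.get("Image", ""))
    # OriginalFileName comes from the PE version resource, so it survives a rename on disk.
    original = event.get("OriginalFileName", "").lower()
    for exe, label in NAMED_TOOLS.items():
        if exe in (image, original):
            findings.append("tool:" + label)
    user = event.get("User", "").lower()
    parent_user = event.get("ParentUser", "").lower()
    parent = basename(event.get("ParentImage", ""))
    # A SYSTEM child under a non-SYSTEM parent is how a duplicated SYSTEM token
    # handed to CreateProcessWithTokenW() shows up in process telemetry.
    if (user == SYSTEM_USER and parent_user not in ("", SYSTEM_USER)
            and parent not in SYSTEM_SPAWNERS):
        findings.append("token:system-child-of-user-parent")
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for lines that have any."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = triage(json.loads(line))
        if found:
            hits[n] = found
    return hits

# Constructed sample events, one JSON object per line (not from a real incident).
SAMPLE = [
    r'{"Image":"C:\\Windows\\notepad.exe","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","ParentUser":"CORP\\alice"}',
    r'{"Image":"C:\\Users\\Public\\svc.exe","OriginalFileName":"mimikatz.exe","User":"CORP\\alice","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentUser":"CORP\\alice"}',
    r'{"Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Users\\Public\\upd.exe","ParentUser":"CORP\\alice"}',
    r'{"Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM"}',
]
if __name__ == "__main__": print(scan(SAMPLE))
```

Name matches alone are weak signals, since PingCastle and Advanced IP Scanner are also run by administrators; the token finding is the higher-value alert and should be correlated with the host and account involved.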

The Role of Scattered Spider

Security experts have attributed some of the UK retail attacks to Scattered Spider, a loosely organized network of young, English-speaking hackers. These operators leverage DragonForce’s infrastructure while paying the group a percentage of any ransoms collected. In early 2025, DragonForce introduced a white-label service, allowing affiliates to disguise attacks under different ransomware brands. This move positions DragonForce as a Ransomware Cartel, providing infrastructure and malware while affiliates conduct operations.

Implications for the Retail Sector

The recent attacks underscore the growing vulnerability of the retail sector to cyber threats. Retailers are attractive targets due to their vast customer data, real-time operations, and reliance on legacy systems. The UK’s National Cyber Security Centre has urged all retailers to strengthen their cybersecurity measures. The agency has issued guidance to help companies protect against such exploits, emphasizing the need for heightened cyber precautions and advocating for cybersecurity to be treated as an absolute priority.

Conclusion

The DragonForce ransomware attacks on major UK retailers serve as a stark reminder of the evolving cyber threat landscape. As cybercriminals become more sophisticated, it is imperative for organizations to bolster their cybersecurity defenses, implement robust incident response plans, and foster a culture of security awareness among employees. The retail sector, in particular, must remain vigilant to protect sensitive customer data and ensure the continuity of operations in the face of increasingly complex cyber threats.