May 7, 2025

UK retail cyber attacks: Isolated incident or warning for other sectors?

The furore surrounding the recent cyber-attacks in the UK retail sector has attracted a great deal of attention and has prompted nearly every company to think about its own cyber security posture. But can we say that the major retail giants that were targeted, Marks & Spencer (M&S), Harrods and the Co-op, have poor or limited cyber security measures in place? The answer is probably no, so why were the attacks so successful?

We know that these targeted attacks were reportedly carried out by a hacking group known as "Scattered Spider", which used DragonForce ransomware to encrypt and effectively lock IT systems, resulting in major outages and significant financial losses (potentially £1Bn for M&S). Of course, these companies would have invested in market-leading IT security products (antivirus, firewalls, e-mail and web protection) and cyber security services (incident logging, vulnerability management and incident response). However, all of these extensive services predominantly look for unauthorised or suspicious activity, and from what we have ascertained, that kind of activity was not what these cases involved.

The attackers would have planned their attacks over a period of time, choosing their victims carefully, before choosing the right moment to strike. We know that the key attack methods used to gain access that appeared authorised, and thus did not arouse suspicion, were:

Social Engineering:

  • Spearphishing via Voice (Vishing): Attackers disguise themselves as IT personnel and manipulate internal help desks into granting them access. This involves making convincing phone calls to employees, tricking them into resetting passwords or installing remote access tools.
  • Phishing via Email or SMS (Smishing): Highly targeted phishing campaigns are sent to employees by email or SMS message, containing malicious links or fake/copycat login portals. These capture sensitive credentials, allowing attackers to gain initial access to the network.

Multi-Factor Authentication (MFA) Fatigue:

  • Attackers bombard employees with repeated MFA notifications. Overwhelmed or confused, some employees unknowingly approve fraudulent login attempts, thereby bypassing the multi-factor authentication protections.

Credential Abuse and Persistence:

  • Valid Accounts - Cloud Accounts: Using credentials obtained through phishing or help-desk deception, attackers access corporate cloud services and VPNs as authenticated users. This allows them to blend in with normal activity and maintain persistence within the network without triggering alerts.

Ransomware Deployment:

  • DragonForce Ransomware: Once inside the network, the attackers deployed ransomware to encrypt key systems. This caused significant operational disruptions, including payment system glitches, website shutdowns, and ultimately empty shelves in stores.

These incidents reinforce the message that cyber security is not just about having the best technological defences in place but must include having robust training, good processes and an understanding of the cyber risks that we face.

What do we do next?

It is important that organisations understand that these types of attack methods are not new and that taking cyber security for granted can often make the attack so much easier for the attacker. At CSA Cyber our team of professionals have been working with our clients to help check or implement the following tasks:

  • Reinforce internal protocols
    • Review and tighten procedures around password resets.
    • Implement strong identity verification processes.
    • Train staff and technical teams on social engineering red flags.
  • Secure critical systems
    • Patch VMware hosts to the latest level and segment management access via private VLANs.
    • Enforce MFA and conditional access across all administrative accounts and ensure administrative passwords are secure.
  • Boost detection & response
    • Monitor for “risky logon” alerts.
    • Deploy threat-hunting techniques and custom detections aligned to emerging indicators of compromise.
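The MFA fatigue technique described above leaves a distinctive footprint in authentication logs: a burst of push prompts that the user denies or ignores, sometimes followed by a single approval. The "custom detections" bullet is exactly where such a footprint can be turned into an alert. The following is an added example written for this article; it is not code from CSA Cyber or from any of the retailers mentioned. It assumes a hypothetical JSON-lines MFA log with the fields `ts`, `user`, `result` and `src_ip`, and the sample events, the five-prompt threshold and the ten-minute window are all constructed values that a SOC would tune to its own identity provider's data.

```python
"""Detect MFA push-bombing ("MFA fatigue") from JSON-lines MFA logs.

Example code for this article; the log format and all sample events are
constructed assumptions, not real data or any vendor's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical schema: ts, user, result, src_ip).
# alice receives six unanswered/denied pushes in eight minutes, then approves one.
# bob denies two pushes forty minutes apart; carol approves a single normal login.
SAMPLE_EVENTS = [
    '{"ts":"2025-05-01T02:00:00+00:00","user":"alice","result":"denied","src_ip":"198.51.100.23"}',
    '{"ts":"2025-05-01T02:01:30+00:00","user":"alice","result":"timeout","src_ip":"198.51.100.23"}',
    '{"ts":"2025-05-01T02:02:45+00:00","user":"alice","result":"denied","src_ip":"198.51.100.23"}',
    '{"ts":"2025-05-01T02:04:10+00:00","user":"alice","result":"timeout","src_ip":"198.51.100.23"}',
    '{"ts":"2025-05-01T02:05:20+00:00","user":"alice","result":"denied","src_ip":"198.51.100.23"}',
    '{"ts":"2025-05-01T02:07:55+00:00","user":"alice","result":"denied","src_ip":"198.51.100.23"}',
    '{"ts":"2025-05-01T02:09:10+00:00","user":"alice","result":"approved","src_ip":"198.51.100.23"}',
    '{"ts":"2025-05-01T01:00:00+00:00","user":"bob","result":"denied","src_ip":"203.0.113.8"}',
    '{"ts":"2025-05-01T01:40:00+00:00","user":"bob","result":"denied","src_ip":"203.0.113.8"}',
    '{"ts":"2025-05-01T03:00:00+00:00","user":"carol","result":"approved","src_ip":"192.0.2.77"}',
]

UNANSWERED = ("denied", "timeout")  # outcomes that mean the user did not accept


def parse_event(line):
    """Parse one JSON log line into a dict with a timezone-aware datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold unanswered pushes
    inside any sliding window. Severity is raised to 'high' when an approval
    follows the burst within the same window, which is the pattern of a
    fatigued user finally accepting a prompt they did not initiate."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        pushes = [e for e in events if e["result"] in UNANSWERED]

        # Sliding window over unanswered pushes: `start` is the oldest index
        # still inside `window` relative to the current push.
        start, burst_start, burst_last = 0, None, None
        for i, ev in enumerate(pushes):
            while ev["ts"] - pushes[start]["ts"] > window:
                start += 1
            if i - start + 1 >= threshold:
                if burst_start is None:
                    burst_start = start
                burst_last = i
        if burst_start is None:
            continue

        first_ts = pushes[burst_start]["ts"]
        last_ts = pushes[burst_last]["ts"]
        approved_after = any(
            e["result"] == "approved" and last_ts <= e["ts"] <= last_ts + window
            for e in events
        )
        alerts.append({
            "user": user,
            "count": burst_last - burst_start + 1,
            "first": first_ts.isoformat(),
            "last": last_ts.isoformat(),
            "sources": sorted({e["src_ip"] for e in pushes[burst_start:burst_last + 1]}),
            "approved_after_burst": approved_after,
            "severity": "high" if approved_after else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed sample, the detector raises a single high-severity alert for `alice` (six unanswered prompts followed by an approval from the same source address) and nothing for `bob` or `carol`. A "medium" alert, a burst with no approval, is still worth a call to the user, because it shows that someone already holds a valid password for that account; the "high" case should trigger session revocation and a credential reset through the tightened help-desk procedure discussed above.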

Final Thoughts

These methods highlight the attackers' reliance on exploiting human error and leveraging existing vulnerabilities rather than introducing new ones. The incidents underscore the importance of robust cyber security measures, including working with outsourced providers such as CSA Cyber. At CSA, our experts provide a comprehensive selection of Offensive Security and SOC services, from Social Engineering & Phishing Simulation services to Managed Detection & Response (MDR), to keep you safe from cyber threats. To find out more, get in touch to see how we can secure your organisation.