U.K. authorities are urging organizations to remain vigilant following a series of cyberattacks against three leading retail companies, including the famed Harrods department store based in London.
Harrods confirmed it was the target of an attempted hack, which took place days after a threat actor stole data from the retailer Co-op and a separate attack disrupted operations at Marks & Spencer.
The U.K. National Cyber Security Centre said it has been working closely with organizations that reported attacks to the agency to develop a better understanding of the intrusions and issue advice to the wider sector.
“These incidents should act as a wake-up call to all organisations,” NCSC CEO Richard Horne said in a statement last week. “I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”
In a blog post published late Sunday, senior NCSC officials explained how the sector should take steps to mitigate potential ransomware attacks.
“Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all,” wrote NCSC Director of National Resilience Jonathon Ellison and Chief Technology Officer Ollie Whitehouse.
They urged security teams to use multifactor authentication, check for risky logins in Microsoft Entra ID Protection and review help desk login procedures, among other steps.
It is not yet clear whether one or more groups are responsible for the hacks, but Bloomberg reported that a group calling itself DragonForce has claimed credit.
DragonForce operates as a ransomware-as-a-service operation that provides tools and a dark-web site, while contracted hackers perform the attacks, according to threat researchers at GuidePoint Security. Bleeping Computer in late April linked the M&S hack to a reconstituted Scattered Spider, the group behind the 2023 MGM Resorts attacks.
“Both Alphv and RansomHub have since disbanded, which could mean that Scattered Spider has sought out DragonForce as a new home for their ransomware activities,” Justin Timothy, a GuidePoint threat intelligence consultant, told Cybersecurity Dive via email.
A Co-op spokesperson confirmed that hackers obtained names and contact information from a “significant amount” of current and past members. The stolen information did not include passwords, bank details or credit card data.
“We are continuing to experience sustained malicious attempts by hackers to access our systems,” the spokesperson said via email. “This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA.”
Harrods is continuing to serve customers at its Knightsbridge location, its airport stores, its H beauty locations and Harrods.com, according to a spokesperson.
Marks & Spencer did not respond to a request for comment, but the company said in an April 23 statement that it had moved some of its operations offline and was not processing contactless payments. The company also paused the collection of Click & Collect orders in stores and warned of delays in online order delivery. On April 25, the company paused taking orders via Marks & Spencer websites and mobile apps.