Direct Threat: M&S Hackers Sent Abusive Ransom Demand to CEO
In a brazen escalation of the cyberattack targeting Marks & Spencer, the hacking group known as DragonForce sent an abuse-filled email containing a direct ransom demand to the retailer’s CEO, Stuart Machin, according to reports from BBC News.
The message, written in broken English, was dispatched on April 23rd, gloating about the breach and confirming DragonForce’s responsibility for the major cyberattack – a fact M&S had previously not publicly acknowledged.
Contents of the Ransom Email
The email’s aggressive tone left little to the imagination regarding the hackers’ actions and demands. Extracts revealed include disturbing boasts such as:
“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers.”
A directive to the CEO: “The dragon wants to speak to you so please head over to [our darknet website].”
This message, shown to the BBC by a cybersecurity expert, was sent not only to Machin but also to seven other M&S executives. Alongside bragging about encrypting the retailer’s IT systems, the hackers claimed to have stolen the private data of millions of customers. M&S later notified customers about potential data theft, nearly three weeks after the hackers’ initial claim.
The email also included a darknet link, presented as a portal for victims to negotiate the ransom fee, with the hackers urging, “let’s get the party started. Message us, we will make this fast and easy for us.” The criminals also indicated knowledge of the company’s cyber-insurance policy, suggesting mutual financial benefit. M&S’s CEO has not confirmed whether the company paid any ransom.
Impact and Origin of the Attack
The cyberattack has caused significant damage to M&S, with estimated costs reaching £300 million. More than six weeks after the initial breach, the retailer was reportedly still unable to process online orders, with disruptions expected to continue until July.
Intriguingly, the extortion email appears to have been sent using the account of an employee from Tata Consultancy Services (TCS), the Indian IT giant providing services to M&S for over a decade. The London-based TCS employee, who holds an M&S email address, was seemingly compromised in the attack. TCS has stated it is investigating if its systems were a gateway but denies the email originated from its network or that it’s linked to the M&S breach. M&S has declined to comment on the incident entirely.
DragonForce and Suspected Affiliates
The email confirms the link between the M&S hack and the simultaneous cyberattack on Co-op, both claimed by DragonForce. These parallel attacks, beginning in late April, severely disrupted both retailers, leaving some Co-op shelves bare and impacting M&S operations for months.
While DragonForce takes credit, the identity of the actual individuals carrying out the attacks remains unclear. DragonForce operates a Ransomware-as-a-Service (RaaS) model, offering malicious software and darknet infrastructure to affiliates in exchange for a cut of ransoms (reportedly 20%). Anyone can potentially sign up to use their tools.
Speculation is mounting that a loose collective of young, Western hackers known as Scattered Spider might be the affiliates behind the M&S and Co-op attacks and a separate Harrods hack. Cybersecurity researchers such as CrowdStrike describe Scattered Spider not as a formal group but as a community organizing across platforms like Discord and Telegram, potentially including teenagers in the US and UK.
Both the UK’s National Crime Agency (NCA) and the national cyber-crime unit have identified Scattered Spider as a key suspect in their investigations. Alleged Co-op hackers who spoke to the BBC refused to confirm if they were part of Scattered Spider, instead using aliases from the crime thriller ‘The Blacklist’ and boasting about adding UK retailers to their ‘Blacklist’. Early reports from cyber news sites also pointed towards Scattered Spider for the M&S attack.
Despite the growing suspicion around Scattered Spider, the specific individuals behind the DragonForce attacks on M&S and Co-op have not been definitively identified.