The DragonForce ransomware group says it orchestrated the disruptive cyberattacks that hit UK retailers Co-op, Harrods, and Marks & Spencer (M&S).
The attacks began roughly two weeks ago, with M&S hit first. The retailer has suspended online purchases and is still struggling to bring all systems back to normal operations. A spokesperson for M&S refrained from sharing additional information on the incident.
Both Co-op and Harrods confirmed being targeted last week. Harrods said hackers attempted to access its systems, and that it immediately took proactive measures, including restricting internet access at its sites.
In a notice on harrods.com, the retailer notified users that its website and stores are operating normally.
Co-op said last week that the attack impacted its back office and call center services, and confirmed today the hackers’ sustained attempts to access its systems, and that customer data was stolen during the incident.
“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems. The accessed data included information relating to a significant number of our current and past members,” a spokesperson for Co-op told SecurityWeek.
The compromised information includes names and contact details, the spokesperson said, adding that passwords, financial information, and transaction information was not stolen.
“We have implemented measures to ensure that we prevent unauthorized access to our systems whilst minimizing disruption for our members, customers, colleagues and partners,” the Co-op spokesperson said.
The retailer’s confirmation of data theft comes after a member of the DragonForce group told BBC that the stolen information pertains to 20 million Co-op members, and that the hackers attempted to extort Co-op.
The UK National Cyber Security Centre (NCSC) last week urged all organizations in the country to review their cybersecurity posture and ensure they have the appropriate protections to prevent attacks.
“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public. The NCSC continues to work closely with organizations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture,” the NCSC said.
Active since August 2023, DragonForce initially engaged in hacktivist-style operations, but its goals shifted to financial gain and extortion, targeting government institutions, commercial entities, law firms, medical practices, and political organizations.
DragonForce, cybersecurity firm SentinelOne explains, relies on phishing emails, the exploitation of known vulnerabilities, and stolen credentials for initial access.
The hacking group uses various tools for reconnaissance, remote access, lateral movement, and payload delivery, including the Cobalt Strike framework, mimikatz, Advanced IP Scanner, and PingCastle. It was also seen using the SystemBC backdoor.
In previous attacks, the hackers were seen exploiting vulnerabilities in Apache Log4j2 (CVE-2021-44228), Windows (CVE-2024-21412), and Ivanti VPNs (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
The DragonForce ransomware was developed using leaked LockBit and Conti code, and affiliates can build samples targeting Windows, Linux, ESXi, and NAS-specific platforms.
This year, the group started offering a ‘white-label’ branding service to affiliates, and began branding itself as a “ransomware cartel”, which “illustrates the group’s desire to raise its profile in the crimeware landscape by enabling an ecosystem,” SentinelOne says.
Related: UK Retailers Co-op, Harrods and M&S Struggle With Cyberattacks
Related: Canadian Electric Utility Hit by Cyberattack
Related: Oregon Agency Won’t Say If Hackers Stole Data in Cyberattack
Related: Conduent Says Names, Social Security Numbers Stolen in Cyberattack
