Harrods becomes latest UK retailer to fall victim to cyber attack

Three major attacks

Further details on the incident affecting Harrods are yet to be made public.

However, the incident comes barely 48 hours after Co-op first disclosed it was experiencing a similar cyber attack that it also took proactive steps to mitigate, and less than a fortnight after M&S was forced to suspend multiple online services following an incident.

This lends weight to growing speculation that all three attacks may share a common link. The most plausible scenario would suggest the three attacks originated through an unidentified third-party retail services partner in a supply chain attack.

There must be a common thread across these retailers that has put them firmly in the crosshairs of cyber criminals. These aren’t isolated events, they are a wake-up call

Earlier this week, it emerged that the M&S attack may have been the work of the cyber criminal collective Scattered Spider, which allegedly deployed a white-label ransomware called DragonForce on its VMware servers.

A compromise orchestrated through a third-party supplier would align with Scattered Spider’s modus operandi – the gang famously extorted multiple victims, including two high-profile Las Vegas casino operators, having exploited Okta identity services.

Tim Grieveson, chief security officer at attack surface discovery specialist ThingsRecon, said: “There must be a common thread across these retailers that has put them firmly in the crosshairs of cyber criminals. These aren’t isolated events, they are a wake-up call. The action and initiative we have seen from the Co-Op and Harrods should be a blueprint for others, not just in retail, but across all sectors.”

Toby Lewis, head of threat analysis at Darktrace, said: “With the information publicly available, we can see two other likely scenarios: either a common supplier or technology used by all three retailers has been breached and used as an entry point to big-name retailers; or the scale of the M&S incident has prompted security teams to relook at their logs and act on activity they wouldn’t have previously judged a risk.

“It’s a lesson again in the growing difficulty large organisations have in securing against threats in their supply chain, particularly as those threats grow in volume and sophistication.”

Copycat hackers

Jake Moore, global cyber security advisor at ESET, highlighted a third possibility, saying that even if the same threat actor was not responsible for all three incidents, it was not uncommon for related targets in similar sectors to fall victim to attacks in quick succession.

Moore said that in the case of ransomware like DragonForce, which is openly sold on the cyber criminal underground via a ransomware-as-a-service (RaaS) model, it can be easily deployed by other threat actors motivated by the first attack to seek out similar vulnerabilities.

“Other hacking groups are also able to attempt their luck on similar businesses and start demanding ransoms where possible,” added Moore.

“Attacks involving the DragonForce ransomware most commonly start by targeting known vulnerabilities, such as attacking systems that have not been kept up to date with the latest security patches, so businesses need to be extra vigilant and improve how quickly they update their networks,” he said.