A few times a year a cyber security incident occupies the headlines for a few days: the organisation either handles it well or it doesn't, and journalists struggle to relay rapidly developing, complex news with clarity and accuracy. The reporting often leaves much to be desired.
With the recent incident at M&S, we've seen the National Cyber Security Centre (NCSC) step in to help, and behind the scenes there has been a great deal of cooperation across the retail sector as attacks on the Co-op and Harrods followed soon after. In this post, I'll clarify what we do and don't know at this stage, and what you can do to ready yourself for a similar incident.
Who is responsible for the attack?
The group that appears to be responsible for attacking M&S is known as Scattered Spider. It is not a formally organised group of criminals like some other ransomware gangs, but comes together ad hoc, making its Tactics, Techniques and Procedures (TTPs) a bit harder to pin down.
Many of the previously dominant ransomware organisations have been taken down by law enforcement agencies in the last year, creating a void for a group like Scattered Spider to fill. Scattered Spider members are associated with "The Comm", a larger, looser community of attackers that has sometimes been associated with direct threats of physical violence.
Co-op now also appears to have been targeted by the same group.
Scattered Spider specialises in brand impersonation assets as part of a phishing toolkit that evolves rapidly. The development of that toolkit is outsourced, so the assets look far more persuasive than what a lone attacker would produce. The branded assets impersonate login pages and service-provider communications to capture passwords, and are combined with attacks on the second factor: SIM swapping (to intercept SMS codes) and MFA bombing (sending push notifications repeatedly until a fatigued user approves one). Both of those only work against SMS codes and plain push approvals, which is why the choice of MFA method matters. These phishing and identity attacks are aimed at an initial foothold in the network, from which the group looks for higher-value assets.
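The MFA bombing pattern described above is easy to spot in sign-in telemetry once you look for it: a burst of rejected or unanswered pushes for one account, sometimes followed by an approval. The following is an added example, not code from the original post or from any vendor, that runs that logic over constructed sign-in records. The record layout and the outcome strings are assumptions loosely modelled on Entra ID sign-in logs; map them to whatever your identity provider actually emits.

```python
"""
Added example (not code from the original post): a detector for MFA push
fatigue ("MFA bombing") run over constructed sign-in records. The field names
and outcome strings are assumptions modelled loosely on Entra ID sign-in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed outcome strings; adjust to your IdP's wording.
DENIED_NO_RESPONSE = "MFA denied; user did not respond to mobile app notification"
DENIED_DECLINED = "MFA denied; user declined the authentication"
DENIED_OUTCOMES = {DENIED_NO_RESPONSE, DENIED_DECLINED}
SUCCESS_OUTCOME = "MFA completed"


def _rec(user, time, ip, outcome):
    # "ip" is the address of the sign-in attempt that triggered the push,
    # i.e. where the person holding the stolen password is coming from.
    return {"user": user, "time": time, "ip": ip, "outcome": outcome}


# Constructed sample data, not real telemetry. alice receives six pushes in
# under four minutes and then approves one; bob is ordinary, benign noise.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2025-05-01T09:00:05Z", "203.0.113.10", DENIED_NO_RESPONSE),
    _rec("alice@example.com", "2025-05-01T09:00:40Z", "203.0.113.10", DENIED_NO_RESPONSE),
    _rec("alice@example.com", "2025-05-01T09:01:20Z", "203.0.113.10", DENIED_DECLINED),
    _rec("alice@example.com", "2025-05-01T09:02:10Z", "203.0.113.10", DENIED_NO_RESPONSE),
    _rec("alice@example.com", "2025-05-01T09:03:00Z", "203.0.113.10", DENIED_DECLINED),
    _rec("alice@example.com", "2025-05-01T09:03:50Z", "203.0.113.10", DENIED_NO_RESPONSE),
    _rec("alice@example.com", "2025-05-01T09:05:30Z", "203.0.113.10", SUCCESS_OUTCOME),
    _rec("bob@example.com", "2025-05-01T10:00:00Z", "198.51.100.7", DENIED_NO_RESPONSE),
    _rec("bob@example.com", "2025-05-01T10:02:00Z", "198.51.100.7", DENIED_DECLINED),
    _rec("bob@example.com", "2025-05-01T10:02:30Z", "198.51.100.7", SUCCESS_OUTCOME),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, window_minutes=10, threshold=5, success_grace_minutes=30):
    """Flag users with >= threshold denied/ignored pushes inside a sliding window,
    and record whether an approval followed the burst (the attacker got in)."""
    window = timedelta(minutes=window_minutes)
    grace = timedelta(minutes=success_grace_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": parse_time(e["time"])})

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        denials = [e for e in evs if e["outcome"] in DENIED_OUTCOMES]
        i = 0
        while i < len(denials):
            # Extend the window as far as it reaches from denials[i].
            j = i
            while j + 1 < len(denials) and denials[j + 1]["ts"] - denials[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count < threshold:
                i += 1
                continue
            burst_end = denials[j]["ts"]
            success = next((e for e in evs if e["outcome"] == SUCCESS_OUTCOME
                            and burst_end <= e["ts"] <= burst_end + grace), None)
            findings.append({
                "user": user,
                "start": denials[i]["time"],
                "end": denials[j]["time"],
                "denials": count,
                "source_ips": sorted({e["ip"] for e in denials[i:j + 1]}),
                "approved_after_burst": success["time"] if success else None,
                "approved_from_ip": success["ip"] if success else None,
            })
            i = j + 1  # one finding per burst
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(f)
```

The thresholds are deliberately conservative; tune `window_minutes` and `threshold` to your own baseline of declined pushes. A burst followed by an approval is the case to treat as a live compromise: revoke the session, reset the password and block the source IPs before anything else.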
Scattered Spider is known to use the Spectre Remote Access Trojan (RAT), which can be used for lateral movement and exfiltration of data.
In both cases, the attackers appear to have stolen the Active Directory database (NTDS.dit) for offline password hash cracking. Getting hold of NTDS.dit needs Domain Controller-level privileges, so by this point the domain is already largely compromised. The cracking itself is only slow for strong passwords: the NTLM hashes the file holds are unsalted, so weak passwords fall quickly on commodity GPUs, and the hashes can also be replayed directly (pass-the-hash) without cracking at all. For a lucrative target the effort is clearly worthwhile, as it appears to have been in these cases.
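Stealing NTDS.dit leaves a recognisable trail on the Domain Controller, because the file is locked while the directory service runs and has to be exported (ntdsutil's "install from media" mode) or copied out of a volume shadow copy together with the SYSTEM hive that holds the boot key. The following is an added example, not the post's own code or any vendor's rule set, of endpoint-side triage for that step over constructed process-creation events (Windows Security event 4688 or EDR process telemetry). Field names, sample command lines and the patterns themselves are assumptions; the correlation step escalates a shadow-copy creation when it is followed, on the same host within a short window, by access to ntds.dit or the SYSTEM hive.

```python
"""
Added example, not from the original post: triage of process-creation events
for the usual ways of copying NTDS.dit off a Domain Controller. Field names,
sample command lines and rule patterns are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Hand-written, illustrative patterns over the process command line.
RULES = [
    # ntdsutil IFM export writes a clean ntds.dit plus the SYSTEM hive
    ("ntdsutil_ifm", re.compile(
        r"ntdsutil(\.exe)?.*\b(ifm|create\s+full|ac(tivate)?\s+i(nstance)?\s+ntds)\b", re.I)),
    # shadow copy creation is also done by legitimate backups: medium on its own
    ("vss_create", re.compile(
        r"vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|diskshadow(\.exe)?", re.I)),
    # reading ntds.dit out of a shadow copy, or via esentutl, is not what backup agents do from a shell
    ("ntds_file_access", re.compile(
        r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+.*\\ntds\.dit|esentutl(\.exe)?.*\bntds\.dit|copy\b.*\\ntds\.dit", re.I)),
    # the SYSTEM hive carries the boot key needed to decrypt the hashes in ntds.dit
    ("system_hive_save", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]
BASE_SEVERITY = {"ntdsutil_ifm": "high", "vss_create": "medium",
                 "ntds_file_access": "high", "system_hive_save": "medium"}


def _ev(host, user, time, command_line):
    return {"host": host, "user": user, "time": time, "command_line": command_line}


# Constructed sample events, not real telemetry. DC01 shows the shadow-copy
# route, DC02 the ntdsutil route, FS02 a lone (plausibly legitimate) shadow copy.
SAMPLE_EVENTS = [
    _ev("DC01", r"CONTOSO\svc-backup", "2025-05-01T02:10:00Z",
        r"C:\Windows\System32\vssadmin.exe create shadow /for=C:"),
    _ev("DC01", r"CONTOSO\svc-backup", "2025-05-01T02:11:30Z",
        r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"),
    _ev("DC01", r"CONTOSO\svc-backup", "2025-05-01T02:11:45Z",
        r"reg.exe save hklm\system C:\Temp\system.hiv"),
    _ev("FS02", r"CONTOSO\backupadmin", "2025-05-01T03:00:00Z",
        r"vssadmin.exe create shadow /for=D:"),
    _ev("DC02", r"CONTOSO\jsmith", "2025-05-01T04:00:00Z",
        r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'),
    _ev("WS01", r"CONTOSO\alice", "2025-05-01T04:05:00Z",
        r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(command_line):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(command_line)]


def triage(events, window_minutes=15):
    """Match events against RULES, then escalate a shadow-copy creation that is
    followed on the same host, within the window, by ntds.dit or SYSTEM hive access."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for e in events:
        for rule in classify(e["command_line"]):
            hits.append({"host": e["host"], "user": e["user"], "time": e["time"],
                         "ts": parse_time(e["time"]), "rule": rule,
                         "severity": BASE_SEVERITY[rule], "chained_with": []})
    for a in hits:
        if a["rule"] != "vss_create":
            continue
        for b in hits:
            if b is a or b["host"] != a["host"]:
                continue
            if b["rule"] not in ("ntds_file_access", "system_hive_save"):
                continue
            if timedelta(0) <= b["ts"] - a["ts"] <= window:
                a["severity"] = b["severity"] = "high"
                a["chained_with"].append(b["time"])
                b["chained_with"].append(a["time"])
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h["severity"], h["host"], h["user"], h["rule"], h["time"], h["chained_with"])
```

Restrict the shadow-copy rule to Domain Controllers and known backup service accounts before you alert on it, or it will drown in legitimate backup jobs; the ntdsutil and shadow-copy-path rules are rare enough on a DC to page on directly.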
The ransomware used in the attack comes from a Ransomware-as-a-Service vendor, DragonForce, which handles negotiations and the encryption technology in the ransomware itself in return for a fixed 20% of the takings. Seen from DragonForce's perspective, Scattered Spider is an affiliate.
The ransomware was used to encrypt VMware ESXi clusters, taking every virtual machine hosted on them offline at once. This is the cause of the operational disruption.
How to handle a ransomware threat
All told, we are in a very different world from a couple of years ago, when major malware gangs had training manuals and clearly identifiable patterns, or a few years before that, when attackers were scarcely distinguishable from "script kiddies".
Now we have specialist outsourced developer teams, specialist tools for moving inside a network and stealing data, and specialist vendors keeping ransomware up to date for anyone who wishes to carry out an attack. They will even handle payments and negotiations. All of this sits on top of an increasingly commodified Initial Access Broker (IAB) marketplace, in which the first stage of the attack has already been identified, exploited and offered to the highest bidder.
It's important to note that in the M&S attack, no customer data appears to have been stolen. Co-op initially asserted the same thing, but we now know this isn't true. But what does this mean in the context of a ransomware attack? Co-op will be held to ransom for two distinct things: the stolen customer data and their encrypted infrastructure assets. For M&S it will only be the latter. Hopefully this makes it clear why ransomware attacks need to be considered in business continuity planning - not just data protection.
So what should you do if you are specifically concerned about Scattered Spider? In the first instance, we'd encourage you not to become overly focused on one group. It is important to align your defensive priorities with your threat model. But having said that, the techniques in use here should be broadly concerning, and all the defensive recommendations for these TTPs are solid elements of a defence-in-depth strategy.
- Prioritise Detection and Response and Threat Intelligence services if you aren't already taking them.
- Make sure you have advanced email protections such as those in Microsoft Defender for Office 365 or Mimecast protective technologies.
- Run phishing simulations.
- Run campaigns to move users off SMS-based MFA to stronger, phishing-resistant methods (FIDO2 security keys, passkeys or Windows Hello for Business); SMS codes and simple push approvals are exactly the factors that SIM swapping and MFA bombing defeat.
- Deploy Microsoft Defender for Identity if you haven't already. It offers a "Data exfiltration over SMB" detection (which would alert if the Active Directory database was pulled off a Domain Controller) and lateral movement detections that should generate many alerts before a Domain Controller could be compromised, provided someone is actually triaging them. This is one of the strongest Active Directory protections you can consider. Both the M&S and Co-op attacks relied on this stage of the attack.
- Use Windows Defender Application Control, with Microsoft's vulnerable driver blocklist, to block known-vulnerable drivers; attackers load these to disable endpoint security tooling before deploying ransomware.
- Consider pre-engaging Incident Response capabilities (we recently launched a Data Forensics and Incident Response partnership).
- Model ransomware and other attacks in business continuity plans.
This will remain an evolving, complex, and concerning space. Organisations will mature, defences will evolve, and attackers will find new ways to circumvent these measures. Exploiting vulnerabilities is so lucrative that it has become a revenue stream for the North Korean government. But the threat actors aren't all governments and Russian organised crime. Scattered Spider is a loose group of native English speakers who can consume specialist offerings from criminal technology markets (often out of reach of Western law enforcement agencies) that are becoming increasingly sophisticated and commoditised.
We advocate for a focus on security fundamentals and a defence-in-depth orientation because the weakest link will be found. Once those foundations are in place, more specific adaptations can be aligned to changes in the threat landscape.