
Marks & Spencer (M&S) Cyberattack
Incident Overview:
In April 2025, M&S experienced a significant cyberattack attributed to the hacking group DragonForce, which gained initial access through a compromised third-party contractor, believed to be Tata Consultancy Services (TCS). The attackers employed social engineering tactics, tricking helpdesk staff into resetting credentials, thereby bypassing multi-factor authentication (MFA) and gaining unauthorised access to M&S’s systems. (The Guardian, Specops Software)
Attack Timeline:
- February 2025: Initial breach occurred, with attackers stealing the NTDS.dit file, containing password hashes for all domain users.
- April 24, 2025: Deployment of DragonForce ransomware on VMware ESXi hosts, encrypting virtual machines and disrupting services.
Impacted Services:
- Online sales and Click & Collect services suspended.
- Contactless payments and gift card transactions disrupted.
- Remote work capabilities limited due to VPN shutdown.
- Stock shortages and increased waste due to manual processing. (computing.co.uk, AP News)
Technical Details:
- Initial Access: Achieved through social engineering of a third-party contractor’s helpdesk staff.
- Lateral Movement: Utilised stolen credentials from the NTDS.dit file to move laterally within the network.
- Ransomware Deployment: DragonForce ransomware encrypted virtual machines on VMware ESXi hosts.
- Exploited Vulnerabilities:
  - CVE-2021-44228 – Apache Log4j2 remote code execution.
  - CVE-2023-46805 – Ivanti Connect Secure and Policy Secure authentication bypass.
  - CVE-2024-21887 – Ivanti Connect Secure and Policy Secure command injection.
  - CVE-2024-21893 – Ivanti Connect Secure and Policy Secure path traversal.
Financial and Operational Impact:
- Estimated cost of £300 million, with disruptions expected to continue until July 2025.
- Shares dropped by 11%, erasing over £1 billion from market value.
AI Mitigation Strategies:
- Behavioural Analytics: AI-driven user behaviour analytics could detect anomalies in user activities, identifying potential breaches earlier.
- Automated Threat Detection: Machine learning models can identify and respond to ransomware patterns in real time.
- Third-Party Risk Assessment: AI tools can continuously assess and monitor third-party vendors for potential vulnerabilities.
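As an added example (not from the original brief and not code from any of the organisations named), a plain rule-based check over constructed Windows Security events covering the two stages described in the Technical Details list and targeted by the Behavioural Analytics strategy: helpdesk-driven password resets and NTDS.dit extraction. Event IDs 4724 (password reset attempt) and 4688 (process creation) are real Windows event IDs; the helpdesk and privileged account names and the sample events are assumptions.

```python
import re
from typing import Iterable, List

# Command-line indicators of NTDS.dit extraction (case-insensitive).
NTDS_PATTERNS = [
    re.compile(r"ntdsutil.*\bifm\b", re.I),          # "install from media" dump of the AD database
    re.compile(r"vssadmin.*create\s+shadow", re.I),  # shadow copy used to read the locked file
    re.compile(r"ntds\.dit", re.I),                  # direct reference to the file itself
]

# Assumptions: accounts allowed to perform resets, and accounts whose reset
# should always be reviewed even when a helpdesk user performs it.
HELPDESK_ACCOUNTS = {"hd-alice", "hd-bob"}
PRIVILEGED_ACCOUNTS = {"admin-dc", "svc-backup"}


def detect(events: Iterable[dict]) -> List[str]:
    """Return one alert string per suspicious event; an empty list means nothing flagged."""
    alerts = []
    for e in events:
        if e["id"] == 4724:
            # Password reset attempted by e["actor"] on e["target"].
            if e["actor"] not in HELPDESK_ACCOUNTS:
                alerts.append(f"reset of {e['target']} by non-helpdesk actor {e['actor']}")
            elif e["target"] in PRIVILEGED_ACCOUNTS:
                alerts.append(f"helpdesk reset of privileged account {e['target']} by {e['actor']}")
        elif e["id"] == 4688:
            # New process; inspect its command line for NTDS.dit extraction tooling.
            cmd = e["cmdline"]
            if any(p.search(cmd) for p in NTDS_PATTERNS):
                alerts.append(f"possible NTDS.dit extraction on {e['host']}: {cmd}")
    return alerts


# Constructed sample events (not real log data from any incident).
SAMPLE_EVENTS = [
    {"id": 4724, "actor": "hd-alice", "target": "jsmith"},        # routine reset, no alert
    {"id": 4724, "actor": "hd-bob", "target": "admin-dc"},        # privileged target, alert
    {"id": 4724, "actor": "contractor7", "target": "it-ops"},     # actor outside helpdesk, alert
    {"id": 4688, "host": "DC01",
     "cmdline": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\t\" q q"},  # alert
    {"id": 4688, "host": "WS12", "cmdline": "notepad.exe report.txt"},        # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

A production version would feed the same logic from a SIEM query rather than an in-memory list, and would pair the reset alert with the MFA re-enrolment event that typically follows it.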
Co-op Cyberattack
Incident Overview:
In April 2025, Co-op faced a ransomware attack that disrupted its point-of-sale (POS) systems across numerous retail locations. The attack led to operational outages and delayed transactions, though no customer payment data was compromised.
Attack Details:
- Attack Vector: While specific vulnerabilities exploited have not been publicly disclosed, similar attacks have leveraged vulnerabilities in VPN solutions like Pulse Secure VPN and Ivanti Connect Secure.
- Impact: Disruption of POS systems, leading to temporary store closures and operational losses.
AI Mitigation Strategies:
- Endpoint Detection and Response (EDR): AI-powered EDR solutions can detect and isolate ransomware threats before they spread.
- Network Traffic Analysis: Machine learning models can analyse network traffic to identify unusual patterns that indicate an ongoing attack.
- Patch Management: AI can assist in prioritising and automating the patching process for known vulnerabilities, reducing the window of exposure.
Conclusion
The cyberattacks on M&S and Co-op highlight the evolving threat landscape and the importance of robust cybersecurity measures. Integrating AI-driven solutions can enhance an organisation’s ability to detect, respond to, and mitigate such threats effectively.