Full Report
Individuals allegedly linked to the DragonForce cybercriminal syndicate have claimed the attack on the three UK retailers
Analysis Summary
# Threat Actor: DragonForce / Scattered Spider (Potential Overlap)
## Attribution & Identity
Anonymous individuals claiming to be members of the **DragonForce** cybercriminal syndicate claimed responsibility for recent UK retail hacks.
DragonForce originated as a pro-Palestine hacktivist group, allegedly based in Malaysia (as **DragonForce Malaysia**), active since August 2023.
DragonForce is believed to have expanded into ransomware operations. Previous operators seemed to be non-native English speakers.
The group is suspected to have strong operational overlap or affiliation with **Scattered Spider** (also tracked as **Octo Tempest** by Microsoft and **UNC3944** by Google Cloud), who are financially motivated and primarily native English speakers, likely including UK- or US-based individuals affiliated with ‘The Com’ collective. Evidence from the M&S breach investigation suggests an association with Scattered Spider.
## Activity Summary
DragonForce claimed responsibility for cyber-attacks against major UK retailers: **Marks & Spencer (M&S), Co-op, and Harrods**, infiltrating their IT networks and stealing large amounts of customer and employee data. They specifically claimed the Co-op breach was more extensive than admitted publicly.
Historical activities attributed to the broader DragonForce entity include attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
Scattered Spider is known for high-profile attacks against **Caesars Entertainment** and **MGM Resorts International** in mid-2023, and subsequent targeting of financial services (late 2023) and food services (May 2024).
## Tactics, Techniques & Procedures
- Exploiting critical unpatched vulnerabilities in internet-facing services (e.g., Log4Shell in Apache Log4j2, bugs in Ivanti Connect Secure).
- Phishing emails employing malicious links or attachments.
- Credential stuffing and brute-forcing against Remote Desktop Protocol (RDP) and VPN portals using leaked credentials.
- Deployment of commercial red-team frameworks like **Cobalt Strike** to establish C2 after the initial foothold.
- Installation of the **SystemBC backdoor**.
- Use of ransomware based on leaked **LockBit Black** builder code (LockBit 3.0).
- In the M&S incident, an **encryptor** (attributed to DragonForce or affiliates) was used to target **VMware ESXi hosts** to encrypt virtual machines.
- An operational characteristic consistent with Scattered Spider: waves of attacks on prominent brands within a single sector to gain media attention.
## Targeting
- Sectors: Retail (M&S, Co-op, Harrods), Transit Services, Government, Beverage, Lottery, Casino, Financial Services, Food Services.
- Geography: The current media attention stems from attacks in the **UK**. Earlier DragonForce activity was noted in the **Asia-Pacific region** and the **US**.
- Victims: Marks & Spencer, Co-op, Harrods, Honolulu OTS, Government of Palau, Coca-Cola (Singapore), Ohio State Lottery, Yakult Australia, Caesars Entertainment, MGM Resorts International.
## Tools & Infrastructure
- **Malware families used:** DragonForce encryptor, Cobalt Strike, SystemBC backdoor, ransomware derived from LockBit Black builder.
- **Infrastructure:** Claimed takeover of **RansomHub** RaaS tooling (after it ceased operations in March). Launched "RansomBay," a white-label service acting as a "ransomware cartel" providing underlying infrastructure and leak-site hosting for affiliates.
- **Defanged Infrastructure:** No C2 domains or IP addresses for the UK retail hacks are explicitly reported.
## Implications
The reported connection between DragonForce and Scattered Spider suggests a convergence between ideologically motivated hacktivism (or groups presenting as such) and highly organized, financially motivated crime syndicates (like those associated with The Com). DragonForce is aggressively scaling its operations by moving from smaller-scale exploitation to providing sophisticated Ransomware-as-a-Service (RaaS) support ("RansomBay" cartel model), lowering the bar for affiliates while increasing attack volume and professionalizing the underlying ransomware technology. The focus on prominent UK retailers indicates a move toward high-impact, high-visibility extortion campaigns, possibly as a marketing tool, mirroring Scattered Spider's historical methodology.
## Mitigations
- Harden perimeter defenses against common initial access vectors: implement rigorous phishing training, patch internet-facing services promptly (especially VPNs/gateways), and enforce multi-factor authentication on RDP/VPN portals.
- Proactively hunt for initial footholds and lateral movement by looking for signs of Cobalt Strike or SystemBC beaconing.
- Secure virtualization environments, specifically **VMware ESXi hosts**, against known encryption tactics, ensuring robust, segmented backups (immutable if possible).
- Monitor for behavior consistent with Scattered Spider activity, including potential credential-stuffing attempts or unusual access patterns matching typical initial compromise chains.
- Review security posture related to data exfiltration, particularly customer and employee PII/financial data storage.
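As an added example (not code from the report or from either group's tooling), two of the hunting items above, credential stuffing against RDP/VPN portals and Cobalt Strike/SystemBC-style beaconing, expressed as detection heuristics run over constructed log lines; the log formats, addresses and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed VPN/RDP authentication log lines (sample data, not from any real incident).
AUTH_LOG = """\
2025-05-01T08:00:01 vpn-gw auth FAIL user=alice src=203.0.113.7
2025-05-01T08:00:02 vpn-gw auth FAIL user=bob src=203.0.113.7
2025-05-01T08:00:03 vpn-gw auth FAIL user=carol src=203.0.113.7
2025-05-01T08:00:04 vpn-gw auth FAIL user=dave src=203.0.113.7
2025-05-01T08:00:05 vpn-gw auth FAIL user=erin src=203.0.113.7
2025-05-01T08:00:06 vpn-gw auth OK user=erin src=203.0.113.7
2025-05-01T08:05:00 vpn-gw auth FAIL user=alice src=198.51.100.4
"""

def credential_stuffing_sources(log, min_users=5):
    """Return sources whose failed logins span at least min_users distinct accounts:
    many accounts tried from one IP is the signature of stuffing, not a typo."""
    failed_users = defaultdict(set)
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if " FAIL " in line:
            failed_users[fields["src"]].add(fields["user"])
    return {src: sorted(u) for src, u in failed_users.items() if len(u) >= min_users}
# Constructed outbound connection log (egress proxy/firewall), one line per connection.
CONN_LOG = """\
2025-05-01T09:00:00 src=10.0.0.5 dst=192.0.2.10:443
2025-05-01T09:01:00 src=10.0.0.5 dst=192.0.2.10:443
2025-05-01T09:02:01 src=10.0.0.5 dst=192.0.2.10:443
2025-05-01T09:03:00 src=10.0.0.5 dst=192.0.2.10:443
2025-05-01T09:04:01 src=10.0.0.5 dst=192.0.2.10:443
2025-05-01T09:00:30 src=10.0.0.5 dst=192.0.2.20:443
2025-05-01T09:07:12 src=10.0.0.5 dst=192.0.2.20:443
2025-05-01T09:19:45 src=10.0.0.5 dst=192.0.2.20:443
2025-05-01T09:21:03 src=10.0.0.5 dst=192.0.2.20:443
"""

def beacon_candidates(log, min_conns=4, max_cv=0.1):
    """Return (src, dst) pairs whose inter-connection gaps are near-constant (coefficient of
    variation <= max_cv), the timing fingerprint of a fixed-sleep implant; value = interval in s."""
    stamps = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        stamps[(src[4:], dst[4:])].append(datetime.fromisoformat(ts))  # strip "src="/"dst="
    hits = {}
    for pair, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_conns and pstdev(gaps) / mean(gaps) <= max_cv:
            hits[pair] = round(mean(gaps))
    return hits
```

Real implants add jitter to their sleep, so in production the coefficient-of-variation threshold is tuned against a baseline of known-good periodic traffic (update checks, monitoring agents) rather than fixed at 0.1.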