The UK’s Cyber Monitoring Centre (CMC) assessed the incident as a Category 2 systemic event, based on the significant economic impact.
# Incident Report: Combined Cyber Attack on UK Retailers M&S and Co-op
## Executive Summary
The cyber incidents affecting UK retailers Marks & Spencer (M&S) and The Co-op, disclosed in late April 2025, have been officially linked by the Cyber Monitoring Centre (CMC) as a single, coordinated cyber event attributed to the threat actor Scattered Spider. The attacks utilized similar Tactics, Techniques, and Procedures (TTPs), primarily involving social engineering and the potential exploitation of IT helpdesk processes for initial access. The estimated combined financial impact for M&S and Co-op alone is significant, ranging up to £270 million.
## Incident Details
- **Discovery Date:** Late April 2025 (Date of disclosure for both incidents)
- **Incident Date:** Occurred around or shortly before late April 2025
- **Affected Organization:** Marks & Spencer (M&S) and The Co-op
- **Sector:** Retail
- **Geography:** United Kingdom (UK)
## Timeline of Events
### Initial Access
- **Date/Time:** Occurred prior to late April 2025 disclosure.
- **Vector:** Social engineering is the believed initial access vector.
- **Details:** Reports suggest compromised credentials and the potential abuse of IT helpdesk processes were used to gain entry.
### Lateral Movement
- **Details:** While specific details are not provided, the similarity in TTPs suggests the same methods were applied across both environments after initial compromise.
### Data Exfiltration/Impact
- **Details:** The impact was significant enough to warrant an estimated financial cost of up to £270 million for the two companies combined. The nature of any data exfiltrated is not specified.
### Detection & Response
- **How it was discovered:** Incidents were publicly disclosed in late April 2025.
- **Response actions taken:** Attribution analysis was conducted by the CMC; further response actions are not detailed in this context.
## Attack Methodology
The CMC assessed the attacks based on similarities in TTPs attributed to the likely threat actor, Scattered Spider.
- **Initial Access:** Social engineering, likely involving compromised credentials and abuse of IT helpdesk procedures.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified, though implied by the success of the operations.
- **Credential Access:** Implied via phishing or social engineering leading to credential compromise.
- **Discovery:** Not specified.
- **Lateral Movement:** Implied use of similar methods across both victims.
- **Collection:** Not specified.
- **Exfiltration:** Data theft is implied by the scale of the financial impact assessment.
- **Impact:** Significant financial cost estimated (£270m+).
## Impact Assessment
- **Financial:** Estimated total financial impact for M&S and The Co-op ranges from £270 million.
- **Data Breach:** Type and volume of data not specified, but significant enough to cause major financial consequences.
- **Operational:** Not specified, but implied disruption given the scale of the estimated financial damage.
- **Reputational:** Incidents received high-profile media coverage, linking major UK retailers to a single threat actor.
## Indicators of Compromise
*(No specific IoCs were provided in the source material, so this section is left blank.)*
- **Network indicators - defanged:**
- **File indicators:**
- **Behavioral indicators:**
## Response Actions
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified.
## Lessons Learned
- Robust IT helpdesk security protocols matter: the helpdesk was identified as the likely point of failure leveraged by the attacker.
- Threat actor attribution and linkage across multiple victims can be complex but, when successful, provides a clearer picture of coordinated activity (CMC assessment).
- Threat actors such as Scattered Spider succeed against large retailers using relatively low-resource initial access methods (social engineering and credential abuse).
## Recommendations
- Implement multi-factor authentication (MFA) across all sensitive systems and enforce strict credential hygiene.
- Review and audit IT helpdesk access and verification procedures to prevent abuse by malicious actors impersonating employees or exploiting weak verification policies.
- Enhance monitoring capabilities to detect post-compromise activity consistent with the known TTPs of threat actors that target the UK retail sector.