Full Report
The incident follows a spree of ransomware and extortion attacks targeting multiple U.S.- and U.K.-based retailers, including grocery stores. The logistics company said its operations are impacted. Source: "United Natural Foods, distributor for Whole Foods Market, hit by cyberattack", first published on CyberScoop.
Analysis Summary
# Incident Report: UNFI Operational Disruption Due to Cyberattack
## Executive Summary
United Natural Foods (UNFI), a major food distributor for retailers including Whole Foods Market, experienced a cyberattack that led to significant operational disruptions. The company detected unauthorized activity and took systems offline, temporarily impacting its ability to fulfill and distribute customer orders. Response involved immediate investigation with forensic experts and law enforcement notification, aiming to restore systems safely.
## Incident Details
- **Discovery Date:** Last week (prior to the Monday, June 9, 2025 filing)
- **Incident Date:** Unauthorized activity detected on Thursday (prior to the Monday, June 9, 2025 filing)
- **Affected Organization:** United Natural Foods (UNFI)
- **Sector:** Food Distribution/Logistics
- **Geography:** Rhode Island-based (US)
## Timeline of Events
### Initial Access
- **Date/Time:** Last week (exact time unknown; discovery occurred Thursday)
- **Vector:** Unauthorized activity on IT systems.
- **Details:** The specific vector is unknown, but the incident follows a pattern observed in attacks on retailers by groups such as Scattered Spider (UNC3944).
### Lateral Movement
- **Details:** Not explicitly described in the source, but the scale of the operational disruption suggests the intruders moved beyond their initial foothold.
### Data Exfiltration/Impact
- **Details:** Operations were "temporarily impacted," specifically affecting the company’s ability to fulfill and distribute customer orders. The scope/nature of data loss is under investigation.
### Detection & Response
- **How it was discovered:** The company became aware of unauthorized activity on its IT systems last week, leading to systems being taken offline on Thursday.
- **Response actions taken:** Initiated an investigation with leading forensics experts and notified law enforcement. Implemented workarounds for certain operations where possible.
## Attack Methodology
- **Initial Access:** The circumstances bear strong similarities to activity linked to associates of Scattered Spider (UNC3944), though attribution has not been confirmed.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Not described in the source; the targeting of a logistics company suggests the attackers reached systems whose loss causes maximum disruption.
- **Collection:** Unspecified; whether data was accessed or altered is still being assessed.
- **Exfiltration:** Not confirmed, but extortion is a likely goal given the pattern of similar attacks.
- **Impact:** Temporary disruptions to business operations, severely impacting order fulfillment and distribution capabilities.
## Impact Assessment
- **Financial:** Continued temporary disruption to business operations is expected. In comparable attacks, the actors have pressured victims to pay extortion demands.
- **Data Breach:** Scope and type of data compromised are under investigation.
- **Operational:** Significant, resulting in "temporary disruptions to the company’s business operations" and impacting the ability to fulfill/distribute customer orders.
- **Reputational:** Association with Whole Foods Market increases public profile of the disruption.
## Indicators of Compromise
- *No specific IoCs (IP addresses, domains, hashes) are provided in the source text.*
- **Behavioral indicators:** Unauthorized activity detected on IT systems, which prompted the company to take systems offline.
## Response Actions
- **Containment measures:** Took some IT systems offline immediately upon discovery of unauthorized activity.
- **Eradication steps:** Investigation initiated with forensics experts to assess unauthorized activity.
- **Recovery actions:** Working to safely restore systems; implementing workarounds for certain operations.
## Lessons Learned
- **Key takeaways:** Logistics and distribution companies are being actively targeted by threat actors seeking maximum disruption.
- **What could have been done better:** Cannot be assessed from the available information; the organization responded by engaging forensic experts and notifying law enforcement promptly.
## Recommendations
- Review and test incident response playbooks specific to operational technology and logistics systems.
- Enhance monitoring and detection for the known TTPs of threat groups that specialize in ransomware and extortion against supply chains.
- Ensure business continuity plans include non-IT-dependent procedures for high-priority functions such as order fulfillment, since disruption of these functions is exactly what such actors aim for.