Full Report
The incident follows a spree of ransomware and extortion attacks targeting multiple U.S.- and U.K.-based retailers, including grocery stores. The logistics company said its operations are impacted. The post United Natural Foods, distributor for Whole Foods Market, hit by cyberattack appeared first on CyberScoop.
Analysis Summary
# Incident Report: UNFI Cyberattack Disrupts Grocery Supply Chain
## Executive Summary
United Natural Foods (UNFI), a primary food distributor for Whole Foods Market, discovered unauthorized activity on its IT systems last week and has disclosed the resulting operational disruption. The company proactively took systems offline to contain the threat, which temporarily impacted its ability to fulfill and distribute customer orders across its extensive North American network. UNFI has launched a forensic investigation with external experts and notified law enforcement. The specific threat actor remains unconfirmed, though the incident bears similarities to recent attacks targeting the retail sector.
## Incident Details
- Discovery Date: Last week (Prior to Monday, June 9, 2025)
- Incident Date: Last week
- Affected Organization: United Natural Foods (UNFI)
- Sector: Food Distribution / Logistics
- Geography: Rhode Island-based (Operations across North America)
## Timeline of Events
### Initial Access
- Date/Time: Not specified, discovered "last week."
- Vector: Unauthorized activity on IT systems. The specific vector is unknown; a correlation with Scattered Spider tactics is suspected but unconfirmed.
- Details: Company staff became aware of unauthorized activity.
### Lateral Movement
- Details: Not detailed in the source material; however, disruption of core operational systems such as fulfillment and distribution typically implies that lateral movement occurred.
### Data Exfiltration/Impact
- Details: The attack "temporarily impacted the company’s ability to fulfill and distribute customer orders."
### Detection & Response
- Date/Time: Systems taken offline on Thursday (of the week prior to the June 9 filing).
- Detection: Awareness of unauthorized activity on IT systems.
- Response actions taken: Took some systems offline; initiated an investigation with leading forensics experts; notified law enforcement; implementing workarounds for certain operations.
## Attack Methodology
- Initial Access: Unauthorized system access (Vector unspecified).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed, implied by operational disruption.
- Collection: Not detailed.
- Exfiltration: Not detailed; the primary measurable impact was operational disruption.
- Impact: Disruption of core business operations (order fulfillment and distribution).
*Note: The attack bears strong similarities to recent ransomware/extortion activity linked to the Scattered Spider group (UNC3944) targeting retailers, though attribution is not confirmed.*
## Impact Assessment
- Financial: Expected to "continue to cause, temporary disruptions to the company’s business operations." (Specific costs not available).
- Data Breach: Unknown scope; investigation is in early stages.
- Operational: "Temporarily impacted the company’s ability to fulfill and distribute customer orders." UNFI services 30,000 customer locations.
- Reputational: Potential concern due to reliance by major retailers like Whole Foods Market.
## Indicators of Compromise
- Network indicators: No specific IOCs provided.
- File indicators: No specific IOCs provided.
- Behavioral indicators: Unauthorized activity on IT systems leading to operational shutdown.
## Response Actions
- Containment measures: Took some IT systems offline upon discovery.
- Eradication steps: Investigation ongoing; working to restore systems safely.
- Recovery actions: Implementing workarounds for certain operations where possible.
## Lessons Learned
- Key takeaways: Cyberattacks targeting the logistics and distribution sectors are an increasing threat. Rapid assessment and early engagement of external forensics experts are critical. Robust operational redundancy is needed given the reliance on digital systems for supply chain fulfillment.
- What could have been done better: Not determined, as the investigation is still early.
## Recommendations
- Enhance monitoring and segmentation around critical supply chain and order fulfillment systems.
- Review and practice business continuity/disaster recovery plans specifically for IT system failures to minimize order disruption.
- Maintain a strong defense posture against emerging ransomware and extortion tactics targeting the retail/grocery sector.