Marks & Spencer cyber attack
Discussion
It's hard to know currently, but as someone working in IT (inc. security) for a retail business I'm frustrated by the lack of information being shared.
They're sticking with "cyber incident" but sources like BleepingComputer are saying it's a ransomware attack by Scattered Spider:
https://www.bleepingcomputer.com/news/security/mar...
There was talk of a breach back in February where the Active Directory NTDS.dit file was supposedly taken. This potentially gives someone able to decipher it access to pretty much every account.
M&S have seemingly just isolated as many systems as they can to prevent access so remote workers can't work and distribution hubs etc are cut off from systems and data.
A few years ago M&S outsourced over half of their IT to Tata Consultancy in India.
My assumption based on working with them on other accounts is they've promised the world, and charged accordingly, not delivered and nobody at M&S really checked so disaster recovery hasn't gone to plan.

Edited by thetapeworm on Tuesday 29th April 20:18
Alex Z said:
As above, it looks like a ransomware attack. We won’t know for sure until they share more details, and that won’t happen till they are sure they have everything back under their control.
Lots of the warehouse staff are told to stay home, as are the dev teams.
Imagine being the poor sod running the new M&S store in Madrid yesterday, although it might have been some form of blessed relief not being able to partake in the company's complete fustercluck on an IT infrastructure on account of there being no bleedin' electricity for the store's systems either.
Azure tenant compromised through phishing attack, data exfiltrated subject to (time limited) ransom, bunch of next.js devs s***ting themselves. Possibly.
It's weird to me that, AIUI, they closed the checkout functionality themselves but left the site up. I assume they didn't think the actual website was compromised therefore, just the payment processing somehow. Doesn't quite add up to me, unless they've left their customers further exposed. I assume they've got external support in, NCSC have probably offered their advice too, not least on aspects like 2FA or what a Content-Security-Policy header is.
Quite a long time now to have not figured out the mechanism and stood up a fresh stack elsewhere.
RobB_ said:
Don't TCS have most of UK retail sewn up? King of race to the bottom!
Might be few RFP's coming out
To be fair to TCS, they are pretty good. The top of the India heritage service providers. They aren't cheap and are increasingly like IBM (fixed terms, no flexibility). Nobody chooses TCS for cost (pick HCL/Wipro if you just want cost arbitrage).

Cheap offshore IT as a mechanism from 10-15 years ago, all service providers use India for 60-90% offshore, depending on sector and countries being delivered to.
.:ian:. said:
RobB_ said:
thetapeworm said:
A few years ago M&S outsourced over half of their IT to Tata Consultancy in India.
Don't TCS have most of UK retail sewn up? King of race to the bottom!
Might be few RFP's coming out


However, no system is perfect and often it is the human squishy thing that opens a highly targeted payload that breaks the system, regardless of the service being insourced or outsourced.
I've seen some incredible attacks, including one at a major insurer who spent a lot on internal security (not outsourced) and still got breached. They estimated that the development for the package was several $m.
vaud said:
They estimated that the development for the package was several $m.
Sorry, the budget for implementing the breach was $m?
What did the hackers do - find an administrator with all of the required credentials, and offer them the choice of $1m in cash in a brown paper bag after handing over the necessary authentication, or having their entire family fed to the pigs?
eharding said:
Sorry, the budget for implementing the breach was $m?
What did the hackers do - find an administrator with all of the required credentials, and offer them the choice of $1m in cash in a brown paper bag after handing over the necessary authentication, or having their entire family fed to the pigs?
Implementing the breach. It was super complex and very, very smart in using compromised updates for a software package to create backdoors.
I'd share the details, but I need to check if it ever went public.
Franco5 said:
Is there anyone with cyber security knowledge that could guess at the details of what they are currently dealing with?
My speculative guess is that it's a ransomware attack that encrypted their card payments system and all historical data. It's also possible that the fire (ransomware) then spread when the ransom wasn't paid.
asfault said:
However on a more serious note targeting a few big supermarkets like this would cause real problems in the country if more were affected at the same time.
Fortunately, while they often use the same back end systems (e.g. SAP) their individual architectures and security layers will be quite different, so unless the vulnerability is a common one it would be (very) hard to launch a multiple attack. Interestingly a lot of sectors collaborate on security data - as it's not in the interest for the sector to be damaged, and as everyone is always being attacked, it's better to share confidentially - the sharing of attack data among SOCs and competitors is a strategic practice aimed at strengthening cybersecurity defenses across the board...
I'd imagine there are some long hours being put in by the IT department. It would also be interesting to know their rebuild strategy; you'd hope for air-gapped backups, but I'd imagine they'd be working closely with outside response teams and they may decide to go with a full rebuild.
Worked on two incidents and both avenues were taken by the respective organisations.
Carl_VivaEspana said:
It's also possible that the fire (ransomware) then spread when the ransom wasn't paid.
Even if there was no widespread impact across different systems it would be cautious to shut everything down to limit potential damage and gradually reinstate. It's possible that the supply chain systems causing warehouse staff to be sent home are not affected but have been isolated as a precaution. The cure could be worse than the disease, but for good reason.