
A wave of cyberattacks targeting major UK retailers has prompted the National Cyber Security Centre (NCSC) to issue an urgent advisory, warning of increasingly sophisticated social engineering tactics and stressing the importance of resilience beyond perimeter defenses.
The announcement comes in the wake of serious incidents involving Marks & Spencer, Co-op, and Harrods. While attribution remains under investigation, early indicators suggest the attacks share hallmarks of the DragonForce ransomware cartel, which has claimed responsibility and allegedly exfiltrated sensitive data from at least two of the affected organizations.
The NCSC confirms it is actively supporting the impacted companies and liaising with law enforcement to establish whether the intrusions form part of a coordinated campaign. Notably, the advisory points to tactics previously used by groups like Scattered Spider and LAPSUS$, where attackers exploit IT helpdesks to bypass multi-factor authentication (MFA) by impersonating employees — a technique that proved effective in several high-profile breaches over the past two years.
Retail giants under fire
Marks & Spencer, one of the UK's most prominent retailers serving over 30 million customers annually, suspended all online transactions following a breach that began disrupting operations in mid-April. The attackers reportedly extracted Active Directory data and deployed the DragonForce ransomware payload on internal VMware systems, forcing the company to convert its online storefront into a static product catalog.
Shortly after, Co-op Food disclosed a separate attack affecting internal operations, including call center and VPN access. Although the company initially downplayed the severity, it later emerged through BBC verification that the attackers had gained access to the membership database, exfiltrated large volumes of customer data, and even sent extortion messages via Microsoft Teams to senior IT staff.
Harrods, the luxury department store, confirmed similar intrusion attempts days later, prompting immediate restrictions on internal internet access, although its retail operations remain functional.
These attacks come at a time when the UK retail sector is increasingly reliant on cloud services, remote work platforms, and virtualized infrastructure — all of which have been leveraged by attackers who “walk through the front door” by masquerading as insiders.
DragonForce ransomware and the “White-Label Cartel”
Security researcher Kevin Beaumont, who has been closely tracking the incidents, emphasizes that DragonForce operates more as a loosely organized cartel offering ransomware-as-a-service, enabling less technically adept actors to execute advanced campaigns using prebuilt toolkits and social engineering playbooks. The group claims to have already compromised additional targets and signaled intentions to leak stolen data.
Beaumont also underscores the threat's low barrier to entry, likening the threat actors to “advanced persistent teenagers” rather than traditional state-backed groups. These adversaries blend in by exploiting overlooked operational weaknesses — such as lax verification at helpdesks, unmonitored login activity, and insufficient segmentation of administrative accounts.
NCSC's strategic guidance
In response, the NCSC is urging UK businesses — particularly those in the retail sector — to adopt a defense-in-depth posture that anticipates successful intrusions rather than solely focusing on prevention. Their guidance includes:
- Enforcing comprehensive multi-factor authentication, especially for privileged accounts.
- Monitoring for “Risky Logins” in Microsoft Entra ID, using threat intelligence enrichment.
- Reviewing helpdesk procedures for password resets and identity verification.
- Strengthening monitoring of administrator accounts across cloud and domain infrastructure.
- Detecting anomalous logins from residential VPN services or atypical geolocations.
- Ensuring security teams can rapidly integrate and respond to emerging TTPs from threat intelligence feeds.
The NCSC also encourages participation in its sector-specific Trust Groups to facilitate intelligence sharing and collaborative defense strategies.
For organizations outside the current spotlight, the situation serves as a pressing reminder to audit internal controls and incident response maturity. Helpdesks, in particular, should implement strict identity validation procedures for any request involving credential changes or MFA resets. Employees must be educated to challenge suspicious MFA prompts and validate identities in internal communications, especially over tools like Teams.
Administrators should also ensure that compromised user sessions are fully revoked — not just passwords reset — and that exfiltration attempts are detectable through outbound traffic monitoring.
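The detection items in the NCSC list above (risky sign-ins, residential VPN sources, atypical geolocations) and the helpdeks-reset concern in the previous two paragraphs can be turned into a single correlation rule. The following Python script is an added example written for this page; it is not NCSC guidance text or code from any of the affected retailers. It assumes a simplified event schema (fields `ts`, `type`, `user`, `country`, `asn`, `device`, `actor`) that a SIEM would normally populate from Entra ID sign-in logs and the helpdesk ticketing system; the ASN watch list, the per-user baseline and every event below are constructed, with ASNs taken from the reserved documentation range rather than real providers.

```python
"""Correlate constructed sign-in and helpdesk events to flag:
  1. a sign-in from a country the user has never used before,
  2. a sign-in from an ASN on a residential-VPN/proxy watch list,
  3. a helpdesk MFA or password reset followed, within a short window,
     by a sign-in from an unfamiliar country or device.
All data here is constructed for illustration (assumption, not page data).
"""
from datetime import datetime, timedelta

# Constructed watch list: ASNs assumed to belong to residential VPN/proxy services.
RESIDENTIAL_VPN_ASNS = {"AS64500", "AS64501"}
# How long after a helpdesk reset a sign-in from unfamiliar context is treated as suspicious.
RESET_WINDOW = timedelta(hours=2)

# Constructed per-user baseline of countries and device identifiers seen historically.
BASELINE = {
    "alice": {"countries": {"GB"}, "devices": {"dev-a1"}},
    "bob":   {"countries": {"GB", "IE"}, "devices": {"dev-b1", "dev-b2"}},
}

# Constructed event stream, already normalised into one schema.
EVENTS = [
    {"ts": "2025-04-20T08:00:00", "type": "signin", "user": "alice",
     "country": "GB", "asn": "AS64496", "device": "dev-a1"},
    {"ts": "2025-04-20T09:15:00", "type": "mfa_reset", "user": "alice", "actor": "helpdesk-01"},
    {"ts": "2025-04-20T09:40:00", "type": "signin", "user": "alice",
     "country": "US", "asn": "AS64500", "device": "dev-x9"},
    {"ts": "2025-04-20T10:00:00", "type": "signin", "user": "bob",
     "country": "IE", "asn": "AS64497", "device": "dev-b2"},
    {"ts": "2025-04-20T11:00:00", "type": "password_reset", "user": "bob", "actor": "helpdesk-02"},
    # Bob signs in five hours after his reset, from a known device and country: benign.
    {"ts": "2025-04-20T16:00:00", "type": "signin", "user": "bob",
     "country": "GB", "asn": "AS64496", "device": "dev-b1"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(value)


def analyse(events, baseline, vpn_asns=RESIDENTIAL_VPN_ASNS, window=RESET_WINDOW):
    """Return a list of (timestamp, user, reason) findings in chronological order."""
    findings = []
    last_reset = {}  # user -> (timestamp, reset type, helpdesk actor)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["type"] in ("mfa_reset", "password_reset"):
            # Remember the most recent credential change so later sign-ins can be correlated.
            last_reset[user] = (ts, ev["type"], ev["actor"])
            continue
        if ev["type"] != "signin":
            continue
        known = baseline.get(user, {"countries": set(), "devices": set()})
        new_country = ev["country"] not in known["countries"]
        new_device = ev["device"] not in known["devices"]
        if new_country:
            findings.append((ev["ts"], user, f"sign-in from new country {ev['country']}"))
        if ev["asn"] in vpn_asns:
            findings.append((ev["ts"], user, f"sign-in via residential VPN ASN {ev['asn']}"))
        reset = last_reset.get(user)
        if reset and ts - reset[0] <= window and (new_country or new_device):
            findings.append((ev["ts"], user,
                             f"{reset[1]} by {reset[2]} followed within {window} "
                             f"by sign-in from unfamiliar country/device"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in analyse(EVENTS, BASELINE):
        print(f"{ts} {user}: {reason}")
```

Run as-is, the script reports three findings, all for alice: the new country, the watch-listed ASN, and the MFA reset followed 25 minutes later by a sign-in from an unknown device and country. Bob's password reset produces nothing because his next sign-in is outside the window and matches his baseline. In a real deployment the baseline would be built from weeks of sign-in history and the ASN list sourced from threat intelligence, as the NCSC advisory suggests; the correlation logic itself stays the same.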
The coordinated nature and public claims surrounding these incidents suggest the campaign is ongoing. All UK organizations are advised to remain on high alert and to assume their defenses may be tested next.