Co-op confirms data theft after DragonForce ransomware claims attack

The Co-op cyberattack is far worse than initially reported, with the company now confirming that data was stolen for a significant number of current and past customers. In a statement to BleepingComputer, the Co-op stated that "as a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems." The accessed data included information relating to a significant number of their current and past members, including names and contact details.

However, it's worth noting that this data did not include members' passwords, bank or credit card details, transactions, or information relating to any members' or customers' products or services with the Co-op Group. The breach occurred after an attempted intrusion into the company's network, which the company's IT systems detected. Despite the threat actors' best efforts, the company's defenses prevented them from doing significant damage to the network.

Sources close to BleepingComputer revealed that the attack is believed to have occurred on April 22, with the threat actors utilizing tactics similar to those used in the recent Marks and Spencer breach. The attackers conducted a social engineering attack, resetting an employee's password, which was then used to breach the network. Once inside, they stole the Windows NTDS.dit file, a database for Windows Active Directory Services that contains password hashes for Windows accounts.

The Co-op is now in the process of rebuilding all of its Windows domain controllers and hardening Entra ID with the help of Microsoft DART. KPMG is assisting with AWS support to ensure the company's systems are secure. The breach has left many wondering how this could have happened, especially given the Co-op's supposed robust security measures.

The DragonForce ransomware operation: behind the scenes

In a shocking revelation, the BBC first reported that affiliates for the DragonForce ransomware operation were behind the attack on Co-op. These same hackers breached Marks and Spencer last week, as previously reported by BleepingComputer. The DragonForce operator claimed to have data from 20 million people who registered for Co-op's membership reward program.

The threat actors shared screenshots of the extortion messages with the BBC, contacting Co-op's head of cyber security and other executives using Microsoft Teams messages. After the attack, Co-op sent an internal email to employees warning them to be vigilant when using Microsoft Teams and not to share any sensitive data. It's likely that this was done out of concern that the hackers still had access to the platform.

How DragonForce operates

DragonForce is a ransomware-as-a-service operation where other cyber criminals can join as affiliates to use their ransomware encryptors and negotiation sites. In exchange, the DragonForce operators receive 20-30% of any ransoms paid by extorted victims. The threat actors will breach a network, steal data, and ultimately deploy malware that encrypts the files on all of the servers and workstations.

The threat actors then demand a ransom payment to retrieve a decryptor and promise that stolen data will be deleted. If a ransom is not paid, the ransomware operation typically publishes the stolen data on their dark web data leak site. DragonForce is a relatively new operation but is gearing up to be one of the more prominent ones in the ransomware space.

The Scattered Spider/Octo Tempest connection

The threat actors behind the Co-op breach are believed to be working with English-speaking threat actors who fit a specific set of tactics associated with the name "Scattered Spider" or "Octo Tempest." These threat actors are experts at using social engineering attacks, SIM swapping, and MFA fatigue attacks to breach networks and then steal data or deploy ransomware.
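An added example, not from the article and not Co-op's or any vendor's tooling: a small detector run over constructed sign-in records that flags the MFA fatigue pattern described above, a burst of rejected or ignored push prompts followed by an approval. The record layout, field names, and thresholds are assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real Co-op or Entra ID log data).
# Layout is an assumption: timestamp, user, MFA result, source IP.
SAMPLE_EVENTS = [
    "2025-04-22T02:01:10Z alice mfa_denied 203.0.113.7",
    "2025-04-22T02:01:55Z alice mfa_denied 203.0.113.7",
    "2025-04-22T02:02:40Z alice mfa_timeout 203.0.113.7",
    "2025-04-22T02:03:20Z alice mfa_denied 203.0.113.7",
    "2025-04-22T02:04:05Z alice mfa_denied 203.0.113.7",
    "2025-04-22T02:05:30Z alice mfa_approved 203.0.113.7",
    "2025-04-22T02:06:00Z bob mfa_denied 198.51.100.9",
    "2025-04-22T09:15:00Z bob mfa_approved 198.51.100.9",
]

REJECTED = {"mfa_denied", "mfa_timeout"}  # prompts the user declined or ignored


def parse_event(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=4):
    """Return alerts as tuples.
    ('burst', user, n): the user rejected or ignored >= threshold prompts
        inside the sliding window, i.e. someone is hammering them with pushes.
    ('approval_after_burst', user, n): an approval followed such a burst,
        the trace a successful fatigue attack leaves and the one to escalate.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent rejections
    in_burst = set()
    alerts = []
    for ts, user, result, _ip in map(parse_event, lines):
        q = recent[user]
        while q and ts - q[0] > window:  # drop rejections outside the window
            q.popleft()
        if result in REJECTED:
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append(("burst", user, len(q)))
        elif result == "mfa_approved":
            if user in in_burst and q:  # approval while the burst is still live
                alerts.append(("approval_after_burst", user, len(q)))
            in_burst.discard(user)
            q.clear()
    return alerts
```

Bob's single denial hours before a normal approval produces nothing, while Alice's five rejections followed by an approval within the window produce both alerts.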

Scattered Spider/Octo Tempest is an amorphous community of financially motivated threat actors who congregate on the same Telegram channels, Discord servers, and hacking forums. As they are "scattered" throughout the cybercrime landscape, it's difficult to pinpoint individual hackers, but it's clear that new attackers are utilizing the same methods to escalate attacks.

Defending against Scattered Spider attacks

Cybersecurity researcher Will Thomas has put together a recommended guide on defending against Scattered Spider attacks.

In conclusion, the Co-op breach highlights the importance of having robust cybersecurity measures in place. It's a wake-up call for UK retailers, many of which are already experiencing cyberattacks. By understanding the tactics used by threat actors like DragonForce and Scattered Spider, organizations can take steps to protect themselves from similar breaches in the future.