UK NCA Arrests Four People Over M&S, Co-op Cyberattacks

The UK's National Crime Agency (NCA) has arrested four individuals in connection with a series of cyberattacks that targeted Marks & Spencer (M&S), Co-operative Group (Co-op), and Harrods. The arrests, made on July 10, were part of an ongoing investigation into the attacks, which are believed to have caused significant disruptions and financial losses to the affected businesses.

According to the NCA, the four suspects – three males aged 17-20 and a 20-year-old female – were apprehended in London and West Midlands. Their electronic devices were seized for digital forensic analysis as part of the investigation. The suspects are now facing charges of Computer Misuse Act offenses, blackmail, money laundering, and participating in organized crime.

The cyberattacks on M&S, Co-op, and Harrods were carried out by a group known as DragonForce, which was described as a "ransomware" group that uses social engineering tactics to breach companies' internal systems. The attackers accessed the company's Teams platform, leaked staff credentials, and stole 10,000 customer records containing sensitive information.

The attacks had a significant impact on both M&S and Co-op, with online sales losses reaching £1.3 million per day before limited service resumed. Consumer spending dropped by 22% at M&S and 11% at Co-op, while rural areas reliant on the Co-op saw notable disruption. The attack exposed retail supply chain and IT fragility, leading to supplier strain and costly IT rebuilds.

The Cyber Monitoring Centre (CMC) labeled the cyberattacks as a Category 2 systemic event, estimating losses between £270 million and £440 million. The CMC also noted that the attacks were carried out by the same threat actor, using shared techniques, tactics, and procedures.

Investigation Continues

"Today's arrests are a significant step in that investigation, but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice," said Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit.

"Cyber attacks can be hugely disruptive for businesses. I'd like to thank M&S, Co-op, and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help," Foster added.

Cybercrime Affiliate Service

The DragonForce group is also believed to run a cybercrime affiliate service, allowing affiliates to use their tools to launch attacks and extort victims. The group manages both Telegram and Discord channels, with cybersecurity experts suggesting it is composed of English-speaking teenagers.

Importance of Cybersecurity Awareness

"Cyber attacks can have devastating consequences for businesses and individuals alike," said Foster. "It's essential that everyone takes steps to protect themselves from cyber threats. We urge anyone who has been affected by these attacks to report them to the authorities and seek support. The NCA and policing are here to help."

Follow us on Twitter: @securityaffairs and Facebook for the latest updates on this developing story.