The cyber attack on Marks & Spencer (M&S), Co-op Group and Harrods (reported in May 2025) was a sophisticated ransomware operation that disrupted online orders, warehouse logistics, and customer service systems. Below is a technical analysis of the incident along with the key lessons learned from it.
Attack Timeline and Methodology
- Initial Breach (February 2025): The attackers reportedly infiltrated M&S’s systems as early as February, exfiltrating the NTDS.dit file, a critical component of Windows Active Directory that contains hashed credentials. This allowed them to crack passwords offline and gain elevated access across the network.
- The attack is attributed to the hacking collective known as Scattered Spider, also referred to as UNC3944, Octo Tempest, and Muddled Libra. This group is known for sophisticated social engineering techniques, including phishing, SIM swapping, and multi-factor authentication (MFA) fatigue attacks. Such methods likely facilitated initial access to M&S’s systems.
- Extraction of NTDS.dit File: Once inside the network, the attackers reportedly exfiltrated the NTDS.dit file, which contains Active Directory data, including user account information and password hashes. By obtaining this file, the attackers could perform offline password cracking, enabling them to escalate privileges and move laterally within the network.
- Lateral Movement and Reconnaissance: With administrative credentials, the attackers moved laterally within M&S’s IT environment, identifying key assets and systems.
- Deployment of DragonForce Ransomware: After establishing a foothold, the attackers deployed DragonForce ransomware on April 24, 2025, targeting M&S’s VMware ESXi servers. This encrypted virtual machines, disrupting various services, including online orders and contactless payments, and causing wider operational disruptions.
Impact on Operations
- Online Services: M&S suspended online orders and click-and-collect services, affecting a significant revenue stream, as online sales accounted for over £1.27 billion in the previous year.
- In-Store Operations: Contactless payments were temporarily disabled, and gift card transactions were disrupted.
- Workforce: Approximately 200 agency workers at the Castle Donington distribution center were instructed to stay home due to operational slowdowns.
- Financial Repercussions: The company’s market valuation dropped by nearly £700 million in the days following the attack.
Lessons Learned
1. Importance of Proactive Threat Detection
The attackers maintained a presence within M&S’s systems for an extended period before deploying ransomware. This underscores the need for continuous monitoring and advanced threat detection capabilities to identify and mitigate threats before they escalate.
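As an added defender's example (not code from the original post), here is the kind of detection logic that lesson 1 and the NTDS.dit entries in the timeline call for: a Python script run over constructed Windows Security event lines (Event ID 4688 process creation and Event ID 4662 directory-service access) that flags the common ways the AD database is copied off a domain controller or its password hashes are pulled via replication. Host names, accounts and command lines are constructed samples; the two replication GUIDs are the real Active Directory extended-right identifiers.

```python
import re

# Extended-right GUIDs that a replication request (the "DCSync" pattern) asks for in Event ID 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Process command lines that copy NTDS.dit out from under the running domain controller.
NTDS_COMMAND_PATTERNS = [
    (re.compile(r"ntdsutil.*\bifm\b", re.I), "ntdsutil IFM snapshot of NTDS.dit"),
    (re.compile(r"vssadmin.*create\s+shadow", re.I), "volume shadow copy (NTDS.dit access)"),
    (re.compile(r"ntds\.dit", re.I), "direct reference to NTDS.dit"),
]

# key=value tokens; a quoted value (e.g. a command line) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in FIELD_RE.findall(line)}


def detect_ntds_theft(lines):
    """Return (host, user, reason) findings for events consistent with NTDS.dit theft."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        user = ev.get("User", "")
        if ev.get("EventID") == "4688":
            for pattern, reason in NTDS_COMMAND_PATTERNS:
                if pattern.search(ev.get("CommandLine", "")):
                    findings.append((ev.get("Host"), user, reason))
                    break
        elif ev.get("EventID") == "4662":
            guid = ev.get("Properties", "").strip("{}").lower()
            # DCs replicate with each other legitimately (machine accounts end in '$');
            # a replication right requested by an ordinary user account is the alert.
            if guid in REPLICATION_GUIDS and not user.endswith("$"):
                findings.append((ev.get("Host"), user, f"replication right {REPLICATION_GUIDS[guid]} requested by user account"))
    return findings


SAMPLE_LOG = [  # constructed sample events, not real telemetry from the incident
    'EventID=4688 Host=DC01 User=CORP\\svc-backup CommandLine="ntdsutil.exe ac i ntds ifm create full C:\\temp\\ifm q q"',
    'EventID=4688 Host=DC01 User=CORP\\jdoe CommandLine="vssadmin.exe create shadow /for=C:"',
    'EventID=4688 Host=WS12 User=CORP\\jdoe CommandLine="notepad.exe C:\\notes.txt"',
    'EventID=4662 Host=DC01 User=CORP\\DC02$ ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}',
    'EventID=4662 Host=DC01 User=CORP\\jdoe ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}',
]

if __name__ == "__main__":
    for host, user, reason in detect_ntds_theft(SAMPLE_LOG):
        print(f"ALERT {host} {user}: {reason}")
```

In production the same logic would consume forwarded DC logs (or a SIEM query); the value is in alerting on any non-DC account exercising replication rights, which is normal for domain controllers and almost never for users.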
2. Strengthening Authentication Mechanisms
The exploitation of MFA fatigue and social engineering tactics highlights the necessity of robust authentication protocols. Implementing phishing-resistant MFA methods, such as hardware tokens or biometric verification, can enhance security.
3. Regular Auditing and Credential Management
The theft of the NTDS.dit file emphasizes the critical need for regular auditing of privileged accounts and the implementation of stringent credential management practices, including the use of unique, complex passwords and regular rotation.
4. Network Segmentation and Least Privilege Access
Limiting lateral movement through network segmentation and enforcing the principle of least privilege can contain breaches and prevent attackers from accessing critical systems.
5. Incident Response Planning and Communication
M&S’s response involved collaboration with cybersecurity firms and notification of relevant authorities. However, some customers expressed dissatisfaction with the communication regarding the incident. This highlights the importance of transparent and timely communication during cybersecurity incidents.
🛡️ Recommendations for Organizations
- Implement Advanced Threat Detection: Utilize behavioral analytics and anomaly detection tools to identify suspicious activities promptly.
- Enhance Employee Training: Conduct regular training sessions to educate employees about phishing, social engineering, and other common attack vectors.
- Regularly Update and Patch Systems: Ensure all systems and applications are up-to-date with the latest security patches to mitigate known vulnerabilities.
- Develop Comprehensive Incident Response Plans: Establish and routinely test incident response protocols to ensure preparedness for potential cyber incidents.
- Engage in Threat Intelligence Sharing: Participate in information-sharing initiatives to stay informed about emerging threats and attack methodologies.
Conclusion
The May 2025 cyberattack on British retailers is a stark reminder of the evolving threat landscape and of the need for organizations to adopt a proactive and comprehensive approach to cybersecurity.
If I had to speculate based on Scattered Spider’s historical behaviour:
- Spear phishing of privileged users is a strong candidate — they’ve pulled this off successfully before, often using LinkedIn scraping and MFA fatigue.
- The exfiltration of the NTDS.dit file suggests they were able to achieve Domain Admin privileges early — possibly via misconfigured identity federation, legacy auth protocols like NTLM, or exploiting hybrid AD/Entra ID misconfigurations.
- If VMware ESXi servers were targeted again, it may also hint at vCenter exposure, especially if it’s not behind a hardened management plane or VPN.
- We shouldn’t rule out ZeroLogon-like exploitation or even vulnerabilities in endpoint agents with elevated privileges.
Until details emerge, I’d say it’s vital for other orgs to:
- Conduct AD tiering audits,
- Enforce Privileged Access Workstations (PAWs),
- Review MFA enrollment methods (and ban SMS-based and push-only setups),
- And implement Credential Guard and LSASS hardening where feasible.
Credit & Sources
The Sun, BleepingComputer, Bloomberg, The Guardian, Techzine Global, The Standard, Silicon Republic, The Independent
