Cyber correspondent

Almost daily, my phone pings with messages from hackers of all stripes.
The good, the bad, the not-so-sure.
I’ve been reporting on cyber security for more than a decade, so I know that many of them like to talk about their hacks, findings and escapades.
About 99% of those conversations stay firmly locked in my chat logs and do not lead to news stories. But a recent ping was impossible to ignore.
“Hey. This is Joe Tidy from the BBC reporting on this Co-op news, correct?” the hackers messaged me on Telegram.
“We have some news for you,” they teased.
When I cautiously asked what this was, the people behind the Telegram account – which had no name or profile picture – gave me the lowdown on what they claimed to have done to M&S and the Co-op, in cyber attacks that caused mass disruption.
Through back-and-forth messages over the following five hours, it became clear to me that these apparent hackers were fluent English speakers and, although they claimed to be messengers, it was obvious they were closely connected to – if not intimately involved in – the M&S and Co-op hacks.
They shared evidence proving that they had stolen a huge amount of private customer and employee data.
I looked at a sample of the data they had given me – and then securely deleted it.

Messages that confirmed suspicions
They were clearly frustrated that Co-op wasn’t giving in to their ransom demands but would not say how much money in Bitcoin they were demanding from the retailer in exchange for the promise that they would not sell or give away the stolen data.
After a conversation with the BBC’s Editorial Policy team, we decided that it was in the public interest to report that they had provided us with evidence proving that they were responsible for the hack.
I quickly contacted the press team at the Co-op for comment, and within minutes the company, which had initially downplayed the hack, admitted to staff, customers and the stock market that there had been a significant data breach.
Much later, the hackers sent me a long, angry and offensive letter about Co-op’s response to their hack and subsequent extortion, which revealed that the retailer narrowly dodged a more serious hack by intervening in the chaotic minutes after its computer systems were infiltrated. The letter and conversation with the hackers confirmed what experts in the cyber security world had been saying since this wave of attacks on retailers began – the hackers were from a cyber crime service called DragonForce.
Who are DragonForce, you might be asking? Based on our conversations with the hackers and wider knowledge, we have some clues.
DragonForce offers cyber criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. Anyone can sign up and use their malicious software to scramble a victim’s data or use their darknet site for their public extortion.
This has become the norm in organised cyber crime; it is known as ransomware-as-a-service.
The most infamous of recent cases has been a service called LockBit, but this is all but defunct now, partly because it was cracked by the police last year.
Following the dismantling of such groups, a power vacuum has emerged. Cue a tussle for dominance in this underground world, leading to some rival groups innovating their offerings.
Power struggle ensues
DragonForce recently rebranded itself as a cartel offering even more options to hackers, including 24/7 customer support, for example.
The group has been advertising its wider offering since at least early 2024 and has been actively targeting organisations since 2023, according to cyber experts like Hannah Baumgaertner, Head of Research at Silobreaker, a cyber risk protection company.
“DragonForce’s latest model includes features such as administration and client panels, encryption and ransomware negotiation tools, and more,” Ms Baumgaertner said.
As a stark illustration of the power struggle, DragonForce’s darknet site was recently hacked and defaced by a rival gang called RansomHub, before re-emerging about a week ago.
“Behind the scenes of the ransomware ecosystem there seems to be some jostling – that might be for prime ‘leader’ position or just to disrupt other groups in order to take more of the victim share,” said Aiden Sinnott, senior threat researcher at the cyber security company Secureworks.
Who is pulling the strings?
DragonForce’s prolific modus operandi is to post about its victims, as it has done 168 times since December 2024 – a London accountancy firm, an Illinois steel maker and an Egyptian investment firm are all included. Yet so far, DragonForce has remained silent about the retail attacks.
Normally, radio silence about attacks indicates that a victim organisation has paid the hackers to keep quiet. As neither DragonForce, Co-op nor M&S have commented on this point, we do not know what might be happening behind the scenes.
Establishing who the people behind DragonForce are is difficult, and it is not known where they are located. When I asked their Telegram account about this, I did not get an answer. Although the hackers did not tell me explicitly that they were behind the recent hacks on M&S and Harrods, they confirmed a report in Bloomberg that spelt it out.
Of course, they are criminals and might be lying.
Some researchers say DragonForce are based in Malaysia, while others say Russia, where many of these groups are thought to be located. We do know that DragonForce has no specific targets or agenda other than making money.
And if DragonForce is merely the service for other criminals to use – who is pulling the strings and choosing to attack UK retailers?
In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence was pointing to a loose collective of cyber criminals known as Scattered Spider – but this has yet to be confirmed by the police.
Scattered Spider isn’t really a group in the normal sense of the word. It’s more of a community which organises across sites like Discord, Telegram and forums – hence the description “scattered” which was given to them by cyber security researchers at CrowdStrike.
They are known to be English-speaking, probably in the UK and the US, and young – in some cases teenagers. We know this from researchers and previous arrests. In November the US charged five men and boys in their twenties and teens for alleged Scattered Spider activity. One of them is 22-year-old Scottish man Tyler Buchanan, who has not entered a plea, and the rest are US based.
Crackdowns by police seem to have had little effect on the hackers’ determination, though. On Thursday, Google’s cyber security division issued warnings that it was starting to see Scattered Spider-like attacks on US retailers now too.
As for the hackers I spoke to on Telegram, they declined to answer whether they were Scattered Spider. “We won’t answer that question” is all they said.
Perhaps in a nod to the immaturity and attention-seeking nature of the hackers, two of them said they wanted to be known as “Raymond Reddington” and “Dembe Zuma” after characters from US crime thriller The Blacklist, which involves a wanted criminal helping police take down other criminals on a blacklist.
In a message to me, they boasted: “We’re putting UK retailers on the Blacklist.”
