M&S cyber attackers may have worked with Asia-based DragonForce, MPs hear
Marks & Spencer’s "traumatic" cyber attack was believed to be instigated by hacking group Scattered Spider and a ransomware operation run by former computer gamers named DragonForce, its chairman has said.
Archie Norman, who was quizzed by MPs, refused to say whether or not the retailer paid the group’s ransom money following the hack.
M&S was left unable to take any online orders for more than six weeks when its systems were targeted by hackers at the end of April.
It has estimated the attack would cost it around £300 million in lost profits – but expects to recover as much as half of the impact through cost management, insurance and other reactions.
Norman, speaking at a Business and Trade select committee, said it was "not an overstatement to describe it as traumatic", adding: "We’re still in the rebuild mode and will be for some time to come."
Talking about the nature of the attack, he told MPs that the hackers "never send you a letter signed Scattered Spider, that doesn’t happen".
"The attacker is working through intermediaries too, so we believe in this case there was the instigator of the attack, and then – believed to be DragonForce – who are a ransomware operation based, we believe, in Asia.
"So you’ve got loosely aligned parties working together.
"We took an early decision that nobody at M&S would deal with the threat actor directly – we felt the right thing was to leave this to the professionals who have experience in the matter."
"It is believed that this group were former computer gamers who graduated into cyber – that may not be true, I’m relying entirely on hearsay," Norman said.
The chairman said the so-called "threat actors" also chose to communicate with the media, and were in contact with the BBC following the hack.
Norman stressed that he would not talk about the nature of the discussions that had taken place with the hackers.
However, when asked whether businesses have to pay the ransomware demand following an attack, he said: "No I don’t think you do. That’s a business decision… the question businesses have to ask is when they look at the demand, what are they getting from it?
"Because once your systems are compromised and you’re going to have to rebuild it anyway, maybe they’ve exfiltrated data that you don’t want to publish, maybe there’s something there.
"But in our case, substantially the damage had been done."
