Recent Ransomware Attacks Have Focused On Identity Gaps

Cyber threats have evolved beyond the British government's ability to keep pace, a Parliamentary committee has said in a report highlighting a lack of prioritisation and a deficiency in government cyber skills.

Recently, the major UK retailers Marks and Spencer (M&S), Co-operative Group (Co-op) and Harrods have all been hit by ransomware attacks, with the criminal group DragonForce, working in conjunction with the more diverse hacking collective Scattered Spider, having claimed responsibility.

DragonForce uses similar Tactics, Techniques & Procedures (TTPs) to Scattered Spider, and both are known to use phishing emails, exploit known vulnerabilities, and leverage stolen credentials to gain initial access to victim networks.

DragonForce typically starts with the most vulnerable link in any security chain, humans, and has mastered the techniques of social engineering: crafting convincing phishing campaigns, executing SIM swaps to hijack phone numbers, and launching Multi-Factor Authentication (MFA) attacks in which users are bombarded with authentication requests until someone simply gives in and approves one.

MFA fatigue refers to the frustration and annoyance users experience when constantly entering additional login credentials, such as one-time passwords sent via text message or an authentication app. MFA fatigue often leads users to disable MFA controls, creating security risks.

As cyber attacks become more sophisticated, MFA has become crucial for account security. However, entering codes each time a user logs in or performs sensitive actions can be tedious and disruptive. This repetitious process causes MFA fatigue and leads users to perceive MFA as an obstacle rather than a safeguard.
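A simple detection for the push-bombing pattern described above, added here as an example and not code from the original article: it assumes MFA push events are available as (user, ISO timestamp, result) tuples, and the sample events below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real telemetry), each one
# (user, timestamp, result). "alice" receives a burst of prompts that ends
# with an approval; "bob" is a normal single login.
SAMPLE_EVENTS = [
    ("alice", "2025-05-01T02:14:05", "denied"),
    ("alice", "2025-05-01T02:14:40", "denied"),
    ("alice", "2025-05-01T02:15:20", "timeout"),
    ("alice", "2025-05-01T02:16:02", "denied"),
    ("alice", "2025-05-01T02:16:55", "approved"),
    ("bob",   "2025-05-01T08:00:10", "approved"),
]

SEVERITY_RANK = {"high": 1, "critical": 2}

def detect_push_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """Return {user: alert} for every user who received at least `threshold`
    push prompts inside any sliding `window`. The alert is 'critical' when
    an approval falls inside the burst (the 'someone gives in' outcome)."""
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))
    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        best, start = None, 0
        for end, (t_end, _) in enumerate(rows):
            # advance the left edge until the window fits
            while t_end - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            approved = any(r == "approved" for _, r in rows[start:end + 1])
            cand = {"user": user, "prompts": count,
                    "severity": "critical" if approved else "high",
                    "window_start": rows[start][0].isoformat(),
                    "window_end": t_end.isoformat()}
            if best is None or (SEVERITY_RANK[cand["severity"]], count) > \
                    (SEVERITY_RANK[best["severity"]], best["prompts"]):
                best = cand
        if best is not None:
            alerts[user] = best
    return alerts
```

Tune `threshold` and `window` to the normal prompt rate of your own identity provider; a critical alert is the signal to revoke the resulting session and contact the user out of band.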

DragonForce has a particular talent for targeting helpdesk staff, manipulating them into resetting passwords and providing that crucial first foothold. Once inside, they move methodically. They look for accounts protected by just a username and password, using these to move through networks. These incidents are not isolated or coincidental. Indeed, they are setting a trend that is rapidly expanding.

Recovery often demands draconian measures just to regain control, but teams aim to restore normal operations, giving people back the tools to do their jobs, and keeping the shelves stocked and the tills running.

The recent retail breaches can act as a catalyst for identity management and security teams to revisit and accelerate key initiatives, especially those that may have already faced pushback from teams focused on operational efficiency.

Building Retail-Specific Identity Defences

1. Protect Initial Access Points

  • Enforce comprehensive MFA: Verify that all external access points to systems are secured with MFA, including VPNs, SaaS applications, and other internet-facing systems.
  • Implement phishing-resistant MFA: Move to number matching at minimum (remember to remove non-phishing-resistant factors too) and consider “unphishable” FIDO2 authenticators for prime targets, like IT and security teams.
  • Secure password reset processes: Harden helpdesk procedures with strict identity verification protocols. Consider temporarily implementing in-person resets for your most critical accounts.
  • Protect MFA management: Ensure second factors can only be added or changed with appropriate identity verification, not just with username and password.

2. Prevent Lateral Movement Post-Compromise

  • Extend MFA coverage internally: MFA must extend beyond the perimeter to internal systems and infrastructure access, especially Active Directory environments, which are prime targets for threat actors and ransomware groups. Protecting RDP alone is not enough; MFA must cover all protocols (PowerShell remoting, for example, is favoured by attackers).
  • Protect non-human identities (NHIs): Implement strict controls on service accounts, limiting where they can be used and alerting on any unusual activity patterns that could indicate compromise.
  • Contain vulnerable legacy protocols: Restrict legacy authentication protocols like NTLMv1 to the applications that absolutely require them.
  • Implement identity segmentation: Create security boundaries between different parts of the retail environment to contain breaches; for example, by disallowing server authentication from your retail sites.

3. Monitor for Identity Threats

  • Deploy Identity Threat Detection & Response (ITDR): Implement ITDR to identify anomalous behaviours like lateral movement attempts and equip your SOC to respond.
  • Focus on service account activity: Create detailed baselines of normal service account behaviour and alert on deviations.
  • Monitor privileged account usage: Track admin account activity with particular attention to cross-tier usage, where high-privilege accounts access lower-security environments.
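Sample detection logic for the service-account baselining and cross-tier privileged-use checks in items 2 and 3 above, added here as an example and not code from the article or any vendor; the hostnames, tier assignments, account names and logon records are all constructed.

```python
# Constructed sample data (not real telemetry). Hosts are mapped to tiers
# (0 = identity/DC, 1 = servers, 2 = store workstations and tills); each
# admin account has the highest-value tier it is allowed to touch.
HOST_TIER = {"dc01": 0, "fs01": 1, "fs02": 1, "sql01": 1, "app01": 1,
             "bkp01": 1, "pos-store7": 2, "ws-store7": 2}
ADMIN_TIER = {"t0-admin": 0, "t1-admin": 1}
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}

# Logons seen during a quiet learning period: (account, source, target).
LEARNING_LOGONS = [
    ("svc_backup", "bkp01", "fs01"), ("svc_backup", "bkp01", "fs02"),
    ("svc_sql", "app01", "sql01"),
]
# A later batch to evaluate; comments mark the expected verdict.
NEW_LOGONS = [
    ("svc_backup", "bkp01", "fs01"),          # within baseline
    ("svc_backup", "ws-store7", "dc01"),      # service account from a store PC to a DC
    ("t0-admin", "dc01", "dc01"),             # tier-0 admin on a tier-0 host: fine
    ("t0-admin", "ws-store7", "pos-store7"),  # tier-0 credentials used on a till
    ("t1-admin", "fs01", "pos-store7"),       # tier-1 admin reaching into tier 2
]

def build_baseline(logons, service_accounts):
    """Learn the (source, target) pairs each service account normally uses."""
    baseline = {acct: set() for acct in service_accounts}
    for acct, src, dst in logons:
        if acct in service_accounts:
            baseline[acct].add((src, dst))
    return baseline

def check_logons(logons, baseline, host_tier, admin_tier):
    """Flag service-account logons outside their baseline and admin logons
    where either endpoint sits in a less trusted (higher-numbered) tier.
    Hosts missing from the tier map are treated as tier 99 so that an
    unmapped asset is flagged rather than silently trusted."""
    alerts = []
    for acct, src, dst in logons:
        if acct in baseline and (src, dst) not in baseline[acct]:
            alerts.append({"rule": "svc_account_deviation", "account": acct,
                           "source": src, "target": dst})
        elif acct in admin_tier:
            worst = max(host_tier.get(src, 99), host_tier.get(dst, 99))
            if worst > admin_tier[acct]:
                alerts.append({"rule": "cross_tier_admin_use", "account": acct,
                               "source": src, "target": dst,
                               "account_tier": admin_tier[acct], "host_tier": worst})
    return alerts
```

In production the baseline would be learned from a representative window of logon telemetry and refreshed as infrastructure changes, and the tier map maintained alongside the asset inventory.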

The UK has experienced a series of stinging cyber attacks over the last few years, including a July 2024 attack on the pathology laboratory services provider for London hospitals that resulted in thousands of postponed medical appointments and a blood shortage. In 2023 a ransomware incident at the British Library cost roughly £7 million to remediate. In December 2023 the government accused a Russian intelligence agency of running a years-long campaign to interfere in British politics, and in May a sequence of large-scale attacks hit the British retail sector, including M&S, Co-op, Harrods and Adidas.

All of these attacks are an opportunity to shift mind-sets, both within and around the industry.

Conclusion

Identity is not just about keeping auditors happy or shelves stocked. It’s about stopping real threats, protecting real people, and ensuring operational resilience. Treat identity as a core part of the organisation’s security strategy, not an efficiency play, and take control against identity-first attackers.

As ransomware attacks become more targeted and disruptive, industry experts agree that the stakes have never been higher.

The convergence of cyber threats with essential services highlights the urgent need for organisations to bolster their defences, invest in preparedness, and ensure rapid containment strategies are in place to prevent catastrophic consequences.
