Co-op cyberattack
UK retailer Co-op confirmed that attackers stole the personal data of 6.5 million members during a massive cyberattack in April. The incident shut down key systems and ultimately caused food shortages in its grocery stores.
Co-op (short for the Co-operative Group) ranks among the United Kingdom’s largest consumer co-operatives, operating food stores, funeral services, insurance, and legal services. Millions of members own the organization, receive discounts, and participate in company governance.
Today, Co-op’s CEO Shirine Khoury-Haq apologized on the BBC Breakfast show and confirmed that the attackers successfully stole data for all 6.5 million members.
“Their data was copied, and the criminals did have access to it like they do when they hack other organizations. That is the awful part of this unfortunately,” said Khoury-Haq.
Although the attack did not compromise financial or transaction information, the attackers did steal members’ contact information.
Khoury-Haq added that the breach felt like a personal attack—not on herself, but on Co-op’s members and employees who suffered the consequences.
“And it’s not about me. It was my colleagues. It was personal to me because it hurt them. It hurt my members. They took their data and it hurt our customers and that I do take personally,” she explained in the interview.
How it happened
The cyberattack took place in April and forced Co-op to shut down several IT systems in an effort to stop the threat actors from spreading across devices and ultimately deploying the DragonForce ransomware encryptor.
Initially, the company downplayed the event as an attempted intrusion. However, it later confirmed that attackers accessed and stole a “significant” amount of data during the breach.
Sources told BleepingComputer that the attack began on April 22, after the threat actors executed a social engineering scheme to reset an employee’s password.
From there, they gained access to the network, moved laterally across devices, and stole the Windows domain’s NTDS.dit file—a database from Windows Active Directory Services that stores password hashes.
Threat actors frequently steal this file to extract and crack passwords offline, which enables further spread throughout the network.
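A defender-side illustration of the chain described above, added here and not taken from BleepingComputer or Co-op: it correlates Windows Security event 4724 (password reset attempt) with event 4688 (process creation) whose command line references NTDS.dit. The event dictionaries, field names, accounts, hosts and tool names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not data from the incident). Field names are
# assumptions about how a log pipeline might normalise Windows Security events.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:02:00", "event_id": 4724, "target": "j.doe", "host": "DC01"},
    {"time": "2025-01-10T09:40:00", "event_id": 4688, "user": "j.doe", "host": "DC01",
     "command_line": r"example-tool.exe C:\Windows\NTDS\ntds.dit"},
    {"time": "2025-01-10T10:00:00", "event_id": 4724, "target": "a.smith", "host": "DC01"},
    {"time": "2025-01-10T10:05:00", "event_id": 4688, "user": "a.smith", "host": "WS17",
     "command_line": "notepad.exe report.txt"},
    {"time": "2025-01-12T08:00:00", "event_id": 4688, "user": "svc-backup", "host": "DC02",
     "command_line": r"backup-agent.exe --include C:\Windows\NTDS\NTDS.DIT"},
]

PASSWORD_RESET = 4724    # "An attempt was made to reset an account's password"
PROCESS_CREATED = 4688   # "A new process has been created" (needs command-line auditing)

def ntds_alerts(events, window=timedelta(hours=24)):
    """Flag processes that reference NTDS.dit; escalate when the launching
    account had its password reset within `window` beforehand."""
    last_reset = {}  # account name -> time of its most recent password reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == PASSWORD_RESET:
            last_reset[ev["target"].lower()] = ts
        elif (ev["event_id"] == PROCESS_CREATED
              and "ntds.dit" in ev.get("command_line", "").lower()):
            user = ev["user"].lower()
            reset_at = last_reset.get(user)
            recent = reset_at is not None and ts - reset_at <= window
            alerts.append({
                "user": user,
                "host": ev["host"],
                "time": ev["time"],
                # A reset followed by NTDS.dit access matches the reported chain;
                # other references (for example a backup job) still need review.
                "severity": "critical" if recent else "review",
            })
    return alerts

if __name__ == "__main__":
    for alert in ntds_alerts(SAMPLE_EVENTS):
        print(alert)
```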
According to BleepingComputer, the attack involved threat actors associated with Scattered Spider—the same group responsible for the Marks & Spencer (M&S) breach, where they deployed DragonForce ransomware.
The BBC later reported that they spoke directly with a DragonForce ransomware operator, who confirmed that one of their affiliates carried out the Co-op attack. The group also provided data samples to the BBC, claiming they had exfiltrated both corporate and customer data from Co-op.
Conclusion
Last week, the UK’s National Crime Agency (NCA) arrested four individuals suspected of involvement in the cyberattacks targeting Co-op, M&S, and an attempted one on Harrods.
Authorities apprehended two 19-year-old males, one 17-year-old male, and a 20-year-old female in London and the West Midlands.
One of the suspects, investigators say, has ties to a 2023 attack on MGM Resorts that led to the encryption of more than 100 VMware ESXi virtual machines.
That MGM attack was also attributed to Scattered Spider, which at the time collaborated with the BlackCat ransomware group.
Source: BleepingComputer, Lawrence Abrams