Preventing Supply Chain Cyberattacks: Lessons from the Marks & Spencer Breach

  • Marks & Spencer’s £300M Ransomware Fallout: A sophisticated supply chain attack—likely involving phishing and social engineering—crippled operations, wiped £750M off market value, and disrupted food store logistics.
  • Innocent Insiders Amplify Risk: Social engineering tricked a supplier’s IT staff into granting access, spotlighting how well-meaning employees can unintentionally open doors to attackers.
  • Preventive Security Must Be Proactive: Multi-factor authentication, employee training, phishing simulations, and securing the supply chain are critical steps in reducing exposure and speeding recovery.

As more details of the April ransomware attack on UK retailer Marks & Spencer are made public, we are directly witnessing the cascading repercussions an organization faces when it is victimized by a well-planned and properly executed attack.

In the specific case of M&S, the retailer is dealing with a supply chain attack, as M&S CEO Stuart Machin confirmed in a published report.

Machin noted that the unnamed M&S supplier was itself compromised when its IT staff were tricked, through a social engineering attack, into changing passwords and resetting authentication processes.

The end result, according to the same news report, is that operations are still being hampered: M&S expects a £300 million hit to operating profits, the attack wiped almost £750 million off its market capitalization, and the retailer has shut down some operations, leaving it unable to stock shelves in its food stores.

Unfortunately, the complexity and opacity of modern supply chains leave businesses exposed to significant risks, all of which M&S is now experiencing.

While the attack was certainly well-conducted by a well-known threat group, Scattered Spider, multiple precautions can be put in place by organizations to mitigate any damage an attack might cause, allowing a business to recover quickly.

Let's run through each issue M&S is facing.


The Attack

Scattered Spider used an entire arsenal of tools to gain access to and ultimately cripple its target. Let's look at the primary methods that appear to have been used in this attack, along with a few mitigation recommendations:

  • Phishing (unconfirmed)
  • Insider threat
  • Social engineering
  • Supply chain
  • Ransomware

Supply chain attacks target the weaker links within an organization's supply network. In software supply chains, for example, attackers compromise software distributed by a legitimate vendor, affecting every end user of that software. In the M&S case, the attacker convinced a supplier's IT team to make access management changes (password changes and authentication resets) that handed it access and privileges.

The initial contact was likely made by phishing; the FBI has noted that email is the top attack vector, responsible for 90% of phishing incidents. A robust email security strategy, including a layered defense and a secure email gateway, is therefore essential to protect against evolving phishing threats.

Top Email Security Recommendations:

  • Enable Multi-Factor Authentication (MFA) on accounts wherever possible to blunt credential-based attacks. Microsoft found that 99% of the compromised Microsoft accounts it observed did not have MFA. Note the caveat this incident illustrates: MFA only helps if the password-reset and MFA-re-enrollment processes are protected too. A help desk that resets credentials and authentication methods on the strength of a phone call or email request has effectively bypassed MFA on the attacker's behalf, so reset requests need their own out-of-band identity verification, and resets followed by new MFA registrations should be logged and reviewed.
  • Have a second form of verification and validation before changing bank details or sending payments over email.
  • Provide annual security refreshers for the whole organization. Covering phishing and overall security awareness will educate employees about the types of attacks they may encounter and provide them with a plan of action.
  • Use a secure email gateway (SEG) like Trustwave MailMarshal, optimized for your organization.
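The pattern Machin described, a password reset and an authentication reset on the same account in quick succession, is detectable in identity audit logs. The following is an added example written for this article, not code from Trustwave or from the M&S investigation. It assumes a simplified, whitespace-separated audit log format (constructed for the example; Entra ID, Okta and similar sources carry the same fields under different names and would need a small adapter) and flags any helpdesk-initiated password reset that is followed within 30 minutes by a new MFA method registration, raising the severity when that registration comes from a non-private IP address.

```python
"""Detect helpdesk-assisted account takeover: a password reset performed by
someone other than the account owner, followed shortly by MFA re-enrollment.

Added example, not part of the original article. The log format and the
sample events below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# How long after a reset an MFA registration is still considered linked to it.
WINDOW = timedelta(minutes=30)

# Constructed sample log (not real data).
# Fields: timestamp  actor  action  target_account  source_ip
SAMPLE_LOG = """\
2025-04-17T09:02:11Z helpdesk.agent1 PASSWORD_RESET j.doe 10.20.0.5
2025-04-17T09:05:40Z j.doe MFA_METHOD_DELETED j.doe 10.20.0.5
2025-04-17T09:06:02Z j.doe MFA_METHOD_REGISTERED j.doe 185.220.101.7
2025-04-17T09:07:30Z j.doe LOGIN_SUCCESS j.doe 185.220.101.7
2025-04-17T11:15:00Z helpdesk.agent2 PASSWORD_RESET a.smith 10.20.0.6
2025-04-17T13:40:12Z a.smith LOGIN_SUCCESS a.smith 10.20.1.44
2025-04-18T08:00:00Z k.lee MFA_METHOD_REGISTERED k.lee 10.20.1.90
"""


@dataclass
class Event:
    time: datetime
    actor: str
    action: str
    target: str
    src_ip: str


@dataclass
class Alert:
    target: str
    reset_by: str
    reset_at: datetime
    mfa_registered_at: datetime
    mfa_src_ip: str
    severity: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            actor, action, target, ip))
    return events


def find_reset_then_mfa(events: list[Event], window: timedelta = WINDOW) -> list[Alert]:
    """Correlate, per target account, an admin/helpdesk-initiated PASSWORD_RESET
    with a later MFA_METHOD_REGISTERED inside `window`.

    Self-service resets (actor == target) are deliberately excluded; widen this
    if your help desk resets accounts while impersonating the user.
    """
    by_target: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_target[e.target].append(e)

    alerts: list[Alert] = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e.time)
        for i, reset in enumerate(evs):
            if reset.action != "PASSWORD_RESET" or reset.actor == reset.target:
                continue
            for later in evs[i + 1:]:
                if later.time - reset.time > window:
                    break
                if later.action == "MFA_METHOD_REGISTERED":
                    # Registration from outside private address space is the
                    # strongest signal that the new factor is not the user's.
                    external = not ipaddress.ip_address(later.src_ip).is_private
                    alerts.append(Alert(target, reset.actor, reset.time, later.time,
                                        later.src_ip, "high" if external else "medium"))
                    break
    return alerts


if __name__ == "__main__":
    for a in find_reset_then_mfa(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity}] {a.target}: reset by {a.reset_by} at {a.reset_at:%H:%M}, "
              f"MFA re-registered at {a.mfa_registered_at:%H:%M} from {a.mfa_src_ip}")
```

On the sample data only `j.doe` is flagged: the reset by `helpdesk.agent1` is followed four minutes later by an MFA registration from a non-private address. `a.smith` had a helpdesk reset but no factor change, and `k.lee` registered a factor with no preceding reset, so neither produces an alert; both remain worth a lower-priority review, which is the point of keeping the raw events.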

The attack, as Machin noted, relied on a social engineering scheme that conned a supplier employee into doing something that damaged their organization, turning that person into an "innocent insider". Innocent insiders, also known as Well-Intentioned Misguided Persons (WIMPs), present an entirely different problem from those intentionally trying to do damage.

In many cases, innocent insiders are individuals who demonstrate an interest in solving complex issues or strive to become good corporate citizens. However, they often don't recognize that the request is coming from outside their organization or from a compromised account. In their attempt to contribute to the organization's success, they often share files or offer access to people who lack the necessary permission, or provide access to certain systems and resources by sharing passwords.

Preventative measures should include:

  • Continuous and Engaging Training
  • Phishing Simulations
  • Follow the Principle of Least Privilege
  • Data Loss Prevention (DLP) Solutions
  • Network Segmentation

Since the M&S attack originated in its supply chain, a quick review of how to harden this attack surface is in order.

  • Know your suppliers. This includes the data they hold, their access permissions, and their criticality to your business operations.
  • Supply chain resilience. Assess your suppliers and vendors from every angle, particularly their security maturity and supply chain risk management practices.
  • Bring suppliers into your security program. This includes cybersecurity awareness, training, and participation in red team targeting events.
  • Understand that suppliers aren't the enemy. Supply chain security needs to be collaborative.
  • Ensure the proper systems and tools are in place. This includes comprehensive endpoint detection and response capabilities, the capacity to ingest threat intelligence from suppliers, and streamlined, centralized management of your ecosystem.
  • Ask for help. The right partner can make a considerable difference, providing you with the resources, expertise, and guidance for a safer and more stable supply chain.


Ransomware and Recovery

According to M&S, the attacker did deploy ransomware on its network, resulting in all of the ongoing issues mentioned above. At that stage, it is too late to stop the ransomware from executing, so the best that can be done is to halt its spread and eliminate it from your systems.

Once the active infection is contained, efforts should focus on hunting for malware that may be sitting dormant, waiting for the right time to activate and cause further issues.

Having network segmentation, and even microsegmentation, in place will help limit how far the malware can spread. Break your network into smaller, isolated segments (VLANs, firewalls, software-defined networking) based on function, department, or sensitivity, and allow only the traffic each segment actually needs.


Robust Backup and Recovery Strategy:

Maintain multiple copies of your data, with one copy stored off-site or in an isolated environment (e.g., an immutable cloud storage service).

  • Regular Testing: Periodically test your backup restoration process to ensure it works properly and can be restored quickly.
  • Offline/Immutable Backups: Crucially, ensure your backups are not continuously connected to your network. Ransomware often targets backups to prevent recovery. Offline or immutable backups are essential.
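"Regular testing" of backups means more than confirming that a restore job finishes: the restored data has to be verified byte-for-byte against what was backed up, because a ransomware-encrypted file restores just as successfully as a clean one. The following is an added example for this article, not code from Trustwave or from any backup product. It captures a SHA-256 manifest of a backup set and compares a restored tree against it, reporting files that are missing, modified or unexpected. The directory layout and file contents are constructed in a temporary directory for the example; in practice the manifest would be stored alongside the offline or immutable copy so that an attacker who reaches the backups cannot rewrite the manifest to match.

```python
"""Manifest-based restore verification for backup testing.

Added example, not part of the original article. Sample files are
constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under `root` (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns relative paths that are missing from the restore, whose content
    differs (e.g. encrypted by ransomware before the backup ran), or that
    were not in the original set (e.g. a dropped ransom note).
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Run the check against a clean restore and a tampered one (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "etc").mkdir(parents=True)
        (src / "orders.csv").write_text("id,sku\n1,ABC\n2,DEF\n")
        (src / "etc" / "app.conf").write_text("mode=prod\n")

        # Manifest is serialized to JSON so it can be stored with the backup copy.
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
        manifest = json.loads(manifest_path.read_text())

        # Clean restore: an exact copy of the source tree.
        clean = Path(tmp, "restore_clean")
        shutil.copytree(src, clean)

        # Tampered restore: one file "encrypted" (constructed junk bytes),
        # one file missing, one unexpected ransom note.
        bad = Path(tmp, "restore_bad")
        (bad / "etc").mkdir(parents=True)
        (bad / "orders.csv").write_bytes(bytes(range(256)) * 4)
        (bad / "README_DECRYPT.txt").write_text("constructed ransom note\n")

        return verify_restore(manifest, clean), verify_restore(manifest, bad)


if __name__ == "__main__":
    clean_report, bad_report = demo()
    print("clean restore:", clean_report)
    print("tampered restore:", bad_report)
```

Schedule the verification against a real restore into an isolated environment, and treat any entry in `modified` or `unexpected` as an incident rather than a backup glitch: it may be the first sign that the backup window already contained encrypted data.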

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
