Marks & Spencer hackers appear to protect ‘former Soviet states’ from attacks

Hackers who bragged about crippling Marks & Spencer’s systems and breaching Co-op Group databases appeared to have vowed to protect “the former Soviet Union” from the technology used in the attacks.

The DragonForce cybercrime group appeared to use a dark web forum to issue a threat to “punish any violations” by fellow hackers planning to use its ransomware in Russia or the former Soviet states – the first indication of any allegiance.

The group, which licenses its ransomware to other hacking gangs for a fee, claimed responsibility for an attack that has left shelves at some branches of M&S bare and has forced the company to suspend online orders.

A separate attack on the Co-op led to a data breach and customer details being stolen, and the group has also been linked to an attempt to hack systems at Harrods.

“Any attack by our software on critical infrastructure, hospitals where critical patients, children, and the elderly are kept, or on the countries of the former Soviet Union, is a PROVOCATION by unscrupulous partners,” read a statement which claimed to be from the group, released at the end of last month.

“We, as regulators, are doing our best to counteract this, and we will punish any violations, as well as assist in solving the problems of the affected parties.”

DragonForce is considered distinctive because of its business model – offering “white label” ransomware for other hackers to use once they have gained access to a target’s systems.It is believed that both successful hacks involved calls to IT teams by hackers posing as employees, further stoking suspicion that initial access to the network would have been carried out by a disparate group of English-speaking hackers referred to as Scattered Spider, who then would have used the DragonForce software.

The group also stands out because of a forward-facing attitude and willingness to discuss its attacks.“We are not here to kill; we are here to make money and do business with corporations that have gotten their hands dirty,” the statement added.

The Observer uncovered the statement through dark web researchers from the US cybersecurity company Secureworks, on a forum popular with hackers. Its monitoring of DragonForce has identified a total of 167 alleged victims across 32 countries, including the US, 87; UK, 17; Australia eight; Italy, eight, and Canada, five.

When the group was approached for comment about the statement, a spokesperson said: “We’re not providing any comments at this time, but thank you for reaching out.”

Photograph by Chris Ratcliffe/Bloomberg via Getty