
6 May 2025, 10:59
IT help desk workers at the Co-op and Marks & Spencer were tricked into giving hackers access to their companies' systems to allow them to carry out the recent cyberattacks, experts have said.
Recent reports suggest cybercriminals from the Scattered Spider network were able to reset an employee's password to breach the Co-op's network in a “social engineering” attack.
Sources told the BleepingComputer website that a similar tactic was used by the hackers to breach M&S.
The National Cyber Security Centre (NCSC), part of GCHQ, has issued new guidance to combat the techniques used by the group, which include impersonating an employee and tricking an IT help desk into resetting their password.
In a blog post, the NCSC’s national resilience director Jonathon Ellison and Ollie Whitehouse, its chief technology officer, said: “Criminal activity online - including, but not limited to, ransomware and data extortion - is rampant.
"Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared."
Organisations have now been advised to "review help desk password reset processes - how IT desk authenticates staff members credentials before resetting passwords, especially those with escalated privileges".
Particular attention should be paid to "admin" accounts, which have privileges to access secure parts of the network.
Hackers often use social media to gather information about employees, before they carry out a "Sim swap".
This is where they gain access to an employee's phone number after convincing or bribing a mobile operator to issue the same number to a different Sim card.
Once this has been obtained, they impersonate the employee and call the company IT desk asking for their password to be reset.
Because they have the employee's phone number, the criminals can get the authentication codes needed to set a new password.
The NCSC added: "Preparation and resilience does not mean just having good defences to keep out bad actors. No matter how good your defences are, sometimes the attacker will be successful.
"It also means being able to detect threat actors when they are using your employees’ legitimate access, are on your network, in your cloud services whilst being able to contain attackers to prevent damage and being able to respond and recover when an attack has got through your defences."
The Co-op said the hackers who attacked it were able to extract the names and contact details of Co-op members but not their passwords, or details of bank, credit cards or transactions.
Shortages have been seen at both retailers as a result of the attack, with M&S forced to pause online orders and suffer from empty shelves in some stores.
Some items on Ocado, which is part-owned by M&S, have been paused too.
Hackers may also have encrypted the company's back-up data, but M&S says it currently has access to this.
Experts say this may shorten the potential timeline to full recovery although it could still take months.
This retrieval will see M&S isolate and “clean” parts of the affected network and devices to make sure they are rid of the attackers.
They will then start to rebuild the applications and data that has been lost.
Paul Cashmore, chief executive of Solace Cyber, a cybersecurity consultancy, told the Times: "They’ve got to make sure that all of those points of sale and all of those other network or internet connected supply chains are safe and clean and the threat has been eradicated. So that’s a big milestone."
The Scattered Spider network, made up of young men based in the UK and United States, specialises in “breaking down the front door” of networks.
They then hand the access over to a more specialised “ransomware” gang, who cripple the network and extort its owner.
Tyler Buchanan, 23, was alleged to be one of the group's ringleaders. He was recently arrested and extradited to the US after being charged with attempting to hack into dozens of companies.
The Scattered Spider network appeared to be colluding with the ransomware “cartel” DragonForce.
Originating in Malaysia as a pro-Palestine “hacktivist-style” operation, DragonForce emerged as a major threat in August 2023 and has successfully hacked 136 victims as of March.
Its leaders say the cartel offers tools and support to hackers, taking a cut of the ransoms in return.
The group advertises encryption and ransom negotiation tools, a file storage system and support services on the dark web.
A Co-op spokesperson said: “All our stores are open and trading however, due to the sustained malicious attempts by hackers to access our systems, we have taken proactive steps to keep our systems safe, which is temporarily impacting our colleagues’ ability to perform their roles and how many deliveries we can make to our stores.
"This means that some of our stores might not have all of their usual products available and we would like to say sorry to our members and customers if this is the case in their local store.
"We are working around the clock to reduce disruption and resume deliveries. We would like to thank our colleagues, members, customers, and suppliers for their understanding during this time."
M&S did not comment.