An abusive email sent by the Marks & Spencer hackers to the retailer's boss gloating about the hack and demanding payment has been seen by the BBC. The message to M&S CEO Stuart Machin - which was in broken English - was sent on the 23 April from the hacker group called DragonForce using the email account of an employee. The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge. "We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers," the hackers wrote. "The dragon wants to speak to you so please head over to [our darknet website]." The extortion email was shown to the BBC by a cyber security expert. The blackmail message, which includes the n-word, was sent to the M&S CEO and seven other executives. As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers. Nearly three weeks latercustomers were informedby the company that their data may have been stolen. The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) - which has provided IT services to M&S for over a decade. The Indian IT worker based in London has an M&S email address but is a paid TCS employee. It appears as though he himself was hacked in the attack. TCS has previously saidit is investigatingwhether it was the gateway for the cyber attack. The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S. M&S has declined to comment entirely. A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic. Sharing the link – the hackers wrote: "let's get the party started. Message us, we will make this fast and easy for us." The criminals also appear to have details about the company's cyber insurance policy too saying "we know we can both help each other handsomely : ))". The M&S CEO hasrefused to sayif the company has paid a ransom to the hackers. DragonForce ended the email with an image of a dragon breathing fire. The email confirms for the first time the link between M&S's hack and theongoing Co-op cyber attack, which DragonForce have also claimed responsibility for. The two hacks - which began in late April - have wrought havoc on the two retailers. Some Co-op shelves were left bare for weeks, while M&S expects its operations to be disrupted until July. Although we now know that DragonForce is behind both, it is still not clear who the actual hackers are. DragonForce offers cyber criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. Anyone can sign up and use their malicious software to scramble a victim's data or use their darknet website for their public extortion. Nothing has appeared on the criminal's darknet leak site about either Co-op or M&S but the hackers told the BBC last week that they were having IT issued of their own and would be posting information "very soon." Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China. Speculation has been mounting that a loose collective of young western hackers known as Scattered Spider might be the affiliates behind the hacks and also one on Harrods. Scattered Spider is not really a group in the normal sense of the word. It's more of a community which organises across sites like Discord, Telegram and forums – hence the description "scattered" which was given to them by cyber security researchers at CrowdStrike. Some Scattered Spider hackers are known to be teenagers in the US and UK. The UK's National Crime Agency said ina BBC documentaryabout the retail hacks, that they are focusing investigations on the group. The BBCspoke to the Co-op hackerswho declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said. Two of them said they wanted to be known as "Raymond Reddington" and "Dembe Zuma" after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist. In a message to me, they boasted: "We're putting UK retailers on the Blacklist." There have been a series of smaller cyber attacks on UK retailers since but none as impactful of disruptive as those on Co-op, M&S and Harrods. DragonForce offers cyber criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. Anyone can sign up and use their malicious software to scramble a victim's data or use their darknet website for their public extortion. Nothing has appeared on the criminal's darknet leaksite about either Co-op or M&S but the hackers told the BBC they were having IT issues of their own and would be posting information "very soon." Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China. In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to Scattered Spider. The UK's national cyber-crime unithas confirmed to the BBC that the group is one of their key suspects. As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said. Sign up for our Tech Decoded newsletterto follow the world's top tech stories and trends.Outside the UK? Sign up here.
M&S hackers sent abuse and ransom demand directly to CEO
TruthLens AI Suggested Headline:
"Marks & Spencer Confirms Cyber Attack as Hackers Demand Ransom from CEO"
Bbc News
6.7
TruthLens AI Summary
A recent cyber attack on Marks & Spencer (M&S) has revealed alarming details about the extent of the breach, as hackers from the group DragonForce sent an abusive email directly to CEO Stuart Machin. The email, dated April 23, was composed in broken English and confirmed that M&S had been compromised by ransomware. In the message, the hackers claimed to have encrypted M&S's servers and stolen personal data of millions of customers. They also used the email account of an employee from Tata Consultancy Services (TCS), an IT provider for M&S, indicating that the employee's account may have been hacked during the attack. Despite M&S's refusal to publicly acknowledge the breach, the hackers' communication shows the seriousness of the situation, as they demanded payment and provided a darknet link for ransom negotiations, suggesting they are well-versed in cyber extortion tactics.
This incident is part of a broader trend of cyber attacks affecting major retailers in the UK, including the Co-op, which has also faced disruptions due to a similar attack by DragonForce. The email from the hackers not only boasted about their actions but also hinted at knowledge of M&S's cyber insurance policy, indicating a calculated approach to their extortion efforts. While the exact identities of the hackers remain unclear, speculation suggests a connection to a loose collective of young hackers known as Scattered Spider. The UK's National Crime Agency is investigating this group, which is believed to include individuals from various backgrounds, including teenagers from the US and UK. The ongoing investigation highlights the growing threat of cyber crime and the need for retailers to bolster their cybersecurity measures in response to these sophisticated attacks.
TruthLens AI Analysis
The reported incident involving Marks & Spencer (M&S) highlights a significant cybersecurity breach that raises concerns regarding data protection, corporate responsibility, and consumer trust. The hackers, identified as DragonForce, targeted the CEO directly, which indicates a bold approach to extortion and an attempt to create panic and urgency within the company.
Intent Behind the Publication
This news aims to inform the public about a serious security breach within a well-known company, thereby raising awareness about the vulnerabilities that exist even in major corporations. It also seeks to hold M&S accountable by revealing their reluctance to publicly acknowledge the attack, which may prompt them to respond more proactively to consumer concerns regarding data security.
Public Perception
The article is likely designed to create a sense of alarm among consumers regarding their personal data security. By detailing the hackers' abusive language and their threats, it evokes a narrative of corporate incompetence and consumer vulnerability, potentially shaking public confidence in M&S's ability to protect sensitive information.
Possible Concealments
There may be underlying issues or previous incidents that the company wants to keep away from public scrutiny. The hesitance to confirm the breach could indicate a desire to protect the company’s reputation and stock price, as public knowledge of such an incident can lead to a loss of consumer trust and financial repercussions.
Manipulation Analysis
The language used by the hackers, including derogatory terms, is intended to provoke outrage and highlight the severity of the breach. The direct targeting of the CEO serves as a manipulative tactic to amplify the urgency and seriousness of the situation. Overall, this news piece can be considered moderately manipulative, as it emphasizes fear and concern while potentially omitting M&S's perspective or response.
Authenticity of the Report
The incident is substantiated by the hackers' communication and the response from Tata Consultancy Services (TCS), suggesting that the breach is real. The explicit mention of how the attack was executed and the potential data theft enhance the credibility of the report.
Underlying Narrative
The narrative suggests that companies, regardless of their size, are susceptible to cyber threats, challenging the notion of security in the corporate world. The incident could resonate particularly within tech and cybersecurity communities, raising discussions on the need for better protection mechanisms.
Impact on Markets and Economy
Such breaches can influence stock prices, especially if M&S faces scrutiny or legal ramifications following the incident. Consumer confidence can be adversely affected, potentially impacting sales and overall market performance for M&S and other retailers in the sector.
Global Implications
In a broader context, this story reflects ongoing global concerns about cybersecurity and the implications of ransomware attacks. It aligns with current discussions regarding the need for robust cybersecurity measures across industries.
Potential AI Involvement
While it is unclear if AI was used in the drafting of this news piece, the structured presentation of the incident and the analysis could suggest the influence of AI in summarizing complex information. AI models could help highlight key points or analyze data patterns, but the emotional tone and urgency appear to stem more from journalistic practices than machine-generated content.
In summary, the report about M&S's cybersecurity breach effectively raises important issues regarding data security and corporate accountability. The motivations behind the publication and its potential impacts on public perception and market dynamics are significant, emphasizing the ongoing challenges in safeguarding information in an increasingly digital world.