British shopping titan M&S is still dealing with the mess caused by April’s ransomware attack. There are at least three months’ more work ahead, says the firm’s chairman, Archie Norman (pictured).
But there are persistent rumors M&S paid Scattered Spider’s ransom demand. In today’s SB Blogwatch, Norman will neither confirm nor deny.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Idiot ska.
What’s the craic? Lorenzo Franceschi-Bicchierai reports: Marks & Spencer chair refuses to say if retailer paid hackers
“Company is still dealing with recovery efforts”
The chairman of UK retail giant Marks & Spencer declined to tell a panel of lawmakers whether the company paid a hacking group following a ransomware attack earlier this year. “We’ve said that we are not discussing any of the details of our interaction with the threat actor,” said … Norman, referring to the ransom payment. “We don’t think it’s in the public interest to go into that.”
…
Norman said that “nobody” at Marks & Spencer interacted directly with the cybercriminals, which he attributed as the ransomware gang DragonForce. … Norman told lawmakers that the company is still dealing with recovery efforts and will continue to do so until October or November.
Wait. DragonForce? I thought it was Scattered Spider? James Davey has more: Companies should have to disclose major cyberattacks, M&S says
“Loosely aligned parties”
Businesses should be legally required to report material cyberattacks to the authorities, the chairman of retailer Marks & Spencer said, … claiming two recent major attacks on large UK firms had gone unreported. [He said] there was “a big deficit” in knowledge in the cybersecurity space.
…
He said “loosely aligned parties” worked together on the M&S cyberattack. … “When this happens you don’t know who the attacker is, and in fact they never send you a letter signed Scattered Spider—that doesn’t happen,” said Norman.
¿Por qué no los dos? Kevin Poireault shrugs: DragonForce, Scattered Spider or Both?
“DragonForce affiliates”
DragonForce originated as a pro-Palestine hacktivist group allegedly based in Malaysia (under the name DragonForce Malaysia) that has been active since August 2023. It is understood to be behind a number of notable cyber-attacks in the Asia-Pacific region and the US, including on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery and Yakult Australia.
…
Scattered Spider, tracked as Octo Tempest by Microsoft and UNC3944 by Google Cloud, is a financially motivated threat group active since May 2022. Primarily native English speakers, likely including some teenagers based in the UK or the US, Scattered Spider members are affiliated with the cybercriminal collective ‘The Com.’ The group is associated with the 2023 hacks of Caesars Entertainment and MGM Resorts International.
…
Researchers at Google … said in a May 6 report they have not independently confirmed the involvement of Scattered Spider or the DragonForce ransomware group. [They] said the hacks … were consistent with Scattered Spider targeting [and] that one or several members of the Scattered Spider group worked as DragonForce affiliates in the UK retail hack wave.
Any word on TTPs? Sam Sabin summarizes: How Scattered Spider hackers are wreaking havoc on corporate America
The group’s primary tactic remains voice-based phishing where they call a company’s overseas help desk, impersonate an employee, and reset their single sign-on passwords. They then use SIM swapping to intercept multifactor-authentication codes. … Experts urge U.S. companies to implement strict ID verification protocols at IT help desks and to upgrade outdated MFA methods like SMS and voice codes.
…
The group has escalated attacks by targeting ESXi hypervisors — systems that power a company’s servers and digital operations but often fly under the radar of traditional security tools. Once inside, they deploy ransomware and cripple the server environment.
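The help-desk reset, MFA swap and fresh sign-in sequence described above is one a defender can look for in identity logs. This is an added illustration, not code from Axios, M&S or any of the sources quoted; the log format, field names and sample events are constructed for the example.

```python
# Added example (not from the article or any quoted source): correlate a
# help-desk-initiated password reset with a later MFA-method change and a fresh
# SSO login for the same account, inside a short window. The pipe-delimited
# log format and the sample events are constructed for illustration only.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ts|event|user|detail
SAMPLE_LOG = """\
2025-04-17T09:02:11Z|helpdesk_password_reset|alice|ticket=HD-1001 verified_by=voice
2025-04-17T09:09:40Z|mfa_method_changed|alice|old=app new=sms
2025-04-17T09:12:05Z|sso_login|alice|device=unknown geo=new
2025-04-17T10:30:00Z|helpdesk_password_reset|bob|ticket=HD-1002 verified_by=manager_callback
2025-04-18T08:15:00Z|sso_login|bob|device=known geo=usual
2025-04-17T11:00:00Z|mfa_method_changed|carol|old=app new=sms
"""

# The chain must occur in this order for one user.
CHAIN = ["helpdesk_password_reset", "mfa_method_changed", "sso_login"]


def parse(log):
    """Group events per user, sorted by timestamp."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, event, user, detail = line.split("|", 3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events[user].append((when, event, detail))
    for user in events:
        events[user].sort()
    return events


def find_takeover_chains(log, window=timedelta(hours=1)):
    """Return (user, reset_ts, login_ts) for each reset that is followed,
    within `window`, by an MFA-method change and then an SSO login."""
    hits = []
    for user, evs in parse(log).items():
        for i, (t0, e0, _) in enumerate(evs):
            if e0 != CHAIN[0]:
                continue
            stage = 1
            for t, e, _ in evs[i + 1:]:
                if t - t0 > window:
                    break  # outside the correlation window
                if e == CHAIN[stage]:
                    stage += 1
                    if stage == len(CHAIN):
                        hits.append((user, t0.isoformat(), t.isoformat()))
                        break
    return hits
```

Bob's reset is followed by a login a day later with no MFA change in between, so it does not match; a real deployment would tune the window and add the `verified_by` value as an extra signal.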
ELI5? IT WAS LITERALLY JUST A TREE CHILL OUT explains like we’re five:
To be absolutely clear about how this happened—and it’s in the public domain: The hackers literally rang up the helpdesk pretending to be M&S staff, had their password reset and they were in. … They can blame as many people as they want — if they make it so ridiculously easy to break in, then what do they expect?
And that helpdesk was outsourced overseas. ListenVeryCarefully will say this only once:
So Archie Norman decided not to spend some money on proper IT security … and is now paying the price. (As well as the ransom, it would appear.)
Are you saying M&S paid the ransom? Here’s Matthew J.’s reaction to that allegation:
It needs to be hard illegal, along the lines of sponsoring terrorism and such. As in, jail time for any exec who greenlights or knows about it. Get your house in order. And if you can’t be bothered to, then take your medicine.
But Peregrine1 has a more nuanced view:
Power to Archie Norman for being honest. Large companies have placed themselves in invidious positions by listening to the advice of consulting advisors and outsourcing their IT.
…
IT teams are difficult to manage, and difficult to find. [But] IT is a core function of a large business and should be mainly staffed by those who owe their loyalty to the company. Fire him if you like, but people like him will not make the same mistake again!
It’s the age-old problem of invisible RoI. BPMKent sees the silver lining:
I’d love to know when M&S last had some penetration testing. These kinds of companies are ideal targets for hackers, relying on boards of old men who won’t put money into cybersecurity because they can’t see a return on investment, and convince themselves that they’re protected by insurance. Hopefully a wake up call to similar businesses.
Meanwhile, msawzall sounds slightly confused:
DragonForce? I love Through the Fire and Flames! When did they start hacking?
JER swears a bit in this, sorry
Hat tip: DingoChavez
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Web Summit Qatar (cc:by; leveled and cropped)