
“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” hackers from DragonForce wrote to M&S executives. Are they really from China? Or could they be Russian? Or even Malaysian?
Researchers and police are trying to understand more about this aggressive new force in the hacking world that has been building up victims and attacking rivals since emerging in March 2023.
In the M&S case it appears that two groups are working together: Scattered Spider and DragonForce.
Stuart Machin, the chief executive of M&S. The company has refused to publicly acknowledge that it was attacked by Scattered Spider or DragonForce.
The former is a loose collective of mostly young men from the US and UK who specialise in getting into systems, often by tricking people through “social engineering” to hand over passwords. They deploy DragonForce software to cripple networks and steal data.
Like many “ransomware” groups, DragonForce operates an “affiliate” model, much like a conventional franchise. It allows other hackers to use its brand, technology and services, for a cut of any money — said to be about 20 per cent.
DragonForce has taken this model further with a “white label” service allowing hackers who use its software to do it under their own names, branding and leak sites.
“The line between the affiliate and the actual operators is kind of muddy at the moment. It’s difficult to see where one ends and the other begins,” said Aiden Sinnott, senior threat researcher at Sophos, who has been following the group. DragonForce’s dark web site, meanwhile, has been quiet since April 22.
Sinnott believes that despite there being a DragonForce hacking group in Malaysia, the M&S attackers could be Russian. The Malaysian group is politically motivated and has never mentioned using ransomware, which is done for money.
In contrast the DragonForce ransomware group stipulates that affiliates should not attack Russian targets. “That’s not patriotism, that’s self-preservation. If they don’t attack the Russian state, they’ll pretty much be left alone to operate. And they had that as a rule for affiliates. So from that we made the assessment they’re likely Russia-based,” Sinnott said.
That has not stopped it attacking other Russian hackers in a vicious turf war, defacing and taking over their leak sites. The battle comes during a cyber power vacuum after police took down two of the largest groups, LockBit and BlackCat.
Koley, a leader of the RansomHub group, which had been targeted by DragonForce, threatened them on an underground forum, saying: “You use Feds to steal and shutdown others … next time we talk will be over your grave.”