This article is from the source 'bbc'.
You can find the current article at its original source at https://www.bbc.com/news/articles/cr58pqjlnjlo
The article has changed 5 times.
Version 3 | Version 4 |
---|---|
M&S hackers sent abuse and ransom demand directly to CEO | M&S hackers sent abuse and ransom demand directly to CEO |
(about 7 hours later) | |
The Marks & Spencer hackers sent an abuse-filled email directly to the retailer's boss gloating about what they had done and demanding payment, BBC News has learnt. | The Marks & Spencer hackers sent an abuse-filled email directly to the retailer's boss gloating about what they had done and demanding payment, BBC News has learnt. |
The message to M&S CEO Stuart Machin - which was in broken English - was sent on 23 April from the hacker group DragonForce using an employee email account. | The message to M&S CEO Stuart Machin - which was in broken English - was sent on 23 April from the hacker group DragonForce using an employee email account. |
The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge. | The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge. |
"We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers," the hackers wrote. | "We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers," the hackers wrote. |
"The dragon wants to speak to you so please head over to [our darknet website]." | "The dragon wants to speak to you so please head over to [our darknet website]." |
The cyber-attack has been hugely damaging for M&S, costing it an estimated £300m. More than six weeks on, it is still unable to take online orders. | The cyber-attack has been hugely damaging for M&S, costing it an estimated £300m. More than six weeks on, it is still unable to take online orders. |
The extortion email was shown to the BBC by a cyber-security expert. | The extortion email was shown to the BBC by a cyber-security expert. |
The message, which includes a racist term, was sent to the M&S CEO and seven other executives. | The message, which includes a racist term, was sent to the M&S CEO and seven other executives. |
As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers. | As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers. |
Nearly three weeks later customers were informed by the company that their data may have been stolen. | Nearly three weeks later customers were informed by the company that their data may have been stolen. |
The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) - which has provided IT services to M&S for over a decade. | The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) - which has provided IT services to M&S for over a decade. |
The Indian IT worker based in London has an M&S email address but is a paid TCS employee. | The Indian IT worker based in London has an M&S email address but is a paid TCS employee. |
It appears as though he himself was hacked in the attack. | It appears as though he himself was hacked in the attack. |
TCS has previously said it is investigating whether it was the gateway for the cyber-attack. | TCS has previously said it is investigating whether it was the gateway for the cyber-attack. |
The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S. | The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S. |
M&S has declined to comment entirely. | M&S has declined to comment entirely. |
'We can both help each other' | 'We can both help each other' |
A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic. | A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic. |
Sharing the link, the hackers wrote: "let's get the party started. Message us, we will make this fast and easy for us." | Sharing the link, the hackers wrote: "let's get the party started. Message us, we will make this fast and easy for us." |
The criminals also appear to have details about the company's cyber-insurance policy, saying "we know we can both help each other handsomely : ))". | The criminals also appear to have details about the company's cyber-insurance policy, saying "we know we can both help each other handsomely : ))". |
The M&S CEO has refused to say if the company has paid a ransom to the hackers. | The M&S CEO has refused to say if the company has paid a ransom to the hackers. |
DragonForce ended the email with an image of a dragon breathing fire. | DragonForce ended the email with an image of a dragon breathing fire. |
This dragon image was appended to the hackers' email, seen by the BBC | This dragon image was appended to the hackers' email, seen by the BBC |
The email confirms for the first time the link between M&S's hack and the nearly simultaneous Co-op cyber-attack, which DragonForce have also claimed responsibility for. | |
The two hacks - which began in late April - have wrought havoc on the two retailers. Some Co-op shelves were left bare for weeks, while M&S expects its operations to be disrupted until July. | The two hacks - which began in late April - have wrought havoc on the two retailers. Some Co-op shelves were left bare for weeks, while M&S expects its operations to be disrupted until July. |
Although we now know that DragonForce is behind both, it is still not clear who the actual hackers are. | Although we now know that DragonForce is behind both, it is still not clear who the actual hackers are. |
DragonForce offers cyber-criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. | DragonForce offers cyber-criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. |
Anyone can sign up and use their malicious software to scramble a victim's data or use their darknet website for their public extortion. | Anyone can sign up and use their malicious software to scramble a victim's data or use their darknet website for their public extortion. |
Nothing has appeared on the criminals' darknet leak site about either Co-op or M&S, but the hackers told the BBC last week that they were having IT issues of their own and would be posting information "very soon." | Nothing has appeared on the criminals' darknet leak site about either Co-op or M&S, but the hackers told the BBC last week that they were having IT issues of their own and would be posting information "very soon." |
Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China. | Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China. |
Speculation has been mounting that a loose collective of young western hackers known as Scattered Spider might be the affiliates behind the hacks and also one on Harrods. | Speculation has been mounting that a loose collective of young western hackers known as Scattered Spider might be the affiliates behind the hacks and also one on Harrods. |
Scattered Spider is not really a group in the normal sense of the word. It's more of a community which organises across sites like Discord, Telegram and forums – hence the description "scattered" which was given to them by cyber-security researchers at CrowdStrike. | Scattered Spider is not really a group in the normal sense of the word. It's more of a community which organises across sites like Discord, Telegram and forums – hence the description "scattered" which was given to them by cyber-security researchers at CrowdStrike. |
Some Scattered Spider hackers are known to be teenagers in the US and UK. | Some Scattered Spider hackers are known to be teenagers in the US and UK. |
The UK's National Crime Agency said in a BBC documentary about the retail hacks that they are focusing investigations on the group. | The UK's National Crime Agency said in a BBC documentary about the retail hacks that they are focusing investigations on the group. |
The BBC spoke to the Co-op hackers who declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said. | The BBC spoke to the Co-op hackers who declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said. |
Two of them said they wanted to be known as "Raymond Reddington" and "Dembe Zuma" after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist. | Two of them said they wanted to be known as "Raymond Reddington" and "Dembe Zuma" after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist. |
In a message to me, they boasted: "We're putting UK retailers on the Blacklist." | In a message to me, they boasted: "We're putting UK retailers on the Blacklist." |
There have been a series of smaller cyber-attacks on UK retailers since, but none as impactful or disruptive as those on Co-op, M&S and Harrods. | There have been a series of smaller cyber-attacks on UK retailers since, but none as impactful or disruptive as those on Co-op, M&S and Harrods. |
In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to Scattered Spider. | In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to Scattered Spider. |
The UK's national cyber-crime unit has confirmed to the BBC that the group is one of their key suspects. | The UK's national cyber-crime unit has confirmed to the BBC that the group is one of their key suspects. |
As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said. | As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said. |