A letter from the M&S hackers landed in my inbox - this is what happened next

Yahoo, 18-05-2025

Almost daily, my phone pings with messages from hackers of all stripes.
The good, the bad, the not-so-sure.
I've been reporting on cyber security for more than a decade, so I know that many of them like to talk about their hacks, findings and escapades.
About 99% of these conversations stay firmly locked in my chat logs and don't lead to news stories. But a recent ping was impossible to ignore.
"Hey. This is Joe Tidy from the BBC reporting on this Co-op news, correct?" the hackers messaged me on Telegram.
"We have some news for you," they teased.
When I cautiously asked what this was, the people behind the Telegram account - which had no name or profile picture - gave me the inside track on what they claimed to have done to M&S and the Co-op, in cyber attacks that caused mass disruption.
Through messages back-and-forth over the next five hours, it became clear to me that these apparent hackers were fluent English speakers and although they claimed to be messengers, it was obvious they were closely linked to - if not intimately involved in - the M&S and Co-op hacks.
They shared evidence proving that they had stolen a huge amount of private customer and employee information.
I checked out a sample of the data they had given me - and then securely deleted it.
They were clearly frustrated that Co-op wasn't giving in to their ransom demands but wouldn't say how much money in Bitcoin they were demanding of the retailer in exchange for the promise that they wouldn't sell or give away the stolen data.
After a conversation with the BBC's Editorial Policy team, we decided that it was in the public interest to report that they had provided us with evidence proving that they were responsible for the hack.
I quickly contacted the press team at the Co-op for comment, and within minutes the firm, who had initially downplayed the hack, admitted to employees, customers and the stock market about the significant data breach.
Much later, the hackers sent me a long angry and offensive letter about Co-op's response to their hack and subsequent extortion, which revealed that the retailer narrowly dodged a more severe hack by intervening in the chaotic minutes after its computer systems were infiltrated. The letter and conversation with the hackers confirmed what experts in the cyber security world had been saying since this wave of attacks on retailers began – the hackers were from a cyber crime service called DragonForce.
Who are DragonForce, you might be asking? Based on our conversations with the hackers and wider knowledge, we have some clues.
DragonForce offers cyber criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. Anyone can sign up and use their malicious software to scramble a victim's data or use their darknet website for their public extortion.
This has become the norm in organised cyber crime; it's known as ransomware-as-a-service.
The most infamous of recent times has been a service called LockBit, but this is all but defunct now partly because it was cracked by the police last year.
Following the dismantling of such groups, a power vacuum has emerged. Cue a tussle for dominance in this underground world, leading to some rival groups innovating their offerings.
DragonForce recently rebranded itself as a cartel offering even more options to hackers including 24/7 customer support, for example.
The group had been advertising its wider offering since at least early 2024 and has been actively targeting organisations since 2023, according to cyber experts like Hannah Baumgaertner, Head of Research at Silobreaker, a cyber risk protection company.
"DragonForce's latest model includes features such as administration and client panels, encryption and ransomware negotiation tools, and more," Ms Baumgaertner said.
As a stark illustration of the power-struggle, DragonForce's darknet website was recently hacked and defaced by a rival gang called RansomHub, before re-emerging about a week ago.
"Behind the scenes of the ransomware ecosystem there seems to be some jostling - that might be for prime 'leader' position or just to disrupt other groups in order to take more of the victim share," said Aiden Sinnott, senior threat researcher from the cyber security company Secureworks.
DragonForce's prolific modus operandi is to post about its victims, as it has done 168 times since December 2024 - a London accountancy firm, an Illinois steel maker, an Egyptian investment firm are all included. Yet so far, DragonForce has remained silent about the retail attacks.
Normally radio silence about attacks indicates that a victim organisation has paid the hackers to keep quiet. As neither DragonForce, Co-op nor M&S have commented on this point, we don't know what might be happening behind the scenes.
Establishing who the people are behind DragonForce is tricky, and it's not known where they are located. When I asked their Telegram account about this, I didn't get an answer. Although the hackers didn't tell me explicitly that they were behind the recent hacks on M&S and Harrods, they confirmed a report in Bloomberg that spelt it out.
Of course, they are criminals and could be lying.
Some researchers say DragonForce are based in Malaysia, while others say Russia, where many of these groups are thought to be located. We do know that DragonForce has no specific targets or agenda other than making money.
And if DragonForce is just the service for other criminals to use – who is pulling the strings and choosing to attack UK retailers?
In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to a loose collective of cyber criminals known as Scattered Spider - but this has yet to be confirmed by the police.
Scattered Spider is not really a group in the normal sense of the word. It's more of a community which organises across sites like Discord, Telegram and forums – hence the description "scattered" which was given to them by cyber security researchers at CrowdStrike.
They are known to be English-speaking and probably in the UK and the US and young – in some cases teenagers. We know this from researchers and previous arrests. In November the US charged five men and boys in their twenties and teens for alleged Scattered Spider activity. One of them is 22-year-old Scottish man Tyler Buchanan, who has not made a plea, and the rest are US based.
Crackdowns by police seem to have had little effect on the hackers' determination, though. On Thursday, Google's cyber security division issued warnings that it was starting to see Scattered Spider-like attacks on US retailers now too.
As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said.
Perhaps in a nod to the immaturity and attention-seeking nature of the hackers, two of them said they wanted to be known as "Raymond Reddington" and "Dembe Zuma" after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist.
In a message to me, they boasted: "We're putting UK retailers on the Blacklist."
