Co-op was hit by hackers aligned with Kremlin’s agenda, researchers believe


British supermarket chain Co-op is still recovering from a major cyberattack and experiencing significant disruption. Hackers who claimed responsibility for the breach have links to the Russian Federation, according to Halcyon researchers.

A hacking group known as DragonForce claimed responsibility for the damaging cyberattack against Co-op, a major UK retailer, as well as a recent breach at Marks and Spencer (M&S). However, other reports attributed the M&S breach to Scattered Spider, a notorious English-speaking teenage hacking group.

DragonForce’s public stance strongly implies “a close alignment—or even allegiance—with the Russian Federation,” researchers of Halcyon, a cybersecurity firm, said.


“Investigators believe DragonForce’s tools, not those of its occasional affiliate Scattered Spider, were used in this breach.”

The retailers still struggle to return to normal operations.

“The criminals that are perpetrating these attacks are highly sophisticated and our colleagues are working tirelessly to do three things: (1) protect and defend our Co-op, (2) fully understand the extent of the impact caused by the attack and (3) provide much needed information to the authorities that may help them with their investigations,” a statement by Shirine Khoury-Haq, CEO of the Co-operative Group, reads.

“Actively managing the severity of the attack has meant shutting down some of our systems to protect the organisation.”

Co-op shelves are depleted across the UK due to fears that hackers may still have access to their systems. The attack has also affected funeral services and insurance divisions, according to a report by Recorded Future News.

During the cyberattack, hackers extracted data from a certain system and accessed information relating to “a significant number” of Co-op members, such as names, residential addresses, email addresses, phone numbers, and dates of birth.

“We do not believe the following types of identifiable personal data have been extracted: members’ passwords, bank or credit card details, transactions, or information relating to any members’ or customers’ products or services with the Co-op Group,” the company said last week.

Ties to Russia


In a post on a dark web forum, DragonForce has recently warned affiliates not to use its ransomware against targets in Russia or any former Soviet state. The Daily Mail reports that the hackers threaten to “punish any violations.”

“Let’s call it like it is: ransomware is a dual-purpose weapon. While crews like DragonForce are making money from their attacks, they are also doing Moscow’s dirty work at the same time,” Halcyon explains in a blog post.

“When a ransomware gang openly declares their tooling can’t be used against Russian infrastructure or former Soviet states and they threaten to ‘punish’ anyone who crosses that line, they’re revealing the direct connection between ransomware and Russian state-sponsored operations.”

Ransomware cartel rakes in millions while “acting as proxy attackers for the Russian government.”

“Meanwhile, the Kremlin gets to sit back with clean hands and deny everything,” researchers noted.

Last year, Group-IB’s researchers discovered that the DragonForce ransomware group publishes its rules, guides, and contacts regarding the use of DragonForce ransomware in Russian.

DragonForce has recently stirred a few ransomware turf wars. It has claimed hacks against data leak sites belonging to BlackLock and Mamona, two related ransomware groups that used to communicate in Russian and Chinese.

Such tactics may also be false flag operations to disguise ransomware market consolidation or rebranding, often linked to law enforcement pressure or internal issues.

DragonForce also says it hacked RansomHub, another prominent ransomware cartel and one of the most active gangs of the last year. DragonForce lures competitors with the opportunity to join its ranks and claims to have taken over RansomHub’s infrastructure.

RansomHub itself previously attracted affiliates from LockBit and Blackcat following law enforcement take-downs.


Since it was first discovered at the end of 2023, DragonForce has claimed around 170 victims, according to ransomware.live data.


DragonForce portrays itself as a ransomware cartel with a “white label” operation model that allows other hackers to use its tools. The gang claims to be financially motivated rather than destructive: it is “not here to kill” but “to make money and do business.”

“They see themselves as organized cybercriminal entrepreneurs with boundaries—particularly when it comes to Russian geopolitical interests,” Halcyon believes.

“That’s the beauty of proxy attacks and plausible deniability. Russia gets an advantage by way of the disruption and chaos the attacks cause, without ever signing their name to the attack.”

The researchers warn that the hackers aren’t picking targets at random, but choosing high-value victims from both financial and geopolitical perspectives.

“The longer we treat it like just plain cybercrime instead of a national security threat, the more ground we lose in a shadow war we have yet to even admit is happening,” the researchers conclude.