Author: Roman Arutyunov, Co-Founder and SVP Products, Xage Security
In a series of incidents over the past few weeks, three major UK retailers—Harrods, Marks & Spencer, and Co-op—have fallen victim to what is believed to be coordinated cyberattacks. Early investigations indicate a concerning trend: these were not isolated events, but possibly interconnected strikes exploiting shared vulnerabilities in retail infrastructure.
Security researchers believe the recent wave of attacks was carried out using a Ransomware-as-a-Service (RaaS) platform known as DragonForce, with strong indications that the perpetrators are linked to the loosely organized threat collective Scattered Spider. This is the same group responsible for the high-profile 2023 cyberattack on MGM Resorts, which crippled operations across the Las Vegas Strip and resulted in estimated losses exceeding $110 million.
Despite law enforcement making five arrests in November, Scattered Spider remains active—likely due to its decentralized and fluid structure. As reported by BleepingComputer, Scattered Spider is not a conventional cybercrime gang but rather an amorphous network of financially motivated threat actors. Members coordinate and share resources across Telegram, Discord, and dark web forums, making the group both resilient and difficult to dismantle.
In all three cases, once inside, ransomware was able to propagate laterally and exfiltrate sensitive customer data.

Could VPNs Be at Fault? …Again
While full details are still emerging, analysts suspect a shared architectural or supply chain vulnerability among the affected retailers. The fact that all were compromised in a short time span hints at commonalities in remote access technologies, security configurations, or identity management practices.
Co-op’s internal response sheds light on the scope of the breach. In a memo obtained by The Register, Co-op’s Chief Digital Information Officer Rob Elsey confirmed the shutdown of VPN access to stem the attack’s spread. Elsey also urged employees to refrain from transcribing Teams calls, to verify all meeting participants, and to avoid entering sensitive information in chat, signaling that attackers may have had deep access to internal collaboration tools.
While it’s not confirmed whether VPNs served as the initial entry point in these attacks, they are well-documented as some of the most commonly exploited attack vectors in cyber intrusions.
Access Control and Risk Mitigation Guidance
These incidents underscore a critical truth: perimeter-based defenses are no longer sufficient. Once attackers are inside, they can move freely unless access and communication pathways are tightly controlled. We recommend the following defensive strategies to harden infrastructure against similar attacks:
- Adopt a Zero Trust Architecture: Eliminate implicit trust. The traditional VPN is now one of the most targeted entry points in modern attacks. In this attack, for example, attackers were able to access critical IT domain resources through a VPN connection. Instead, employ identity-driven, granular access that is continuously verified and monitored.
- Implement Secure Remote Access: Protect remote access channels with Zero Trust Access solutions that do more than just authenticate—they continuously assess risk and granularly enforce least-privilege policies in real-time.
- Deploy Phishing-resistant MFA: Use FIDO2-based authentication methods that remain effective even in disconnected or offline environments—critical in ransomware scenarios where systems may be taken down.
- Per-Device MFA: The NCSC has emphasized the importance of enabling 2FA across all systems—especially for remote and privileged access. Deploy per-device, adaptive MFA that enforces identity validation at every access point, even offline.
- Use Adaptive Access and AI-Driven Security: Leverage AI-driven Adaptive Access to detect anomalies and dynamically adjust access policies:
  - Step-up authentication when behavior deviates from norms.
  - Shrink or revoke access policies based on threat level.
  - Require additional approvals or block access during suspicious events.
- Apply Adaptive Microsegmentation: Prevent lateral movement by enforcing microsegmentation: granular access controls between users and systems as well as between systems. Allow system interaction based only on identity, need, and time of access, following the principle of least privilege. Most systems do not need to interact with each other, and adaptive microsegmentation dynamically shrinks the attack surface.
- Deploy Multi-layered Defenses: Eliminating single points of failure is critical to resilient security. For example, compromising a centralized Active Directory and stealing the NTDS.dit file can expose an entire domain. Replacing such systems with a distributed, consensus-driven vault ensures no single compromise can collapse the entire security architecture.
- Remove Standing Privileges: Use just-in-time privileged access with ephemeral credentials that disappear once a task is complete. No static accounts means less to hack, less to steal.
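To make the adaptive access, microsegmentation and just-in-time privilege recommendations above concrete, here is an added example of a small policy-decision function, written for this article and not code from Xage Security or any product. It assumes constructed inputs: a per-user behavioural baseline (known devices, usual countries, usual hours), a role-to-resource segmentation allow-list with time windows, and an organization-wide threat level. The decision order mirrors the list above: default-deny segmentation first, then block on multiple anomalies, then require approval for privileged resources at a critical threat level, then step up to phishing-resistant MFA on a single anomaly or elevated threat. Successful requests receive a short-lived grant instead of a standing credential.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import secrets


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"              # demand phishing-resistant MFA before proceeding
    APPROVAL = "approval_required"   # a second person must approve the session
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    resource: str
    country: str
    hour_utc: int        # 0-23, hour the request arrived
    mfa_method: str      # "fido2", "otp" or "none" (constructed labels)


@dataclass(frozen=True)
class Baseline:
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range   # e.g. range(7, 20) for a daytime worker


# Constructed microsegmentation allow-list (hypothetical roles and resources):
# which role may reach which resource, and during which UTC hours.
# Anything not listed is denied (default deny).
SEGMENT_POLICY = {
    ("store-ops", "pos-backend"): range(5, 23),
    ("it-admin", "domain-controller"): range(8, 18),
    ("it-admin", "pos-backend"): range(0, 24),
}

PRIVILEGED_RESOURCES = {"domain-controller"}


def anomaly_score(req: AccessRequest, baseline: Baseline) -> int:
    """Count how many ways this request deviates from the user's normal pattern."""
    score = 0
    if req.device_id not in baseline.known_devices:
        score += 1
    if req.country not in baseline.usual_countries:
        score += 1
    if req.hour_utc not in baseline.usual_hours:
        score += 1
    return score


def evaluate(req: AccessRequest, baseline: Baseline, threat_level: str) -> tuple[Decision, str]:
    """Adaptive access decision: segmentation, then behaviour, then threat level, then MFA strength."""
    allowed_hours = SEGMENT_POLICY.get((req.role, req.resource))
    if allowed_hours is None:
        return Decision.BLOCK, "no segment policy permits this role to reach this resource"
    if req.hour_utc not in allowed_hours:
        return Decision.BLOCK, "outside the time window allowed for this resource"
    score = anomaly_score(req, baseline)
    if score >= 2:
        return Decision.BLOCK, f"{score} behavioural anomalies: block and alert"
    # Shrink access as the threat level rises: privileged resources need a second approver.
    if threat_level == "critical" and req.resource in PRIVILEGED_RESOURCES:
        return Decision.APPROVAL, "critical threat level: privileged access needs approval"
    if (score == 1 or threat_level != "low") and req.mfa_method != "fido2":
        return Decision.STEP_UP, "anomaly or elevated threat: phishing-resistant MFA required"
    return Decision.ALLOW, "within baseline and segment policy"


@dataclass(frozen=True)
class EphemeralGrant:
    token: str
    user: str
    resource: str
    expires_at: datetime


def issue_grant(req: AccessRequest, now: datetime, ttl: timedelta = timedelta(minutes=30)) -> EphemeralGrant:
    """Just-in-time grant: a random token bound to one resource that expires on its own."""
    return EphemeralGrant(secrets.token_urlsafe(32), req.user, req.resource, now + ttl)


def grant_is_valid(grant: EphemeralGrant, resource: str, now: datetime) -> bool:
    """A grant is only good for the resource it was issued for and only until it expires."""
    return grant.resource == resource and now < grant.expires_at


# Constructed sample data for a stand-alone run.
NOW = datetime(2025, 5, 1, 10, 0, tzinfo=timezone.utc)
ONE_HOUR_LATER = NOW + timedelta(hours=1)
BASELINE_ALICE = Baseline(frozenset({"laptop-7"}), frozenset({"GB"}), range(7, 20))
BASELINE_BOB = Baseline(frozenset({"laptop-3"}), frozenset({"GB"}), range(7, 20))
REQ_NORMAL = AccessRequest("alice", "store-ops", "laptop-7", "pos-backend", "GB", 10, "otp")
REQ_NEW_DEVICE = AccessRequest("alice", "store-ops", "unknown-1", "pos-backend", "GB", 10, "otp")
REQ_TWO_ANOMALIES = AccessRequest("alice", "store-ops", "unknown-1", "pos-backend", "XX", 10, "otp")
REQ_CROSS_SEGMENT = AccessRequest("alice", "store-ops", "laptop-7", "domain-controller", "GB", 10, "fido2")
REQ_ADMIN = AccessRequest("bob", "it-admin", "laptop-3", "domain-controller", "GB", 9, "fido2")

if __name__ == "__main__":
    for name, req, base, level in [
        ("normal", REQ_NORMAL, BASELINE_ALICE, "low"),
        ("new device", REQ_NEW_DEVICE, BASELINE_ALICE, "low"),
        ("two anomalies", REQ_TWO_ANOMALIES, BASELINE_ALICE, "low"),
        ("cross-segment", REQ_CROSS_SEGMENT, BASELINE_ALICE, "low"),
        ("admin, critical", REQ_ADMIN, BASELINE_BOB, "critical"),
    ]:
        print(f"{name:16} -> {evaluate(req, base, level)}")
```

The design point is that no single signal decides: the segmentation allow-list removes whole classes of lateral movement before behaviour is even considered, the threat level lets the organization shrink access for everyone at once during an incident, and the grant's expiry means a stolen token loses value on its own rather than living on as a standing credential.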
These attacks remind us to assume that breaches will happen and prepare to minimize damage, isolate threats, and prevent propagation. With Zero Trust principles, AI-driven adaptive access, phishing-resistant MFA and layered defenses, organizations can transform their security model from reactive to resilient.
For organizations looking to implement these access control and risk mitigation strategies, Xage Security can help. To learn more, request a meeting.