These threat actors are experts at using social engineering attacks, SIM swapping, and MFA fatigue attacks to breach networks and then steal data or deploy ransomware. However, soon after the news broke, BleepingComputer learned that the company did indeed suffer a breach utilizing tactics associated with Scattered Spider/Octo Tempest, but their defenses prevented the threat actors from doing significant damage to the network. After the attack, Co-op sent an internal email to employees warning them to be vigilant when using Microsoft Teams and not to share any sensitive data, likely out of concern that the hackers still had access to the platform. The threat actors stated they contacted Co-op's head of cyber security and other executives using Microsoft Teams messages, sharing screenshots of the extortion messages with the BBC. The threat actors reportedly conducted a social engineering attack that allowed them to reset an employee's password, which was then used to breach the network. The threat actors claim to have data from 20 million people who registered for Co-op's membership reward program. Sources told BleepingComputer that it is believed the attack occurred on April 22, with the threat actors utilizing tactics similar to the attack on Marks and Spencer. Today, the BBC first reported that affiliates of the DragonForce ransomware operation, the same hackers who breached M&S, are also behind the attack on Co-op. The threat actors then demand a ransom payment to retrieve a decryptor and promise that stolen data will be deleted. "As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems," Co-op told BleepingComputer. In attacks, the affiliates will breach a network, steal data, and ultimately deploy malware that encrypts the files on all of the servers and workstations.
The Co-op cyberattack is far worse than initially reported, with the company now confirming that data was stolen for a significant number of current and past customers. BBC correspondent Joe Tidy spoke to the DragonForce operator, who confirmed they were behind the attack and shared samples of corporate and customer data stolen during the attack. Instead, they are an amorphous community of financially motivated threat actors who congregate on the same Telegram channels, Discord servers, and hacking forums.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 02 May 2025 19:56:17 +0000