Headset on laptop showing IT help desks social engineering attack

IT Help Desks Across UK Victimized by “DragonForce” Social Engineering Attack

A recent spree of cyber attacks against major UK retailers is the work of a group called “DragonForce” that was able to successfully deploy the same social engineering approach against their IT help desks. The National Cyber Security Centre (NCSC) is warning that the group may try to build on this success by similarly targeting any and all of the country’s large businesses.

Social engineering approach proves effective against multiple IT help desks

DragonForce has hit three major UK retailers to date: Marks & Spencer, Co-op, and Harrods. Marks & Spencer was the first victim, hit with ransomware in late April that encrypted servers and disrupted its online ordering and in-person contactless payment systems. Co-op reported an attack shortly after that it has confirmed involved the theft of customer data, and Harrods reported a breach on May 1 but thus far says that it was able to contain it without significant damage.

The “DragonForce” group has stepped forward to claim all three incidents. This is a relatively new hacking group, but its tools and tactics suggest a connection with the former Scattered Spider/Octo Tempest attackers that famously hit Caesars and MGM in 2023, severely disrupting casino-hotel operations for the latter for a substantial amount of time after they refused to pay a ransom. It is still not entirely clear who the DragonForce team is but Scattered Spider was unusual among criminal ransomware groups in being made up of mostly teenagers from the US and UK, something that helped it lead with effective social engineering approaches to gain its initial footholds.

In at least two of the attacks, those on Co-op and Marks and Spencer, the group is confirmed to have used very similar social engineering approaches to convince the IT help desks to have an employee password reset. They then moved on to steal a Windows Active Directory Services database that contains password hashes for company Microsoft accounts.

It is unclear if customer data was lost in the other two attacks, but the threat actors claim that they stole the profile information of some 20 million members of the Co-op member rewards program. The threat actors shared screenshots of their extortion messages to the company with BBC reporters as evidence of their claim. Marks and Spencer was forced to suspend online ordering of clothes and furniture through the final week of April and first week of May, and reports losses of 30 million pounds thus far while seeing its share price drop 12% over that period.

NCSC is now warning that all large businesses in the UK, not just the retail sector, should anticipate having their IT help desks approached in a similar way by threat actors. However, the agency has also not formally confirmed that DragonForce is behind all of the attacks or that there is a link between them.

Is the security level of IT help desks adequate?

DragonForce first publicly emerged in mid-2023 as a supposed “hacktivist” group in support of Palestine, though it was soon revealed to be a profit-seeking ransomware group that attacks targets that have a tenuous connection to that conflict at absolute best. The group now openly advertises on the dark web as a ransomware-as-a-service (RaaS) operator, providing affiliates with its tools in return for 20% to 30% of the take.

Some analysts feel DragonForce may be an emerging leader among RaaS groups, a market that usually sees new players rise to the top once every year or two as the most successful ones draw too much attention and eventually get taken apart by law enforcement. The group is already referring to itself as a “cartel” and has a branded form of ransomware that it provides to affiliates, which can be purchased as a “white label” service that the threat actor partners put their own name on. The group promised in at least one interview that it would not allow attacks on hospitals that might cause real-world harm to patients, though other major ransomware gangs have made similar promises and then backed out of them later.

DragonForce thus far denies any connection to Scattered Spider, but it is possible that members of that group joined up after it was broken up by a wave of law enforcement arrests in mid-2024. Six arrests were made across the US and UK, though it is likely that members of the group remain at large.

NCSC is strongly recommending that all large UK firms review the practices and training of their IT help desks in the wake of these attacks, particularly the procedures for authorizing an employee password reset request if the account has escalated privileges that would provide the attackers with lateral movement opportunities or direct access to customer or financial data.

The agency has published a list of recommendations for security hardening of IT help desks that includes special monitoring for risky logins flagged in Microsoft Entra ID Protection, regular auditing of admin accounts to very legitimate access, and ensuring that security teams are able to tell when a login originates from a suspicious source such as a residential VPN. The identity verification procedures of IT help desks should also be carefully reviewed.

Piyush Pandey, CEO at Pathlock, adds: “This incident shows that organizations must not only authenticate users but also continuously validate their risk posture and behavior throughout their digital journey. In such cases, even if attackers gain unauthorized access to the corporate network through sophisticated social engineering techniques, their malicious activity can be detected and stopped early. Combining behavioral analytics with centralized access governance ensures that only the right people, not just the “right credentials, ” can access critical systems.”

Ms. Aditi Gupta, Senior Manager, Professional Services Consulting at Black Duck, additionally observes that this is far from the first time that attackers have deployed these tactics against IT help desks: “Social engineering skills and the use of AI to impersonate employees, is a common tactic utilized by many threat actors that is becoming increasingly familiar. One security strategy to combat this is for organizations to create a threat model for their enterprise. It is important to identify the surface area and exposure of the organization to threat actors. This can apply to applications, the network and most importantly, customer facing employees such as the helpdesk. Securing the perimeter of an organization needs to include a tailored strategy for each entry point.”