Cyber correspondent, World Service
Bloomberg via Getty ImagesAn abusive email sent by the Marks & Spencer hackers to the retailer’s boss gloating about the hack and demanding payment has been seen by the .
The message to M&S CEO Stuart Machin – which was in broken English – was sent on the 23 April from the hacker group called DragonForce using the email account of an employee.
The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge.
“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” the hackers wrote.
“The dragon wants to speak to you so please head over to [our darknet website].”
The extortion email was shown to the by a cyber-security expert.
The blackmail message, which includes a racist term, was sent to the M&S CEO and seven other executives.
As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers.
Nearly three weeks later customers were informed by the company that their data may have been stolen.
The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) – which has provided IT services to M&S for over a decade.
The Indian IT worker based in London has an M&S email address but is a paid TCS employee.
It appears as though he himself was hacked in the attack.
TCS has previously said it is investigating whether it was the gateway for the cyber-attack.
The company has told the that the email was not sent from its system and that it has nothing to do with the breach at M&S.
M&S has declined to comment entirely.
‘We can both help each other’
A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic.
Sharing the link – the hackers wrote: “let’s get the party started. Message us, we will make this fast and easy for us.”
The criminals also appear to have details about the company’s cyber-insurance policy too saying “we know we can both help each other handsomely : ))”.
The M&S CEO has refused to say if the company has paid a ransom to the hackers.
DragonForce ended the email with an image of a dragon breathing fire.
The email confirms for the first time the link between M&S’s hack and the ongoing Co-op cyber-attack, which DragonForce have also claimed responsibility for.
The two hacks – which began in late April – have wrought havoc on the two retailers. Some Co-op shelves were left bare for weeks, while M&S expects its operations to be disrupted until July.
Although we now know that DragonForce is behind both, it is still not clear who the actual hackers are.
DragonForce offers cyber-criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected.
Anyone can sign up and use their malicious software to scramble a victim’s data or use their darknet website for their public extortion.
Nothing has appeared on the criminal’s darknet leak site about either Co-op or M&S but the hackers told the last week that they were having IT issued of their own and would be posting information “very soon.”
Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China.
Speculation has been mounting that a loose collective of young western hackers known as Scattered Spider might be the affiliates behind the hacks and also one on Harrods.
Scattered Spider is not really a group in the normal sense of the word. It’s more of a community which organises across sites like Discord, Telegram and forums – hence the description “scattered” which was given to them by cyber-security researchers at CrowdStrike.
Some Scattered Spider hackers are known to be teenagers in the US and UK.
The UK’s National Crime Agency said in a documentary about the retail hacks, that they are focusing investigations on the group.
The spoke to the Co-op hackers who declined to answer whether or not they were Scattered Spider. “We won’t answer that question” is all they said.
Two of them said they wanted to be known as “Raymond Reddington” and “Dembe Zuma” after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist.
In a message to me, they boasted: “We’re putting UK retailers on the Blacklist.”
There have been a series of smaller cyber-attacks on UK retailers since but none as impactful of disruptive as those on Co-op, M&S and Harrods.
In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to Scattered Spider.
The UK’s national cyber-crime unit has confirmed to the that the group is one of their key suspects.
As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. “We won’t answer that question” is all they said.
