In recent weeks, several major UK retail brands, including M&S, Harrods, and the Co-operative Group, have suffered significant cyberattacks that disrupted business operations. These incidents are claimed to have been orchestrated by the DragonForce ransomware group.
As a former Head of IAM at a major retailer, I’ve been part of the response to identity-first attackers, and I have deep empathy for the teams who are working tirelessly to respond and recover. While the full scope of these breaches is still coming to light, early signs point to an identity-first threat actor. DragonForce are known to exploit identity weaknesses and then move laterally through compromised credentials. Their methodology highlights something we’ve been saying for years: identity is the new battleground. These attackers target who you are rather than what you have.
While you can’t fix everything in a day, I’ve outlined a few steps that, based on my experience, identity and security teams can take now to get closer to where they want to be.
Understanding the attacker: An identity-first approach
So, who are these attackers, and how do they operate? DragonForce use TTPs similar to those of Scattered Spider and are known to use phishing emails, exploit known vulnerabilities, and leverage stolen credentials to gain initial access to victim networks.
Their playbook starts with the most vulnerable link in any security chain: humans. They’re masters of social engineering, crafting convincing phishing campaigns, executing SIM swaps to hijack phone numbers, and launching “MFA fatigue” attacks where they bombard users with authentication requests until someone simply gives in and approves one. They’re particularly fond of targeting helpdesk staff, manipulating them into resetting passwords and providing that crucial first foothold.
Once inside, they move methodically. They look for accounts protected by just a username and password, using these to move through networks. Service accounts—non-human identities that keep systems running but often fly under the radar—are often targeted, offering privileged access with minimal monitoring. From there, it’s a matter of increasing their privileges and positioning themselves to deploy ransomware where it hurts most. What makes this approach so devastating in retail isn’t just the sophistication; it’s that it exploits blind spots that are particularly common in retail environments.
Retail’s complex identity landscape
If you work in retail security, you’re already facing unique challenges that make identity protection especially difficult.
You manage tens, hundreds or thousands of locations—plus online businesses—that all need consistent security controls despite varying local conditions and operational constraints.
Your infrastructure is a complex hybrid of on-prem systems alongside newer cloud environments, all of which need protecting. Your critical systems may have been in place for many years, designed before modern identity security was even a consideration.
Your operations likely rely on countless third-party vendors and service providers, each requiring specific access to your systems. Meanwhile, you’re enabling frontline workers with corporate accounts for greater business efficiency and security, but in doing so, you’re accidentally increasing your identity attack surface multiple times over. All the while, you’re tackling a workforce that grows rapidly with seasonal demand, making identity governance a constantly moving target.
These realities mean a large attack surface for identity-based threat actors to exploit.
Admin accounts often lack proper oversight and protection. Non-human identities, from Active Directory service accounts to cloud workloads, frequently operate with extensive access and minimal monitoring. MFA implementation is typically inconsistent, especially for backend systems. And the interconnected nature of retail environments creates countless pathways for attackers to move between systems once they’ve gained initial access.
Building retail-specific identity defenses
The recent retail breaches can act as a catalyst for identity and security teams to revisit and accelerate key initiatives—especially those that may have already faced pushback from teams focused on operational efficiency. Moments like these can help align priorities across the organization. If I were in their shoes, here’s what I’d focus on right now:
1. Protect initial access points
- Enforce comprehensive MFA: Verify that all external access points to systems are secured with MFA, including VPNs, SaaS applications, and other internet-facing systems.
- Implement phishing-resistant MFA: Move to number matching at minimum (remember to remove the non-phishing-resistant factors too) and consider “unphishable” FIDO2 authenticators (like YubiKeys) for prime targets, such as IT and security teams.
- Secure password reset processes: Harden helpdesk procedures with strict identity verification protocols. Consider temporarily implementing in-person resets for your most critical accounts.
- Protect MFA management: Ensure second factors can only be added or changed with appropriate identity verification, not just with username and password.
2. Prevent lateral movement post-compromise
- Extend MFA coverage internally: MFA must extend beyond the perimeter to internal systems and infrastructure access, especially Active Directory environments that are prime targets for threat actors and ransomware groups. Protecting RDP alone is not enough—this must be on all protocols (PowerShell, for example, is favoured by attackers).
- Protect non-human identities (NHIs): Implement strict controls on service accounts, limiting where they can be used and alerting on any unusual activity patterns that could indicate compromise.
- Contain vulnerable legacy protocols: Restrict legacy authentication protocols like NTLMv1 to the applications that absolutely require them.
- Implement identity segmentation: Create security boundaries between different parts of the retail environment to contain breaches; for example, by disallowing server authentication from your retail sites.
3. Monitor for identity threats
- Deploy Identity Threat Detection & Response: Implement ITDR to identify anomalous behaviors like lateral movement attempts and equip your SOC to respond.
- Focus on service account activity: Create detailed baselines of normal service account behavior and alert on deviations.
- Monitor privileged account usage: Track admin account activity with particular attention to cross-tier usage where high-privilege accounts access lower-security environments.
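The service account baselining, cross-tier admin monitoring, store-to-server segmentation and legacy protocol containment described in sections 2 and 3 can be expressed as a handful of rules over authentication events. The following is an added illustration, not Silverfort code or part of the original post; the log tuple format, the account and host tier assignments and the sample events are all constructed for the example.

```python
from collections import defaultdict

# Constructed learning-period events (hypothetical log format):
# (timestamp, account, source_host, target_host, protocol)
BASELINE_EVENTS = [
    ("2025-04-01T02:00", "svc_backup", "BKP01", "FS01", "Kerberos"),
    ("2025-04-01T02:05", "svc_backup", "BKP01", "FS02", "Kerberos"),
    ("2025-04-02T02:00", "svc_backup", "BKP01", "FS01", "Kerberos"),
    ("2025-04-01T09:00", "svc_sql", "APP01", "SQL01", "Kerberos"),
]

# Hypothetical tiering: 0 = domain controllers and admins, 1 = servers and
# service accounts, 2 = store estate (tills, store workstations).
ACCOUNT_TIER = {"adm_alice": 0, "svc_backup": 1, "svc_sql": 1, "store17_till": 2}
HOST_TIER = {"DC01": 0, "FS01": 1, "FS02": 1, "SQL01": 1, "BKP01": 1, "APP01": 1,
             "POS-STORE17": 2, "WS-STORE17": 2}
LEGACY_PROTOCOLS = {"NTLMv1"}


def build_baseline(events):
    """Record each (source, target, protocol) triple a service account used while learning."""
    baseline = defaultdict(set)
    for _, account, src, dst, proto in events:
        if account.startswith("svc_"):
            baseline[account].add((src, dst, proto))
    return baseline


def check_event(event, baseline):
    """Return (rule, detail) alerts for one event; an empty list means nothing unusual."""
    _, account, src, dst, proto = event
    alerts = []
    # Rule 1: service account used on a path never seen during the baseline period.
    if account.startswith("svc_") and (src, dst, proto) not in baseline.get(account, set()):
        alerts.append(("svc_deviation", f"{account} {src}->{dst} via {proto}"))
    acct_tier, src_tier, dst_tier = ACCOUNT_TIER.get(account), HOST_TIER.get(src), HOST_TIER.get(dst)
    # Rule 2: higher-privilege account (lower tier number) authenticating into a less secure tier.
    if acct_tier is not None and dst_tier is not None and dst_tier > acct_tier:
        alerts.append(("cross_tier", f"tier-{acct_tier} {account} -> tier-{dst_tier} {dst}"))
    # Rule 3: store endpoint authenticating to a server or DC, crossing the segmentation boundary.
    if src_tier == 2 and dst_tier is not None and dst_tier < 2:
        alerts.append(("store_to_server", f"{src} -> {dst} as {account}"))
    # Rule 4: legacy protocol that should be confined to an explicit allow-list of applications.
    if proto in LEGACY_PROTOCOLS:
        alerts.append(("legacy_protocol", f"{proto} used by {account} to {dst}"))
    return alerts


def scan(events, baseline):
    """Run every rule over a batch of events, returning (timestamp, rule, detail) findings."""
    return [(ev[0], rule, detail) for ev in events for rule, detail in check_event(ev, baseline)]
```

In a real estate the baseline would be learned from weeks of directory or identity-provider logs and the tier maps driven from the asset inventory; the rule logic stays the same.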
Real-world protection in action
This isn’t just theoretical advice; it’s based on real battles against the exact threats targeting retailers today.
Take the case of a Silverfort customer who faced a lateral movement attack similar to what M&S is experiencing now. Attackers had already compromised two administrator accounts and a service account, typically a recipe for disaster. But because they had implemented MFA across all internal systems and automated service account protection, they detected and blocked the attack in its early stages, preventing what could have been catastrophic damage to their operations. You can read the full case study here.
Or consider another organisation, a leading manufacturer, that prevented lateral movement during a sophisticated supply chain attack. Nation state actors had compromised a factory network and were attempting to pivot into the company’s domain environment through employees’ laptops. By implementing policies that detected and blocked unusual authentication attempts, particularly those using vulnerable protocols like NTLM, their security team stopped the attack before it could establish a foothold. This detailed case study is available here.
Secure today, build for tomorrow
While these immediate actions will help contain identity risks quickly, there are other protections to consider that are longer-term investments.
Identity Security Posture Management (ISPM) can proactively discover and address identity weaknesses before attackers find them. Create a true “closed loop” of identity security where account setup and recovery processes require strong verification at every step.
Look at automating your identity lifecycle with special attention to the often overlooked non-employee and non-human identities. Reduce reliance on local accounts that bypass central identity controls, and begin the journey toward zero standing privileges, where access is provided just in time and just enough, dramatically reducing the attack surface that DragonForce, Scattered Spider and similar groups exploit.
For your non-human identities, consider moving toward ephemeral credentials rather than static, high-risk credentials like long-lived service account passwords, secrets, API keys, and SSH keys. This eliminates one of the most pervasive risks in retail environments—compromised service account credentials that provide attackers with persistent access.
Mind the identity gap
Traditional approaches to securing identities simply aren’t sufficient against today’s identity-focused attackers where every account and authentication presents a risk.
For retailers, where system availability directly impacts the bottom line and customer trust is paramount, getting identity security right—containing the risk of account compromise, lateral movement and ultimately ransomware—is essential.
By understanding how groups like DragonForce operate and implementing comprehensive identity security measures, you can significantly reduce your risk profile.
As we’ve seen from real-world examples, properly implementing identity security can be the difference between business as usual and a headline-hitting breach. Download our ebook, Retail Roulette: Facing and Overcoming Identity Security Challenges.