Hackers strike Harrods in latest UK cyberattack
observer.co.uk76 points by dijit 6 hours ago
76 points by dijit 6 hours ago
Just two days ago the BBC published[1] a story about how a ransomware group tried to infiltrate their network by.... approaching their cybersecurity correspondent.
I wonder if it was the same group.
From the article, it sounds like this was earlier in the year, but they're only revealing it now? Isn't that way beyond the deadline for such things?
Does the UK actually have a mandated deadline for any kind of infosec disclosure?
If the breach contains personal data then you are supposed to report it within 72 hours:
https://ico.org.uk/for-organisations/report-a-breach/persona...
We were still in the EU when GDPR came along, and we haven't repealed our implementation of it, the Data Protection Act ( 2018 ), which has mandated disclosure in line with GDPR.
Even pre-GDPR we had much stronger data protection than most countries with the Data Protection Act ( 1998 ), although I don't remember that having disclosure rules, it did have a lot of things that companies only freaked out about post GDPR and the weight of the EU behind severe penalties.
Terrible tech reporting, as is the norm.
https://www.bbc.com/news/articles/c8d70d912e6o indicates that the recently announced breach was separate from the one in May (for which the attackers were arrested in July?). I think the one in May leveraged CVE-2025–31324.
I know very little about cyber security in the wild - little Bobby Tables is about my level.
Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side? There has been a sleugh of cyberattacks recently and I don't know what to make of it.
If it's kind of like getting burgled - get good home security but a determined burglar will get in anyway - then it's a systemic problem we have to somehow tackle as a society. And if it's shoddy workmanship, again, it would appear so widespread that we have to do something about it.
I'm not passing judgment, just trying to understand.
IMO it's shoddy. Anybody can get hacked, that's true. But a modern corp that has tried to defend itself should have multiple layers of defenses against complete pwnage.
If you've paid attention in the last 10 (or even 5) years as a company, and did some pentests and redteams, you've seen how you could be breached, and you took appropriate steps years ago.
A non-shoddy company will have:
- hardened their user endpoints with some sort of modern EDR/detection suite.
- Removed credentials from the network shares (really).
- Made sure random employees are not highly privileged.
- Made sure admin privileges are scoped to admin business roles (DBA admin is not admin on webservers, and vice-versa).
- Made sure everyone is using MFA for truly critical actions and resource access.
- Patched their servers.
- Done some pentests.
This won't stop the random tier 2 breach on some workstation or forgotten server still hooked up on prod/testing, but it will stop the compromise _after_ that first step. So sure, hackers will still shitpost some slack channel dumps, but they won't ransomware your whole workstation fleet...
I guess you forgot the most important part: making sure your security and devops teams and people in company management follow exactly the same protocol as everyone else with no exception.
Because big bosses hate it when their PC don't just let them run whatever they want and they are not allowed to VPN into network from their home or their grandma desktop because they like her very much.
Also any Linux nerd sysadmin dude (like me) who know better is another type of person who hate following rules.
There is no system in use by a commercial entity in the world that can stop criminals with ~10 M$ from completely bypassing all of their security and doing arbitrary amounts of damage. If the attackers can on average derive more than 10 M$ of return, then you are guaranteed profitable to hit.
For instance, in the 2023 casino hacks of MGM and Caesars, Caesar paid a random of ~15 M$, making them profitable. In the JLR hack, JLR has incurred ~500 M$ of damage to date. These attacks cost less than 10 M$ to create and deploy guaranteed.
However, most commercial systems are vastly easier to hit than even 10 M$. I would venture that most of these high profile attacks are on the order of merely ~10-100 K$ to actually create and deploy making them wildly profitable with a ROI in the 10-1000(!) range. And, if you have the choice of spending 100K to get 15 M$ or 10 M$ to get 15 M$, it is pretty obvious who you would prioritize.
It is like the story of two people and the hungry bear. Even if you can not outrun the bear, if you can outrun the other person then the bear will tear you apart second.
So it is both. Everything is shoddy. Some are dramatically more shoddy than others. And the hungry bears are breeding so they can eat all the dodos.
No doubt there are some professional cyber criminal groups like ones from North Korea, but I seriously doubt that most of high-profile attacks even cost $10-100k. I mean you could say that if salary of random black hat researcher from Turkey, ex-USSR or Nigeria was $100,000 / year. But they obviously have no salary whatsoever and just trying and trying until they finally find suitable target.
Most likely all that was used is $50 / month server for nmap and other tools, bunch of $3 / month VPNs. Or might be everything that was needed is $10 for a eSim and one scam call.
And of course a lot of time of a person who can't get properly paid job anyway. Obviously might be only few people succeed, but in the end each particular attack cost peanuts.
> Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side?
That's a really good question and one that I've asked (myself) many times. What I can't understand is that on one side you have an IT division that (probably) has a substantial budget, security hardware and software layers, security strategies and probably hundreds of personnel. On the other side you have a group of hackers/crackers who have none of the above, but often succeed. How does that work? Srsly!
From a brief review, it looks like the underlying platform they use is https://www.scayle.com/ (though I'm not sure its the one that was attacked) its just the one I found while looking at their site.
It's almost like they earned enough from the data that the risk was worth it
How much time before a large bank will be held hostage by such an attack?
It's likely already happened, but we will never hear about it. Their attack surfaces will be clustered and broken up, through an inhomogenous distribution of various systems and layers and networks, and the entirety of the system will be protected through disjoint connections, both the intentional and the bureaucratic and structural that follow from the mere fact of being really big organizations. Any particular unit within the whole that gets pwned will have recovery tactics available, but reporting will probably be kept as private as humanly possible, even to the extent of avoiding reporting to government, so as to avoid "damage" to markets, loss of reputation, runs on the bank, and so forth. If they don't have a near instant recovery and mitigation of the attack, they'll be much more likely to pay and recover, quietly, than most other organizations. There are laws and regulations and boxes that get checked to ostensibly hold them to a high cybersecurity standard, but that's a lot of theater and pomp for public confidence over anything practical. Where they benefit is from being able to pay for teams and high quality security personnel and being incentivized to avoid getting hacked.
It's not in anyone's interest to make a lot of fuss or noise in the public eye, so us chickens out here won't ever hear about anything that happens.
That comes with the caveat that the big banks can afford to pay really nasty people to go find hackers and turn them over to authorities, or worse options in more lawless parts of the world, and the public will never hear about those actions either, which disincentivizes the hackers. There are easier ways of getting more money with less risk of catastrophic personal outcomes, with the technical difficulty of even attempting anything serious filtering out the impulsive and stupid.
Just because you never heard about, say, the BancoEstado ransomware attack doesn't mean it was covered up. It's actually pretty much impossible to cover up impactful ransomware events for several very obvious reasons.
For sure, but these are the level of organizations that have PR firms on hand to put in a lot of work to suppress news, to frame things in as bland a manner as possible, to use all the available tools to ensure that even if things get reported, they're noticed as little as possible. Authorities often work with them to suppress and gag reporting of specific institutions that get hit, for a variety of reasons, but obviously including corruption - it's easy to convince politicians that they don't want pension funds or mortgage lenders or whatever to take a hit from negative publicity.
Over the last 5 years, dozens of huge financial firms - banks, hedge funds, credit unions, mortgage lenders, etc - have been hit, and about 15-20% pay the ransoms.
Even if public notice is mandated, there are probably cases where it's an obscure notification on some official government website, or a 3-4 page deep "announcement" on a company page phrased to look innocuous and routine. "We experienced a cybersecurity incident which was resolved" or what have you.
It's fairly trivial for them - routine - to cover things up, right out in the open, and with the speed of the news cycle, it's only gotten easier.
We should probably mandate disclosure by big corporations, institutions, and banks through a glaringly obvious, top half of the front page of their website, blunt declaration for 30 days, with a government page listing incidents and responses for 5 years. "XXX Corp was hit by ransomware and paid $123 in bitcoin to the APT Group AwfulAsshats"
Mandating by law that ransom not be paid puts the onus of maintaining proper disaster and ransomware recovery on the insitutions - if you're handling a huge scale of resources, you're on the hook for responsibly managing your employees security and livelihoods, your users and customers assets and data, and not incentivizing ransomware as a viable avenue of attack. If you can't handle the responsibility of securing against ransomware, you've no business handling people's data and money, frankly.
This would wipe out a whole slew of nonsense businesses, I think.
"Bank runaway" and "Loss of confidence in markets" does it.
That works for your country. Why aren't banks in smaller countries affected? Their security is not good, and markets aren't important.
In Costa Rica there was an incident where the equivalent of the IRS was held ransom and the government didn't pay. (Thumbs up to them.) Again, why doesn't that happen to banks there?
Depends on the confidence and appetite for risk of the leadership, what they're instructed to do by boards, what they think they can or should get away with. If it's a hesitant political creature who wants to hide weakness it's going to be much different outcome than a strong leader with a principled stance, like Costa Rica.
Lots of shitty behavior is grounded in what weak people imagine other people will think of them, and them bending over backwards to hide and cover up and obfuscate. Those are the ones that pay ransomware gangs, and they're also the ones that don't plan ahead and prepare responsibly.
Luckily, the Venn diagram overlap of black hat hackers and greying IBM mainframe programmers who understand things like JCL, RPG, COBOL and VSAM is a very small one indeed.
> JCL, RPG, COBOL and VSAM
Nobody understands those things, they just take working code and modify it.
Hell a lot of it isn't modified. I've recently seen cobol files with a last modified entry of '85.
Great, that'll be another intelligence review Monday morning.
Can someone give the kids a ping pong table or something so i can eat my breakfast in peace?
Bad news, folks: the erudite hackers have added an apostrophe to Harrod's logo
For some reason the "no apostrophe" thing is common in UK company names.
The greengrocer’s have taken the entirety of the British High Streets apostrophe supply.
6 orange’s for just £3!
It is this grammatical "mistakes" that make it so obvious a scam is a scam. I often raised my eyebrows at phishing messages and wondered if they knew grammar, but then realized in Nigeria this is their most appropriate grammatical structure and language begins with "Dear Sir..."
Interestingly, it's common in the Midwest to add "'s" where it doesn't exist when referring to a brand e.g. calling Costco "Costco's".
https://styleblueprint.com/everyday/why-do-people-add-s-to-t...
It's because shops were traditionally named after the people who owned them. There are still loads of shops bearing people's names, even now.
"Sainsbury's" supermarket used to be "J. Sainsbury's" named after its founder John Sainsbury, &c. "Morrisons" was "Wm Morrison" founded by William Morrison. So when you refer to a shop you say Sainbury's as in [Mr.] Sainsbury's shop, or "Morrison's" as in Mr. Morrison's shop.
Then this becomes so ingrained it gets misapplied sometimes. I don't think I'd ever say Asda's though. But I would say Tesco's, even though Tesco is the initials of three people.
Surely this is the same worldwide?
As mentioned above, in Liverpool, Asda becomes Asdas. Whether it has an apostrophe or not I don't know.
Similarly common in the UK, or at least where I am (Glasgow, Scotland).
Completely normal to say "Tesco's", "Aldi's" etc.
Marks and Spencers.
Wait..make that "Markses".
Some companies decided to embrace the pattern: Goldberg became Goldbergs, Morrisons, Dobbies...
[flagged]
> A new cybersecurity and resilience bill will make it mandatory to report more incidents. The bill’s slow progress is frustrating security experts, according to Jamie MacColl, a senior research fellow at Rusi. However, ministers have been reluctant to impose more regulation on businesses, but having “major cybersecurity incidents is not good for economic growth,” he said.
A minister's bill is less effective than a Ukrainian soldier's bullet.
Funny you say this because Scattered Spider is largely made up of Western teenagers, not Russians.
There is a fair bit of grooming going on out there on the private discord channels and similar.
> In July, four people including a 17-year-old boy were arrested on suspicion of being involved in cyberattacks on Harrods, the Co-op, and Marks and Spencer, and were bailed pending further inquiries.
Your proposal is we have a foreign army come over and start executing children? What is this Bush era nonsense.
My proposal is the Western world do more to support the Ukrainian military, defeat the Putin regime militarily, and usher in the collapse of the russian federation.
You can't have state-sponsored cyber-attacks if the state sponsoring the cyber-attacks goes away.
No, I am not proposing anyone start killing children. What a ridiculous misinterpretation of my words. It's the russian military who kill kids[0], and nobody should be ok with that. It's also the russian government recruiting children to commit acts of sabotage[1] abroad.
[0]: https://www.politico.eu/article/former-wagner-group-commande...
[1]: https://www.justiceinfo.net/en/147402-ukraine-fsb-recruits-t...
I generally agree with your stance about the situation in eastern Europe, but there's no particular reason to connect that to this incident. There's no public evidence that this was state-sponsored or even connected to Russia at all. They definitely provide sponsorship and cover to a lot of attacks, but still are not the only source of online crime. We have plenty in the US and the UK and everywhere else.
Yup, I find I hard to believe kids have suddenly discovered hacking in the last two years.
It's either covertly state sponsored, or outsourcing everything to India is finally showing some results.
You know more than one thing can be true at once though right?
I.e.some combination of state sponsored, opportunistic script kiddies and better reporting. After the earlier attacks subsequent ones get more press as well.
What's state sponsored about a bunch of bored children putting in dummy calls to retail helpdesks?
I dont see what this has to do with russia russia russia
It's literally in the article.
> Although cyberattacks have become more high profile, there is little reliable data on how many attacks take place in the UK each year. Hackers are drawn from a mix of organised criminal gangs, those sponsored by state actors including Russia and China, and hacktivists with a political agenda, according to a report by the Royal United Services Institute (Rusi).
That's just a general statement; nothing suggests these children are working with or acting on behalf of Russia.
More likely they are spectrum'd to fuckery or pushing a political agenda.
> More likely
What are you basing this probability on?
The UK and EU has seen a significant increase in cyber-attacks and acts of sabotage since February 2022. In some cases, evidence has been found that the attacks were orchestrated by the russian government.
I suppose it's all one big coincidence?
Unfortunately, it's become Bush-Obama-Biden-Trump era nonsense because it seems ingrained now.
Add all your other "western leaders" out there who also seem to love and push for wars fought by others and not their children or themselves.
Ah, nothing like the war hawk who cowardly wants violence and murder from the safety of their computer and see the world as good Vs guys movie where everything is solved with good old murder.
If you care so much go out yourself out there. Go fight that war. See how much it helps.
1984 style war propaganda. Get a grip.
This thread has become reminiscent of this HN classic: https://news.ycombinator.com/item?id=35079
>1984 style war propaganda
Nothing screams newspeak-like thinking than western 'pacifists' that thinks self-defense, from an enemy that explicitly wants to harm us and destroy our way of living, is somehow violent. This kind of opinions are literally killing people.
I've spent enough nights in bomb shelters in Ukraine, and I have a medal from the Ukrainian military for my contributions.
How about you?