Harrods becomes the third top UK retailer to fend off a cyberattack

Nefilim attacker charged & extradited to US, Hacker pleads guilty to Disney Slack data theft, WI man lands 3.75-year sentence for swatting spree, Apple sent new round of spyware notices, Raytheon and Nightwing Group fined for bad cyber, Kraken toys with fake DPRK job applicant, much more

Source: Edwardx


Harrods, the luxury London department store, has become the latest prominent retailer targeted by cyber hackers, fending off a cyberattack just days after Marks & Spencer and the Co-op were struck by their own cyber incidents.

The luxury department store is understood to have been forced to shut down some systems, but its website and all its stores, including the Knightsbridge flagship, H Beauty, and airport outlets, continued to operate. The retailer first realised it was being targeted earlier this week.

Harrods said: “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”

The retailer said it was not asking customers to take any action, indicating that it did not suspect data had been accessed. It added: “We will continue to provide updates as necessary.”

The attack on Marks and Spencer has been attributed to the English-speaking hacking group Scattered Spider. In the latest curtailment imposed on Marks and Spencer, the retailer has had to pause hiring new workers.

The company said it had removed all online job postings from its website, as its recruitment systems were on hold while tech experts dealt with the consequences of a hack that also forced M&S to close its online shop.

A message on M&S’s jobs website said: “Sorry you can’t search or apply for roles right now, we’re working hard to be back online as soon as possible.” (Mark Kleinman / Sky News and Sarah Butler / The Guardian)

Related: NCSC, London Evening Standard, BBC News, Metro, The Sun, Financial Times, Daily Mail, Mirror, iNews, The Standard, The Guardian

Federal prosecutors said Ukrainian citizen Artem Stryzhak was charged and extradited to the United States for allegedly using Nefilim ransomware to attack large companies in the US and elsewhere.

He was arrested in Spain in 2024 and sent to the US on Tuesday. He was expected to appear yesterday before a federal judge in Brooklyn.

A highly redacted indictment describes the Nefilim ransomware scheme, alleging that Stryzhak and others agreed to give administrators 20 percent of their proceeds in exchange for access to the malware. Prosecutors focused on a spree that started in the summer of 2020 and continued into the fall of 2021.

Nefilim attacks have caused “millions of dollars in losses” overall between ransom payments and damage to computer systems. The ransomware operation, also known as Nephilim, was a rebrand of an earlier scheme known as Nemty. 

Stryzhak’s access to the ransomware began in June 2021, prosecutors said, and he was encouraged to target companies in the US, Canada, or Australia with more than $200 million in annual revenue. At its peak, Nefilim was known for securing larger payouts compared to other operations that were less choosy with targets.

The indictment says Nefilim victims in the US included companies in industries such as aviation, engineering, chemicals, eyewear, insurance, construction, energy, and pet care. The ransomware’s users also deployed otherwise legal tools such as the file-transfer software WinSCP and hacking platform Cobalt Strike. (Joe Warminsky / The Record)

Related: Justice Department, Justice Department, Brooklyn Eagle, Bleeping Computer, Cyberscoop, Security Week, Cybernews

The US Justice Department announced that California man Ryan Kramer, who used the alias "NullBulge," has pleaded guilty to illegally accessing Disney's internal Slack channels and stealing over 1.1 terabytes of internal company data.

Authorities say Kramer created a malicious program in early 2024 that was promoted on GitHub and other platforms as an AI image generation tool.

However, the DOJ says this program was malware that allowed Kramer to access the computers of those who installed it to steal data and passwords from the device.

One of the people who downloaded the program was a Disney employee, Matthew Van Andel, who executed it on his computer. This gave Kramer access to his device, including the passwords stored in his 1Password password manager.

Using Van Andel's stolen credentials, Kramer accessed Disney's Slack channels, downloading 1.1TB of corporate data. He then contacted Van Andel, posing as a Russian hacktivist group called "NullBulge," warning that his personal information and Disney's stolen Slack data would be published if he didn't cooperate.

After receiving no response, NullBulge posted a message on the BreachForums hacking forum on July 12, 2024, titled "DISNEY INTERNAL SLACK," where he claimed to have breached Disney and leaked 1.1TB of stolen data, including Van Andel's personal info.

Kramer has pleaded guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer. Each charge carries a statutory maximum sentence of five years in federal prison. (Lawrence Abrams / Bleeping Computer)

Related: Justice Department, CyberInsider, Variety, Inside the Magic, The Desk, Deadline, Cyber Security News, The Wrap, The Hollywood Reporter, GBHackers, WDW News Today, KTLA

Kramer's Disney post on the BreachForums hacking forum. Source: BleepingComputer.

The US Justice Department announced that Kya Christian Nelson of Racine, Wisconsin, was sentenced to three years and eight months in federal prison in a “swatting” spree in which he and others accessed Ring doorbell accounts and placed hoax calls that elicited police SWAT responses.

According to the US Attorney's Office, he pleaded guilty in January to three felony charges: conspiracy and two counts of unauthorized access to a protected computer to obtain information.

Nelson and James Thomas Andrew McCarty of Charlotte, North Carolina, were each charged in December 2022 in Los Angeles federal court. McCarty was sentenced in June 2024 to seven years in federal prison.

Prosecutors said that for one week in November 2020, Nelson and McCarty gained access to home security door cameras sold by Ring LLC, a Santa Monica-based home security technology company. The indictment states that they also acquired username and password information for victims’ Yahoo email accounts. (My News LA)

Related: Justice Department, Los Angeles Times, Milwaukee Journal-Sentinel

Apple sent notifications this week to several people whom the company believes were targeted with government spyware, according to two of the alleged targets.

Only two people appear to have come forward to reveal that they were among those who received the Apple notifications this week.

One is Ciro Pellegrino, an Italian journalist working for the online site Fanpage. In an article, Pellegrino wrote that he received an email and a text message from Apple on Tuesday notifying him that he had been targeted with spyware. According to Pellegrino, the message also said he wasn’t the only person targeted.

Eva Vlaardingerbroek, a Dutch right-wing activist who posted on X, is the second person to receive an Apple notification.

It’s unclear what spyware campaign the Apple notifications relate to, if known. Last year, Apple notified users across dozens of countries on two occasions that they were targeted by unspecified spyware. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Apple, Engadget, Fanpage, iDrop News, Apple Must, KnowTechie, The Guardian

US defense contractors Raytheon and Nightwing Group agreed to pay the government $8.4 million to settle allegations that Raytheon violated the terms of a contract with the Defense Department by failing to provide ample cybersecurity protections.

According to the settlement agreement, from August 2015 through June 2021, the company’s CODEX division, short for Cyber Offense & Defense Experts, used a network that did not adhere to the government’s cybersecurity standards and which held non-classified defense information.

Raytheon, which does not admit to being at fault, allegedly failed to develop a “system security plan” describing security measures.

In May 2020, Raytheon allegedly informed government clients that the network was not in compliance with National Institute of Standards and Technology standards and that the company “was in the process of developing a robust system environment” that would replace it.

The settlement falls under the False Claims Act, a Civil War-era law that allows for civil damages against government contractors who violate the terms of their agreement. The law has been increasingly used as an enforcement mechanism to require contractors to live up to their cybersecurity obligations. (James Reddick / The Record)

Related: Justice Department, Federal News Network, EIN Press Wire

The RSA conference continued in full force on Thursday. The following are summaries of just some of the reports from the cyber industry's big event:

--North Korea’s ability to surreptitiously slip thousands of its workers into Fortune 500 companies was a main focus for cybersecurity professionals at this year’s RSA Conference. Multiple security experts said that despite months of reporting and law enforcement action, the public was still not aware of the scale of the campaign. Palo Alto Networks’ Sam Rubin said they had one client that, within 12 hours of posting a job, had at least one North Korean surreptitiously apply. (Jonathan Greig / The Record)

Related: Nicole Perlroth on LinkedIn

--Speaking at Cloudflare’s Trust Forward Summit, cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that most of the industry once considered unbreakable. (Greg Otto / Cyberscoop)

--Alexei Bulazel, the senior director for cyber at the White House’s National Security Council, said he wants to “destigmatize” offensive cyber operations, seeing them as a vital tool in the government’s playbook in its battle with foreign adversaries. (Greg Otto / Cyberscoop)

Related: NextGov/FCW, The Record

--Each year, top SANS faculty present at the RSA conference what their community of practitioners and researchers sees as the most pressing challenges facing the cybersecurity community for the year to come. This year, the most pressing challenges were authorization sprawl, ICS ransomware, nation-state ICS attacks, missing forensic artifacts, and AI regulation. (Becky Bracken / Dark Reading)

Related: SC Media, IT Pro

The National Cyber Security Center (NCSC), part of the Dutch Ministry of Justice, said that Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.

The NCSC noted that the attacks were claimed by the hacktivist group named NoName057(16) on the threat actor's Telegram channel.

Although the NCSC said the threat actor's motive is unclear, NoName057(16) declared it was retribution for the Netherlands sending €6 billion in military aid to Ukraine and planning to allocate another €3.5 billion in 2026.

The threat group's latest message on Telegram indicates that the attacks continue.

According to local media outlets, the DDoS attacks have impacted the provinces of Groningen, Noord-Holland, Zeeland, Drenthe, Overijssel, Noord-Brabant, and the municipalities of Apeldoorn, Breda, Nijmegen, and Tilburg. (Bill Toulas / Bleeping Computer)

Related: NCSC.nl, AD.nl


Kraken said it recently realized a North Korean hacker had applied for an engineering role at the US-based cryptocurrency exchange, and instead of rejecting the candidate, Kraken put them through its paces to "learn more about their tactics at every stage of the process."

"Our teams recently identified a North Korean hacker’s attempts to infiltrate our ranks by applying for a job at Kraken," the company said. "What started as a routine hiring process for an engineering role quickly turned into an intelligence gathering operation."

North Korea's involvement in crypto-related cybercrime is well documented. "Industry partners had tipped us off that North Korean hackers were actively applying for jobs at crypto companies," Kraken said.

"Instead of tipping off the applicant, our security and recruitment teams strategically advanced them through our rigorous recruitment process – not to hire, but to study their approach," said Kraken. "This meant putting them through multiple rounds of technical infosec tests and verification tasks, designed to extract key details about their identity and tactics."

During a live interview, Kraken said that its team managed to trip up the applicant with two-factor authentication prompts, "such as asking the candidate to verify their location, hold up a government-issued ID, and even recommend some local restaurants in the city they claimed to be in."

"At this point, the candidate unraveled," Kraken added. "Flustered and caught off guard, they struggled with the basic verification tests, and couldn’t convincingly answer real-time questions about their city of residence or country of citizenship. By the end of the interview, the truth was clear: this was not a legitimate applicant, but an imposter attempting to infiltrate our systems." (RT Watson / The Block)

Related: Kraken, Cointelegraph, Sky News, CCN, Cybernews, BeInCrypto, Coin Central, Decrypt

Researchers at F6 discovered that a financially motivated hacker group known as Hive0117 has launched a new phishing campaign targeting Russian companies across several industries using a modified version of the DarkWatchman malware.

The group has attacked media, tourism, biotechnology, finance, energy, and telecommunications firms.

F6 detailed recent activity involving phishing emails containing password-protected malicious archives. Once opened, the malware infected systems, allowing the hackers to record keystrokes, collect data, and deploy additional payloads.

It is unclear whether the latest attacks were successful or caused financial damage. Researchers previously said that the group’s activity dates back to at least February 2022 and does not appear to be linked to the ongoing cyber conflict between Russia and Ukraine. Hive0117's origins remain unknown.

In previous operations, the hackers impersonated legitimate organizations and targeted entities in Russia, Belarus, Lithuania, Estonia, and Kazakhstan. (Daryna Antoniuk / The Record)

Related: F6, SC Media, Security Affairs, Industrial Cyber

Graph analysis of the attack. Source: F6.

Microsoft announced that all new Microsoft accounts will be "passwordless by default" to secure them against password attacks such as phishing, brute force, and credential stuffing.

The announcement comes after the company started rolling out updated sign-in and sign-up user experience (UX) flows for web and mobile apps in March, optimized for passwordless and passkey-first authentication.

Microsoft says the best passwordless method will be enabled for each account and set as the default. The company also wants more customers to switch to passkeys, a more secure alternative to passwords that uses biometric authentication, such as fingerprints and facial recognition.

Once they're signed in, users will be prompted to enroll a passkey, and the next time they log into their accounts, they'll be asked to sign in with their passkey. (Sergiu Gatlan / Bleeping Computer)

Related: Microsoft, The Verge, Security Week, TweakTown, Tech Monitor, Tech Radar, NewsBytes, XDA

Microsoft passwordless sign-in. Source: Microsoft.

Researchers at Cisco Talos report that an entire cottage industry has formed around phishing attacks that bypass some of the most common forms of multifactor authentication (MFA), allowing even non-technical users to quickly create sites that defeat the protections against account takeovers.

Cybercriminals employ an attack technique known as adversary in the middle to defeat MFA. The technique is sold as phishing-as-a-service toolkits marketed in online crime forums under names like Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, and Mamba 2FA.

The products provide all the code someone needs to set up a proxy server that sits between the victim and the site they’re trying to log in to. The toolkits also provide templates for creating convincing-looking phishing pages.

The problem with these forms of MFA is that the codes themselves are phishable: they come in the form of numbers, and occasionally other characters, that are just as easy for the attacker to copy and enter into the real site as passwords are. The effect is the same if the MFA is based on push notifications, since the victim simply approves the prompt. And given the ease of using the phishing toolkits, even technical novices can create a legitimate-looking login page and a proxy server. (Dan Goodin / Ars Technica)

Related: Cisco Talos

Flow diagram illustrating MFA bypass using a reverse proxy. Source: Cisco Talos.
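An added illustration (not code from Cisco Talos, Microsoft, or any toolkit named above) of the point made in this item and in the Microsoft passkey item earlier: a one-time code is just digits that a relay can forward unchanged, while a passkey-style assertion carries the origin the browser actually saw, so the relying party rejects one that was produced on a look-alike domain. The origins, the user name, and the HMAC standing in for the passkey's signature are constructed assumptions.

```python
"""Toy model: a relayed one-time code passes, an origin-bound assertion does not.
Added illustration only; not code from Talos, Microsoft, or any toolkit."""
import hmac
import json
import secrets
import time

LEGIT_ORIGIN = "https://login.example.com"   # constructed: the real site
PHISH_ORIGIN = "https://login-example.com"   # constructed: look-alike proxy


class Server:
    """Relying party holding an OTP seed and one verification key per user."""

    def __init__(self):
        self.otp_seed = secrets.token_bytes(20)
        self.challenges = {}
        # Assumption: an HMAC key stands in for the passkey's public key. A real
        # RP verifies an asymmetric signature but checks the same fields.
        self.user_keys = {}

    def current_otp(self, step=None):
        step = int(time.time() // 30) if step is None else step
        mac = hmac.new(self.otp_seed, step.to_bytes(8, "big"), "sha1").digest()
        return f"{int.from_bytes(mac[-4:], 'big') % 10**6:06d}"

    def verify_otp(self, code):
        now = int(time.time() // 30)   # accept current and previous 30s window
        return any(hmac.compare_digest(code, self.current_otp(s)) for s in (now, now - 1))

    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify_assertion(self, user, client_data_json, signature):
        data = json.loads(client_data_json)
        if data.get("challenge") != self.challenges.pop(user, None):
            return False
        if data.get("origin") != LEGIT_ORIGIN:   # the origin binding: a relay fails here
            return False
        expected = hmac.new(self.user_keys[user], client_data_json.encode(), "sha256").digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key, challenge, browser_origin):
    """The browser records the origin it is actually on; the user cannot edit it."""
    client_data_json = json.dumps({"challenge": challenge, "origin": browser_origin})
    return client_data_json, hmac.new(key, client_data_json.encode(), "sha256").digest()


def otp_login_via_page(server, _page_origin):
    # The page origin is irrelevant: the code is digits with no notion of where
    # they were typed, so a relay forwards them unchanged and the server accepts.
    code = server.current_otp()   # victim reads this from their phone
    return server.verify_otp(code)


def passkey_login_via_page(server, user, browser_origin):
    challenge = server.new_challenge(user)   # a relay can forward the challenge...
    cdj, sig = authenticator_sign(server.user_keys[user], challenge, browser_origin)
    return server.verify_assertion(user, cdj, sig)   # ...but cannot change the signed origin


def demo():
    srv = Server()
    srv.user_keys["alice"] = secrets.token_bytes(32)   # constructed enrolment
    return {
        "otp_on_real_site": otp_login_via_page(srv, LEGIT_ORIGIN),
        "otp_via_proxy": otp_login_via_page(srv, PHISH_ORIGIN),
        "passkey_on_real_site": passkey_login_via_page(srv, "alice", LEGIT_ORIGIN),
        "passkey_via_proxy": passkey_login_via_page(srv, "alice", PHISH_ORIGIN),
    }
```

Only the last case fails, which is the whole reason passkeys are called phishing-resistant while OTP and push approvals are not.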

As the fallout from its recent data breach worsens at Korean telecom giant SK Telecom, the company will suspend new subscriber sign-ups starting next week to enhance customer protection services.

"From May 5, our 2,600 retail stores will halt new subscriptions and focus on replacing universal subscriber identity module (USIM) cards," Chief Executive Officer (CEO) Ryu Young-sang said.

"The suspension will remain in place until we establish measures to address the USIM supply shortage."

SK Telecom also said it has finalized administrative and technical processes to enroll digitally vulnerable individuals in its USIM Protection Service automatically. (Kim Boram / Yonhap News Agency)

Related: Mobile World Live, The Korea Herald, The Chosun Daily, Yonhap News Agency

Researchers at Socket discovered seven malicious PyPI packages that use Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution.

They reported their findings to the PyPI repository, resulting in the removal of the packages.

However, some of these packages were on PyPI for over four years, and based on third-party download counters, one was downloaded over 18,000 times.

The malicious functionality Socket discovered in these packages centers on covert remote access and data exfiltration through Gmail.

A related report published almost simultaneously by Sonatype focuses on a crypto-stealing package named 'crypto-encrypt-ts,' found in npm. That package, which persists on infected systems via cron jobs, only targets wallets with balances that surpass 1,000 units, attempting to snatch their private keys. (Bill Toulas / Bleeping Computer)

Related: Socket, Sonatype, HackRead

Cryptocurrency exchange Binance successfully recovered over $6.1 million in cryptocurrencies after the decentralized exchange KiloEx suffered an attack that resulted in the loss of around $7.5 million across various digital assets.

Binance CEO Richard Teng shared a post outlining the exchange’s role in recovering the stolen funds. According to the post, Binance’s security team acted swiftly once the exploit was detected and reported.

The embattled decentralized exchange had promised the hacker a bounty as a strategy to recoup the funds; the bounty rewards anyone who identifies flaws in KiloEx’s security infrastructure. In light of the new developments in the hack, the protocol created compensation plans for its users, including traders, Hybrid Vault stakeholders, and VIP users.

Payouts only cover losses incurred up to the point when KiloEx resumes trading, so users were advised to close their positions as soon as possible. (Godfrey Benjamin / Coinspeaker)

Related: Binance, TokenPost

In an April 30 memo signed by US Secretary of Defense Pete Hegseth, the Department of Defense said it wants new and existing defense contracts to give the Army the right to repair its own weapons, in a bid to save money and time by ending requirements to use original manufacturers for servicing.

The right to repair is expected to improve the Army's ability to maintain and upgrade its equipment, reducing reliance on original manufacturers and enhancing operational efficiency. (Jody Godoy and Mike Stone / Reuters)

Related: 404 Media, The Register, army.mil, US Department of Defense, Senator Elizabeth Warren, Electronic Frontier Foundation, Federal News Network

The US Central Intelligence Agency released two videos to recruit Chinese officials who might be disillusioned by their prospects in government to get them to share top secrets about China with the US.

The effort is part of CIA Director John Ratcliffe's broader strategy to boost intelligence collection on China, which has become Washington’s biggest competitor and adversary in areas such as artificial intelligence and quantum computing. The US also hopes to prevent Chinese military aggression against Taiwan.

The videos show potential recruits how to contact the agency securely. The first depicts a senior Chinese official who finds that despite his efforts to climb up the ranks, his family still lives in fear due to sweeping changes in government, leading him to contact the CIA.

In recent years, the Chinese leadership has embarked on an anti-corruption drive that has resulted in the dismissal of many senior officials. (Natalia Drozdiak / Bloomberg)

Related: New York Times, Business Insider, NBC News, Al Jazeera, The Guardian, CNN, Reuters, Time Magazine, Nikkei Asia

Identity security company Veza announced it had raised $108 million in a Series D funding round.

New Enterprise Associates (NEA) led the round with participation from new investors Atlassian Ventures, Workday Ventures, Snowflake Ventures, and existing investors, Accel, GV (Google Ventures), True Ventures, Norwest, Ballistic Ventures, J.P. Morgan, and Blackstone Innovations Investments. (Jordan Novet / CNBC)

Related: Business Wire, MSSP Alert, Silicon Angle, Security Week, FinSMEs

In Memoriam

Defense industry cyber champion Robert Metzger, considered the "godfather" of the Defense Department's CMMC (Cybersecurity Maturity Model Certification), passed away from cancer.

Best Thing of the Day: Stupid Is as Stupid Does

A photograph of a cabinet meeting held by Donald Trump revealed that Mike Waltz of SignalGate fame, who was until Thursday the US National Security Advisor, used an obscure and unofficial version of Signal designed to archive messages. This raises questions about what classification of information officials are discussing on the app and how that data is being secured.

Worst Thing of the Day: A Small Mind Proving Itself

Former CISA Director Chris Krebs' membership in the US border crossing Global Entry program has been revoked in what he believes is a petty, vengeful act by Donald Trump, who has targeted the highly respected former official for validating the security of the 2020 election.

Closing Thought
