The Spar wholesaler is counting the cost after 300-plus stores were affected

Spar wholesaler James Hall was broadsided by a cyberattack last week, which affected more than 300 of the stores it supplies across the north of England.

The impact was severe. Some had to close, while others that could remain open were taking cash only as the “major IT outage” affected credit card payments. Even the wholesaler’s website and staff emails were downed as James Hall pulled the rest of its network offline while it investigated the raid.

To add insult to injury, the Lancashire-based firm confirmed the attack had a ransom motive – meaning the attackers had encrypted its data and demanded payment to release it. It did not disclose whether it had paid, or whether it would.

But the bigger question is: how did hackers perform what DigitalXRaid CEO Rick Jones calls such a “well-orchestrated” attack? And how can such attacks be prevented?

Most such attacks begin in one of two ways. One, phishing, lures a target into clicking a link or opening an attachment in an email. The other is exploiting a vulnerability in internet-facing server infrastructure, or, as Jones puts it, a “back door” into the IT system. (A third route, stolen or weak remote-access credentials for services such as VPN or RDP, is also common, but neither technique above rules it out here.)

The latter is likely how the attackers got into James Hall’s network, according to Jones. They would have targeted a vulnerability in a server – a weakness or flaw in software, hardware or organisational processes – and exploited it to gain access to internal systems, which run anything from stock control to logistics.


Experts say weakness probably lay in a too-centralised IT infrastructure

According to Jones, “the hacker would have completed some reconnaissance” of James Hall’s internal systems to identify the best point in the infrastructure to “deploy the ransomware for maximum devastation.” The more damage, the bigger the fee.

It seems probable this was the cardholder data environment (CDE) – the systems that process and store credit card information – since payments by card were disrupted during the attack. The evidence is circumstantial, though: card terminals would have failed just as readily once James Hall took its network offline and cut the stores’ route to the payment gateway.

“Our assumption is that this was targeted specifically because they knew it was going to be the widest affecting service to go for,” adds Jones.

It hit so many stores because “Spar’s vulnerability probably came from having a centralised infrastructure, relying on an application which represented a ‘single point of failure’,” says Shopware UK lead Justin Biddle. By attacking that one point, they could cripple them all, he adds.

The defence against such an attack is to establish a more “decentralised infrastructure” that allows individual stores to continue operating even if others are down, according to Biddle.

‘Defence in depth’

DigitalXRaid’s Jones agrees: “Organisations should avoid a flat network architecture and implement well-defined separation policies. This can be the difference between one compromised device, and a whole network breach.”

Segmenting the network in this way is one layer of what the National Cyber Security Centre calls ‘defence in depth’: stacking independent controls so that defenders get more opportunities to detect malware, and to stop it, before it causes real harm.


Of course, software infrastructure isn’t the only potential source of vulnerability. Humans can give hackers a way in too.

“People within an organisation need to be trained and made aware of cyber security,” says Simon Walsh, senior sales engineer at Trend Micro. “Even if you’re somebody working at a store and have access to emails, you can still be a part of that attack chain.”

Other prevention strategies include running an ‘always on’ security operations centre to detect and contain attacks quickly, and keeping regular backups of your most important data – held offline or otherwise out of reach of an attacker who has the network, and tested by actually restoring from them.

“James Hall is in the disaster recovery world now, so it will be dusting off playbooks, looking at recovery techniques and its backup strategies,” adds Jones.

Valuable advice – and not only for James Hall. Because, as other food businesses, from Tesco to JBS and the Coop in Sweden have discovered, it’s not ‘if’ a business will be cyberattacked, it’s ‘when’.