Black Arrow Cyber Threat Intelligence Briefing 23 May 2025
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy-to-digest round-up of the most notable threats, vulnerabilities, and cyber-related news from the last week.
Executive Summary
The unfolding story of the recent incidents at the UK retailer Marks & Spencer (M&S) and others gives us insights into the risks faced by organisations in all sectors and locations. It is reported that M&S’ outsourced IT provider is conducting an internal investigation to establish if it was the main cause of the incident which has caused significant harm to the retailer. The Chief Executive of M&S is reported to be facing a loss of £1.1m in remuneration due to the attack, while the UK’s data protection authority is investigating the loss of personal information during the incident.
These factors of supply chain risks, regulatory investigations, and personal losses of senior leadership remind us of the need for all organisations to properly understand and manage their risks. The newly reported attack on food distributor Peter Green Chilled further highlights the need for robust due diligence and embedding cyber security requirements in supplier relationships.
Our review of threat intelligence highlights that despite long-standing guidance, many organisations still fail to act on basic protections. Regulators and insurers alike are now focusing more heavily on board-level accountability and cultural readiness, rather than purely technical defences. From conducting cyber attack drills to strengthening oversight structures, effective governance must be proactive, not reactive. HSBC’s admission that cyber security is now its single largest operational cost underscores just how strategic this issue has become.
Finally, the rise of infostealer malware, generative AI risks, and nation-state espionage campaigns such as APT28 are expanding the threat landscape. Black Arrow urges executives to conduct an impartial cyber risk assessment of their organisation, including their supply chain, and to ensure that this analysis and the resulting cyber security strategy are governed as part of the business-wide risk management.
Top Cyber Stories of the Last Week
M&S IT Contractor ‘Investigating Whether It Was Gateway for Cyber Attack’; M&S Chief Executive Faces £1.1M Pay Hit
Tata Consultancy Services is investigating whether it was the entry point for a recent cyber attack on UK retailer Marks and Spencer (M&S), which has forced the shutdown of M&S’s online clothing business for over three weeks. The breach resulted in customer data being stolen, wiped more than £750m off M&S’s market value, and could cost up to £300m in operating profit. M&S Chief Executive Stuart Machin faces a potential £1.1m loss in deferred bonuses and share-based incentives. M&S attributed the incident to human error at a third-party supplier. The UK’s data protection authority (ICO) is now assessing accountability, with potential fines of up to £17.5m. The case highlights growing concerns over third-party risks and the broader vulnerability of IT outsourcing partnerships to increasingly organised cyber crime.
https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0
https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e
Ransomware Attack on Food Distributor Spells More Pain for UK Supermarkets
A ransomware attack on UK chilled food distributor Peter Green Chilled has disrupted deliveries to major UK supermarkets, with fresh produce left in limbo and small businesses facing losses of up to £100,000. While transport operations continue, order processing was halted, and communication channels remain limited. The incident underscores the growing threat to supply chain resilience, as cyber criminals increasingly target operational systems to inflict maximum disruption. Experts warn that these attacks are no longer just data breaches but full-blown operational crises, with widespread financial and societal consequences, making investment in cyber resilience critical for the retail sector and its partners.
https://www.theregister.com/2025/05/20/ransomware_attack_on_food_distributor/
Businesses Ignore Advice on Preventing Cyber Attacks, Says GCHQ
Despite years of guidance, the National Cyber Security Centre, part of the UK’s GCHQ, warns that British organisations are still failing to act on freely available cyber security advice. Recent attacks on major retailers and government bodies have highlighted a growing gap between escalating risks and national readiness. Leaders are being urged to take immediate action, as regulatory pressure mounts through a proposed Cyber Resilience Bill aiming to improve supply chain security and grant stronger enforcement powers.
Executive Complacency Is the Most Dangerous Cyber Threat Today, Warns Insurance VP
Executive complacency is emerging as one of the most critical cyber security threats facing organisations today. While insurance and outsourced services can help, they do not absolve leadership of responsibility. Businesses that suffer a cyber attack may face not only operational downtime but also severe reputational damage, which can erode customer trust and long-term viability. Increasingly, insurers are expanding cover to address risks from non-technology vendors and reputational harm, but only where financial loss can be clearly demonstrated. Experts urge board-level engagement and regular risk assessments, with many tools now available to support benchmarking and proactive cyber resilience planning.
Cyber Security Now HSBC’s Largest Operational Cost
HSBC UK has confirmed that cyber security is now its largest operational expense, with hundreds of millions of pounds spent annually to defend against constant digital threats. The bank’s CEO highlighted that attacks are relentless, with over 1,000 transactions processed every second and around 8,000 IT changes made weekly. As customers increasingly rely on digital services, resilience and rapid recovery are critical. This comes as scrutiny intensifies across the financial sector, following widespread service outages and incidents linked to third-party software failures affecting major UK banks.
Best Practices for Board-Level Cyber Security Oversight
Corporate boards are under growing regulatory and operational pressure to strengthen their cyber security oversight. New US disclosure rules now require public companies to outline board-level governance, including how often cyber risks are reviewed, how incidents are reported, and how security is embedded into wider business strategy. Best practice calls for boards to maintain a dedicated oversight structure, meet with the CISO quarterly, and integrate cyber resilience into enterprise risk management. Regular briefings, external expertise, and realistic incident response protocols are essential to ensure accountability, reduce exposure, and support informed, agile decision-making in a dynamic threat landscape.
https://www.techtarget.com/searchsecurity/tip/Best-practices-for-board-level-cybersecurity-oversight
The Importance of Culture in an Effective Cyber Security Programme
A strong cyber security culture is as vital as technical controls in protecting an organisation. Success hinges on leadership fostering a security-first mindset, where all employees understand their role in safeguarding information. Open communication, regular training, and a non-punitive approach to incident reporting create an environment of shared responsibility. When security is embedded into daily operations and visibly supported by leadership, organisations are better equipped to respond to threats and reduce risk. As threats evolve, this cultural foundation enhances resilience and ensures that cyber security remains a collective and continuous priority across the business.
https://www.jdsupra.com/legalnews/the-importance-of-culture-in-an-8005006/
You Do a Fire Drill, so Do a Cyber Attack Drill
Recent cyber attacks on major British retailers have underscored that cyber security is not a luxury but a necessity for all businesses. The disruption caused has ranged from operational paralysis to reputational harm, with some customers even left without basic services. A key takeaway is that strong technology alone is not enough: cultural preparedness and leadership involvement are critical. Just as businesses conduct fire drills, cyber attack simulations should be standard practice. Organisations that fail to plan for continuity, train key personnel, and embed cyber security into contracts and culture risk serious legal, financial, and operational consequences.
https://www.scotsman.com/business/you-do-a-fire-drill-so-do-a-cyber-attack-drill-5137321
Many Rush into GenAI Deployments, Frequently Without a Security Net
Thales research shows that 70% of organisations now rank the rapid growth of generative AI (GenAI) as their top security concern, with many moving ahead before fully securing their environments. A third are already operationalising GenAI, often without a clear understanding of how it integrates with existing systems. Despite this, 73% are actively investing in AI-specific defences, including tools from cloud providers and emerging vendors. GenAI security has become the second-highest priority after cloud security. At the same time, organisations remain alert to evolving risks, including phishing and post-quantum threats, yet many are still lagging in implementing robust countermeasures.
https://www.helpnetsecurity.com/2025/05/22/genai-adoption-security-concern/
SMBs Remain Easy Pickings for Cyber Criminals – Here’s Why
Research shows that over half of UK businesses have suffered a cyber attack in the past five years, with small and medium-sized businesses (SMBs) particularly at risk due to limited budgets, overworked IT teams, and lack of staff training. These weaknesses have led to an estimated £3.4 billion in annual losses for UK SMBs alone. As cyber threats become more advanced, fuelled by artificial intelligence and accessible criminal tools like ransomware-as-a-service, organisations must invest in basic protections, clear policies, and realistic staff training. Without this, the average cost of a breach could escalate alongside reputational and operational damage.
https://www.techradar.com/pro/smbs-remain-easy-pickings-for-cybercriminals-heres-why
Your Information Was Probably Stolen Again: Researcher Discovers 184 Million Stolen Logins
A security researcher has uncovered a publicly exposed database containing over 184 million stolen login credentials from major platforms including Microsoft, Google and PayPal. The 47GB trove, believed to be collected via infostealer malware, included plaintext usernames, passwords and sensitive terms such as "bank" and "wallet", significantly raising the risk of financial fraud. Among the records were over 220 government email addresses spanning 29 countries, signalling potential national security implications. The incident highlights the ongoing threat posed by data harvested through phishing and malicious downloads, and underscores the critical importance of strong passwords, two-factor authentication and continuous monitoring.
Lumma Infostealer Infected About 10 Million Systems Before Global Disruption
LummaC2, a leading malware-as-a-service platform, infected approximately 10 million systems worldwide before a coordinated international takedown disrupted its operations. Used by cyber criminals to harvest sensitive data, including login credentials, financial information, and browser-stored details, the malware is linked to over $36 million in credit card theft in 2023 alone. Victims ranged from individuals to Fortune 500 companies across sectors such as healthcare, finance, and education. Although the group’s infrastructure has been dismantled, authorities warn that the threat may re-emerge, highlighting the ongoing need for vigilance and cross-sector collaboration to protect against sophisticated data theft operations.
https://cyberscoop.com/lumma-infostealer-widespread-victims/
Russia-Linked APT28 Targets Western Logistics Entities and Technology Firms
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a Russian state-sponsored group, APT28, is actively targeting Western logistics and technology firms supporting aid to Ukraine, posing a growing threat to NATO-aligned supply chains. Since 2022, organisations across 13 countries have been compromised, including those in defence, rail, and maritime sectors. The attackers used a mix of phishing, brute-force attacks, and exploitation of known software flaws to access systems, steal credentials, and exfiltrate sensitive shipment and personnel data. The campaign also leveraged live IP camera feeds near Ukraine’s borders. Authorities expect this espionage-focused activity to persist.
Governance, Risk and Compliance
Businesses ignore advice on preventing cyber attacks, says GCHQ
Jump in cyber attacks should put businesses on high alert | Computer Weekly
You do a fire drill, so do a cyber attack drill
Best practices for board-level cyber security oversight | TechTarget
Cyber attack threat keeps me awake at night, bank boss says - BBC News
Cyber Security now HSBC's largest operational cost | Mortgage Introducer
The Hidden Cyber Security Risks of M&A
The Importance of Culture in an Effective Cyber Security Program | Ankura - JDSupra
Threats
Ransomware, Extortion and Destructive Attacks
What we know about DragonForce ransomware • The Register
Scattered Spider snared financial orgs before retail • The Register
Service desks are under attack: What can you do about it?
Scattered Spider's Ties to Russia: Closer Than We Think?
3am Ransomware Adopts Email Bombing, Vishing Combo Attack
Ransomware gangs increasingly use Skitnet post-exploitation malware
LockBit Leaks Reveal Drive to Recruit Ransomware Newbies
Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang
Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access
Ex-NSA listened to Scattered Spider's calls: 'They're good' • The Register
Hackers are spreading fake password manager ransomware via Bing ads | PCWorld
VanHelsing ransomware builder leaked on hacking forum
Growing Number Of Targeted Businesses Paying Cyber Criminals, Survey Shows | Scoop News
New Ransomware Attack Mocking Elon Musk Supporters Using PowerShell to Deploy Payloads
Ransomware Victims
How hackers went undetected for 52 hours to cripple M&S
M&S chief executive faces £1.1mn pay hit after cyber attack
Ransomware strikes UK food distributor in latest retail blow • The Register
What we know about DragonForce ransomware • The Register
Service desks are under attack: What can you do about it?
Marks & Spencer faces $402 million profit hit after cyber attack
Why DragonForce is growing in prominence – with retailer attacks boosting its reputation | IT Pro
Investors and shoppers await clues on fallout from M&S cyber attack | Marks & Spencer | The Guardian
M&S cyber attack has cost £300m so far - and disruption will continue until July
Lawyers eyeing M&S cyber attack slammed as ‘predatory’ | The Grocer
UK businesses 'ignore free advice' to stop cyber attacks, GCHQ warns as M&S still reels... - LBC
M&S and Co-Op: BBC reporter on talking to the hackers - BBC News
'Cyber Siege' BBC documentary explores 'devastating' attack on council five years on - Teesside Live
Sensitive Personal Data Stolen in West Lothian Ransomware Attack - Infosecurity Magazine
Mobile carrier Cellcom confirms cyber attack behind extended outages
Kettering Health hit by system-wide outage after ransomware attack
Arla Foods confirms cyber attack disrupts production, causes delays
Phishing & Email Based Attacks
BERNAMA - Phishing And Online Scams Dominate Global Cyber Crime Landscape - INTERPOL
Polymorphic phishing attacks flood inboxes - Help Net Security
New Phishing Attack Mimic as Zoom Meeting Invites to Steal Login Details
Novel Phishing Attack Combines AES, Poisoned npm Packages
Russian Threat Actor TAG-110 Goes Phishing in Tajikistan
Business Email Compromise (BEC)/Email Account Compromise (EAC)
BERNAMA - Phishing And Online Scams Dominate Global Cyber Crime Landscape - INTERPOL
Other Social Engineering
Service desks are under attack: What can you do about it?
3am Ransomware Adopts Email Bombing, Vishing Combo Attack
AI voice hijacking: How well can you trust your ears? - Help Net Security
How to Win Followers and Scamfluence People | WIRED
Half of Consumers Targeted by Social Media Fraud Ads - Infosecurity Magazine
SIM scammer who helped hijack SEC X account put behind bars • The Register
Hacker Charged for Hijacking SEC Account to Promote Fake Bitcoin News
Fraud, Scams and Financial Crime
BERNAMA - Phishing And Online Scams Dominate Global Cyber Crime Landscape - INTERPOL
‘Free hamper – just pay P&P’: the scam offers targeting your bank details | Scams | The Guardian
How to Win Followers and Scamfluence People | WIRED
Half of Consumers Targeted by Social Media Fraud Ads - Infosecurity Magazine
Artificial Intelligence
Many rush into GenAI deployments, frequently without a security net - Help Net Security
Uncensored AI Tool Raises Cyber Security Alarms - Infosecurity Magazine
Mapping the Future of AI Security - Security Boulevard
Data Security Risk: Analysis of AI Tools Reveals 84% Breached | Security Magazine
AI voice hijacking: How well can you trust your ears? - Help Net Security
How to Win Followers and Scamfluence People | WIRED
Security Threats of Open Source AI Exposed by DeepSeek
Be careful what you share with GenAI tools at work - Help Net Security
Finding the right balance between 'vibe coders' and security - IT Security Guru
GitLab's AI Assistant Opened Devs to Code Theft
Meta plans to train AI on EU user data from May 27 without consent
Irish DPC okays Meta's EU AI training plans • The Register
2FA/MFA
What is Universal 2nd Factor (U2F)? | Definition from TechTarget
Malware
Lumma infostealer infected about 10 million systems before global disruption | CyberScoop
Malware Evasion Techniques - What Defenders Need to Know
100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads
Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access
Novel Phishing Attack Combines AES, Poisoned npm Packages
Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs
Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain | Trend Micro (US)
Warning! Malicious Chrome extensions found mimicking legit tools | PCWorld
Feds finger Russian 'Qakbot mastermind', 700k computers hit • The Register
What Is a Computer Virus, Really?
Bots/Botnets
Hackers unleash botnet capable of ‘killing most companies’ | The Independent
Mobile
Phone theft is on the rise - 7 ways to protect your device before it's too late | ZDNET
How to hack a phone: 7 common attack methods explained | CSO Online
O2 UK patches bug leaking mobile user location from call metadata
Say goodbye to passwords: Android’s bold security shift explained - Talk Android
Denial of Service/DoS/DDoS
Internet of Things – IoT
Growing Cyberthreats To The Internet Of Things
Why console makers can legally brick your game console - Ars Technica
Data Breaches/Leaks
Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials | WIRED
M&S faces multimillion-pound lawsuit over cyber attack data leak - Retail Gazette
M&S’ Slow Recovery From Cyber Attack Puts it at Risk of Lasting Damage
Legal Aid Agency Warns Lawyers, Defendants on Data Breach
Solicitors criticise ‘antiquated’ Legal Aid Agency IT system after cyber attack | The Independent
M&S CEO faces multimillion-pound pay hit after cyber attack - Retail Gazette
Legal Aid cyber attack 'more extensive than originally understood'
M&S cyber attack has cost £300m so far - and disruption will continue until July
Lawyers eyeing M&S cyber attack slammed as ‘predatory’ | The Grocer
Large Retailers Land in Scattered Spider's Ransomware Web
UK businesses 'ignore free advice' to stop cyber attacks, GCHQ warns as M&S still reels... - LBC
More Law Firms Join the Surge of Class Action Lawsuits Against Coinbase in Wake of Cyber Attack
Coinbase confirms insider breach affects 70,000 users • The Register
Cyber attack on Legal Aid Agency exposed ‘significant amount’ of applicant data - LBC
11 Of The Worst Data Breaches In The History Of The Internet
Report: Over 50% of top oil and gas firms hit by data breaches in last 30 days | World Pipelines
Debt Collector Data Breach Affects 200,000 Harbin Clinic Patients - Infosecurity Magazine
Lessons from the M&S cyber attack: how brands can survive digital catastrophe | Creative Boom
Coca-Cola workers' info allegedly stolen by hackers | Cybernews
GitLab's AI Assistant Opened Devs to Code Theft
Organised Crime & Criminal Actors
BERNAMA - Phishing And Online Scams Dominate Global Cyber Crime Landscape - INTERPOL
LockBit Leaks Reveal Drive to Recruit Ransomware Newbies
‘Free hamper – just pay P&P’: the scam offers targeting your bank details | Scams | The Guardian
The cyber criminals are now doing PR | PR Week UK
How to Win Followers and Scamfluence People | WIRED
European Union sanctions Stark Industries for enabling cyber attacks
Attacker Specialization Puts Threat Modeling on Defensive
SIM scammer who helped hijack SEC X account put behind bars • The Register
Hacker Charged for Hijacking SEC Account to Promote Fake Bitcoin News
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hacker Charged for Hijacking SEC Account to Promote Fake Bitcoin News
Hackers use fake Ledger apps to steal Mac users’ seed phrases
Coinbase confirms insider breach affects 70,000 users • The Register
Identity Security Has an Automation Problem—And It's Bigger Than You Think
Insider Risk and Insider Threats
Coinbase confirms insider breach affects 70,000 users • The Register
Identity Security Has an Automation Problem—And It's Bigger Than You Think
Insurance
UK Retail Cyber Attacks May Drive Up US Insurance Premiums
Supply Chain and Third Parties
UK supermarket distributor suffers ransomware attack - BBC News
Third-party vendors responsible for 41.8% of fintech data breaches, survey claims
NHS England Rolls Out Voluntary Cyber Charter for IT Suppliers
Cloud/SaaS
10 SaaS Security Risks Most Organisations Miss | Grip - Security Boulevard
Outages
Delta’s lawsuit against CrowdStrike given go-ahead • The Register
Mobile carrier Cellcom confirms cyber attack behind extended outages
Identity and Access Management
Exposed Credentials: Powering the Global Cyber Crime Wave
Modern authentication: Why OIDC and SAML are just the start - Security Boulevard
Identity Security Has an Automation Problem—And It's Bigger Than You Think
Encryption
Preparing for the post-quantum era: a CIO's guide to securing the future of encryption | CyberScoop
Governments continue losing efforts to gain backdoor access to secure communications
Passwords, Credential Stuffing & Brute Force Attacks
Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials | WIRED
Warning — Stealing Windows Passwords Is As Easy As APT 123
Exposed Credentials: Powering the Global Cyber Crime Wave
Social Media
Meta plans to train AI on EU user data from May 27 without consent
Irish DPC okays Meta's EU AI training plans • The Register
Malvertising
Half of Consumers Targeted by Social Media Fraud Ads - Infosecurity Magazine
Hackers are spreading fake password manager ransomware via Bing ads | PCWorld
Regulations, Fines and Legislation
Japan arms itself against foreign cyber attacks with new law
GDPR Changes Risk Undermining its Principles, Civil Society Warns - Infosecurity Magazine
NSA cyber director Luber to retire at month’s end | The Record from Recorded Future News
Governments continue losing efforts to gain backdoor access to secure communications
Japan passed a law allowing preemptive offensive cyber actions
FTC finalizes order requiring GoDaddy to secure hosting services
CVE Disruption Threatens Foundations of Defensive Security
Members vexed by Cyber Command turmoil - Roll Call
Models, Frameworks and Standards
GDPR Changes Risk Undermining its Principles, Civil Society Warns - Infosecurity Magazine
NCC Group Expert Warns UK Firms to Prepare for New Cyber Security Bill - Infosecurity Magazine
Collaboration is key in the Cyber Assessment Framework | UKAuthority
Inside MITRE ATT&CK v17: Smarter defences, sharper threat intel - Help Net Security
Cyber Security Now Central to Digital Health M&A Success
Data Protection
Meta plans to train AI on EU user data from May 27 without consent
Irish DPC okays Meta's EU AI training plans • The Register
Careers, Working in Cyber and Information Security
UK Cyber Vacancies Growing 12% Per Year - Infosecurity Magazine
Why so many military veterans move into cyber security - BBC News
Law Enforcement Action and Take Downs
Lumma infostealer infected about 10 million systems before global disruption | CyberScoop
Police takes down 300 servers in ransomware supply-chain crackdown
Police arrests 270 dark web vendors, buyers in global crackdown
Feds finger Russian 'Qakbot mastermind', 700k computers hit • The Register
SIM scammer who helped hijack SEC X account put behind bars • The Register
Hacker Charged for Hijacking SEC Account to Promote Fake Bitcoin News
US Navy petty officer charged in horrific CSAM case • The Register
Teen to plead guilty to PowerSchool extortion attack • The Register
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
From 60 to 4,000: NATO's Locked Shields Reflects Cyber Defence Growth - SecurityWeek
China
Chinese hackers breach US local governments using Cityworks zero-day
Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
Chinese ‘kill switches’ found in US solar farms
Russia
Russia-linked APT28 targets western logistics entities and technology firms
Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits - Infosecurity Magazine
Nation-state APTs ramp up attacks on Ukraine and the EU - Help Net Security
Scattered Spider's Ties to Russia: Closer Than We Think?
Unpacking Russia's cyber nesting doll - Atlantic Council
Europe sanctions Putin's pals over 'hybrid' threats • The Register
Russia to enforce location tracking app on all foreigners in Moscow
U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cyber Crime Operation
Russian Threat Actor TAG-110 Goes Phishing in Tajikistan
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Tools and Controls
You do a fire drill, so do a cyber attack drill
100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads
Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs
Finding the right balance between 'vibe coders' and security - IT Security Guru
Lessons from the M&S cyber attack: how brands can survive digital catastrophe | Creative Boom
NCSC Helps Firms Securely Dispose of IT Assets - Infosecurity Magazine
Modern authentication: Why OIDC and SAML are just the start - Security Boulevard
Threat intelligence is crucial but organisations struggle to use it
The hidden gaps in your asset inventory, and how to close them - Help Net Security
How to Develop & Communicate Metrics for CSIRPs
Warning! Malicious Chrome extensions found mimicking legit tools | PCWorld
What is Universal 2nd Factor (U2F)? | Definition from TechTarget
Identity Security Has an Automation Problem—And It's Bigger Than You Think
GitLab's AI Assistant Opened Devs to Code Theft
AI hallucinations and their risk to cyber security operations - Help Net Security
What good threat intelligence looks like in practice - Help Net Security
Other News
SMBs remain easy pickings for cyber criminals - here’s why | TechRadar
From 60 to 4,000: NATO's Locked Shields Reflects Cyber Defence Growth - SecurityWeek
Cyber security: Lack of planning and outdated IT systems putting Scotland at risk
Healthcare Cyber Attacks Intensify, Sector Now Prime Target - Infosecurity Magazine
Cyber attack threat keeps me awake at night, bank boss says - BBC News
How to safeguard your small business in the hybrid work era: 5 top cyber security solutions | ZDNET
UK 'extremely dependent' on the US for space security • The Register
Why shipping can’t wait for another cyber security crisis - Splash247
German Cyber Agency Sounds Warning on Grid Vulnerabilities
UK Science Funding HQ hit by 5.4M cyber assaults as attacks increase 600%
Vulnerability Management
Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits - Infosecurity Magazine
Nation-state APTs ramp up attacks on Ukraine and the EU - Help Net Security
CVE Disruption Threatens Foundations of Defensive Security
Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers - SecurityWeek
NIST's LEV Equation to Rate Chances a Bug Was Exploited
Vulnerabilities
Same suspected Chinese spies again attacking Ivanti bugs • The Register
Ivanti RCE attacks 'ongoing,' exploitation hits clouds • The Register
NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch - SecurityWeek
Critical OpenPGP.js Vulnerability Allows Spoofing - SecurityWeek
GitLab, Atlassian Patch High-Severity Vulnerabilities - SecurityWeek
Unpatched Windows Server Flaw Threatens AD Users
Cisco Patches High-Severity DoS, Privilege Escalation Vulnerabilities - SecurityWeek
Mozilla fixed zero-days demonstrated at Pwn2Own Berlin 2025
Windows 10 emergency updates fix BitLocker recovery issues
Multiple pfSense Firewall Vulnerabilities Let Attackers Inject Malicious Codes
RCE Vulnerability Found in RomethemeKit For Elementor Plugin - Infosecurity Magazine
O2 UK patches bug leaking mobile user location from call metadata
Critical Zero-Days Found in Versa Networks SD-WAN/SASE Platform - Infosecurity Magazine
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Links to articles are for interest and awareness; linking to or reposting external content does not endorse any service or product. Likewise, we are not responsible for the security of external links.