David Shipley: The food supply is a glaring cybersecurity weakness we aren't fixing
If you want to know how seriously Canada takes cyber defence, we spent two years on a bill that we accidentally invalidated via a parliamentary clerical error.
By: David Shipley
Cyber attacks in the United Kingdom and Europe are crippling grocery chains and food distribution companies, leaving company CEOs in shock and store shelves bare. It’s the type of crime story that seems ripped out of the pages of a William Gibson cyberpunk dystopia — disaffected teens lured into cybercrime online and using leased Russian cyber weapons to wreak havoc on everyday life.
But it’s not the stuff of fiction — it’s the last few weeks of living nightmares for grocery chains and customers, and it’s a warning for North America. We could be next.
And in a way, actually, we were first.
Not that we cared.
The U.K. crisis started over a month ago on the Easter Weekend when U.K. retail and grocery giant Marks and Spencer (M&S) reported a cyber-attack that shut down its online ordering system, online payments, and led to empty shelves in stores. Marks and Spencer is the fastest-growing U.K. retail and grocery chain, of about the same size as Canada’s Empire Co., which runs the Sobeys chain.
This is why North America was a prologue of sorts: Empire suffered its own major cyber-attack in late 2022. That one cost the chain more than $50 million on top of losses covered by its cyber insurance. It probably should’ve been a warning globally. It wasn’t. As is frequently the case in the Mad Max-like online world we now live in, it led to the collective shrug that seems to be our societal default response to the single largest, fastest-growing area of crime on the planet.
Back to the British: The Marks and Spencer attack is estimated to have cost the company more than $500 million so far, and is still unfolding — online ordering is still offline, and may be for months to come. But that was just the beginning. A few days after Marks and Spencer shut down, Co-op, another major U.K. retail and grocery chain, shut its IT systems down after it realized attackers were inside its systems. This led, hilariously, to the attackers claiming that the Co-op shutting down the systems and kicking them out was worse than what they would have done.
In the weeks since, both companies have been struggling to resume normal operations (though Co-op does seem to be getting back on its feet). In the meantime, the British papers have been running photos from the U.K. that seem like scenes from the apocalypse, with grocery stores stripped bare of inventory.
The attacks didn’t stop there. Storied retailer Harrods was also hit, along with a major chilled and frozen food distributor called Peter Green Chilled. They serve not only Marks and Spencer and Co-op, but a number of the U.K.’s other grocery and retail giants, including Asda, Morrison’s, Sainsbury’s, Tesco, and Waitrose. Across the Channel, in mid-May, a major German dairy co-op was hit by ransomware.
For those in the cybersecurity, and national security, fields, these kinds of incidents set off all kinds of alarm bells. Modern food distribution systems are incredibly complex. Because food is perishable, the entire system is designed to be as efficient as possible — it is the ultimate “just-in-time delivery” use case. Food is obtained (fruit picked, animals slaughtered, grains harvested, etc), processed, packaged, transported and then sold, sometimes across continental or even global distances, in mere days.
There is virtually no slack in the system — a disruption of a day or two (caused by bad weather, a traffic accident, and the like) can be absorbed, but much more than that and things get dicey. There is some resiliency in the mix — dry bulk goods have longer shelf lives than dairy or fresh fruit — but overall, our kitchen tables are the last stop on a fantastically intricate supply chain that can stretch thousands of kilometres around the world.
Some of you have probably heard of the concept of “nine missed meals from anarchy.” This is what we’re talking about. Avoiding those kinds of scenarios requires hugely sophisticated logistics and inventory management systems and professionals. The amount of energy — computational, physical, intellectual — required to keep billions of people fed is basically inconceivable. Any disruption to any of these systems is a threat to the integrity of the system as a whole. Targeting a country’s food distribution networks should be seen as akin to targeting its communication facilities or its energy grid — an extremely serious threat against a very vulnerable system that countless millions depend on for survival.
And yet, so far …. not so much.
Police in the U.K. are looking at a loosely affiliated group of primarily teenage males in the U.K. and the U.S. known collectively as Scattered Spider as the primary suspects. For those who don’t live and breathe the cyber-nerd obsession with naming these criminal groups, it’s become vogue to give each one their own cool brand and, in some cases, collectible keepsakes.
It’s hard to keep up with the Scattered Spiders, Fancy Bears, Salt Typhoons — that’s the name for the Chinese state-sponsored crew that ran completely through the entire U.S. telecommunications sector in the past year. But Scattered Spider has had some big hits in the past few years. They’ve been credited with the major takedowns of both Caesar’s Palace and MGM in Las Vegas, gaining millions in extortion payments and causing hundreds of millions in damages.
Police believe the teens at Scattered Spider were using the DragonForce ransomware platform. The DragonForce group, active since 2023, has hit hundreds of victims and rebranded itself in March as a cybercrime cartel. Cybersecurity intelligence firms say it’s not crystal clear where the group is based, but they’re noted as Russian-speaking, promote themselves on the largest Russian cybercrime marketplace, and have a ban on attacks on members of the Russia-aligned former Soviet Union Commonwealth of Independent States.
And of course, a rival ransomware group has accused DragonForce of working with Russia’s FSB intelligence unit. So, there’s that.
But right now, that’s about it. We don’t really know who did it. And we aren’t sure if they’ll strike again, though that’s likely. Google’s cybersecurity researchers say the group behind the European retail and grocery store carnage has now turned its attention to the United States (and one can safely assume, Canada).
Which leads us to the sad state of affairs in the True North.
Canada failed to pass even basic cybersecurity legislation for federally regulated critical infrastructure before the fall of the Trudeau government. After dragging their heels (which arguably wasn’t unique to cyber issues) for more than two years, the last-minute sprint to royal assent was botched when the Senate noticed a clerical error that invalidated large parts of the bill and had to send it back to Parliamentary committee for re-approval prior to a House vote. (This actually happened. I’m not making that up.)
But, thanks to the proroguing of Parliament, that went nowhere.
It’s yet to be seen if cyber is at all on Prime Minister Mark Carney’s radar, but considering it’s not mentioned once in the one mandate letter, the odds aren’t great.
And even if the federal government does resurrect the doomed cyber legislation, it only focused on federally regulated financial institutions, telecommunications, transportation, and energy transmission. Grocery and retail don’t make the critical infrastructure cut and will likely be left to the provinces, which means nothing will happen in most of the country.
But if the price of eggs can influence U.S. presidential elections, and the cost of groceries continues to increase despite inflation easing in other areas of the economy, our political class would be wise to watch this rising threat to everyday Canadians. We know it can happen — because it has happened. And we also know, sadly, that we have done very, very little to defend ourselves in this field, or to build in resilience, either at the macro level, or even just at the family level.
Which is wild, when you think about it, and proof of just how much this miracle of modern logistics is taken for granted. We no longer think it’s weird to be eating a fresh salad and munching on ripe bananas and pineapple in the darkest depths of a Canadian winter. We just assume that’s normal.
It’s not. It’s a major vulnerability. People get weird and angry when they can’t get food and essentials. Might be time to make sure we’re as resilient as possible so that a gang of teens with Russian cyber weapons doesn’t cause a political earthquake, or worse.
Or you can shrug your shoulders. But you can’t say you weren’t warned.
David Shipley is co-founder and CEO of Beauceron, a Canadian cybersecurity company.
Welcome to the internet economy that has no meaningful security, no forethought of the consequences of failure and no one who cares. It's one thing to have your Amazon account hacked so you can't order a part for your vacuum cleaner but another thing entirely when your bank account is compromised or critical infrastructure like food or electricity supply is threatened. We're drowning in data yet all it serves to do is generate more complexity and longer response times without delivering any benefit. Computers were originally designed to serve humanity but we now realize that humanity is serving computers.
I'm of two minds about this: cybersecurity continues to be an issue that doesn't get sufficient attention, but government regulation is going to be of limited benefit. Regulation is going to help raise awareness of the issue (by forcing organizations to address it), but can rapidly become a hindrance when regulators try to prescribe requirements: they aren't actually the experts and are often poorly placed to understand the trade-offs between cost and risk inherent in implementing cybersecurity.
Cybersecurity isn't a new problem. There are a number of industry standards like the ISO27000 series, IEC62344, and ISO/SAE 21434 for automotive applications. There's a large industry supporting cyber solution development. The problem has been that a lot of organizations continue to be unaware of the risk or don't pay enough attention to the risk until it bites them hard. Given the potential societal and economic impacts of cyberattacks, there's a good argument for government regulation mandating organizations to do something. I think regulators need to defer to industry on exactly what they should do, and how much cybersecurity is sufficient.
An area where governments *really* should get involved is in fighting cyber crime. Law enforcement organizations need to resource investigation of these crimes; the legal system needs to develop tools and approaches to prosecute them. Again, the problem is a general lack of awareness of the problem.