Cyber Threats to UK Food Supply Chain
Cyber Threats Targeting the UK Food Supply Chain
Recent cyber attacks on the UK food supply chain and logistics sector have underscored significant vulnerabilities in this critical infrastructure. A detailed review of incidents since early 2022, particularly a series of attacks between February and May 2025, highlights the evolving nature of these threats, the actors involved, and their substantial impact on businesses and consumers. The food sector has become an attractive target, with clear implications for national security.
Notable Cyber Incidents in the UK Food & Logistics Sector
The period in Spring 2025 witnessed a series of disruptive attacks. In mid-April 2025, Marks & Spencer (M&S) suffered a severe ransomware/extortion attack that crippled systems, suspending online orders and click-and-collect for around three weeks and affecting contactless payments. To contain the breach, M&S took food supply systems offline, leading to temporary food shortages and empty shelves in some stores. Attackers also accessed significant customer data.
Shortly after M&S, The Co-op Group detected a similar intrusion and preemptively shut down IT systems to prevent ransomware deployment. While this action, described by attackers as Co-op "yanking their own plug," prevented encryption, it still caused significant short-term disruption, including empty shelves and payment issues. Attackers stole personal data of up to 20 million customers while inside the network.
In mid-May 2025, Peter Green Chilled, a crucial cold-chain distributor supplying major supermarkets, was hit by a ransomware attack. This attack halted warehouse management and ordering systems, resulting in a backlog of fresh goods and reports of thousands of packs of meat at risk of spoilage due to delivery delays.
These incidents follow earlier attacks since 2022, including:
•KP Snacks (Feb 2022): A Conti ransomware attack disrupted IT systems and threatened delays in deliveries of crisps and nuts.
•Yodel (Jun 2022): Parcel delivery operations were disrupted for days by a suspected ransomware attack, impacting logistics including grocery deliveries.
•Royal Mail (Jan 2023): A LockBit ransomware attack caused severe disruption to international mail exports, halting shipments for days and affecting critical logistics.
Other incidents have affected food producers, wholesalers, and retailers, indicating that attackers have targeted various points from agricultural suppliers to grocery store networks. The increasing reliance on digitised systems means a breach can swiftly halt operations across the chain.
Threat Actors and Tactics
The overwhelming majority of these attacks are attributed to financially motivated cybercriminal groups, primarily ransomware gangs. Groups implicated include Conti, LockBit, and Scattered Spider. Scattered Spider, identified in the M&S and Co-op attacks, is noted for its sophistication, particularly its use of clever social engineering tactics to impersonate company staff and bypass security measures like multifactor authentication. Once access is gained, these groups often escalate privileges and exfiltrate data before deploying ransomware, a tactic known as double extortion. Scattered Spider reportedly refers to their ransomware as "DragonForce".
Many of these groups, such as Conti and LockBit, operate from or have strong ties to Russia and Eastern Europe. While their primary motivation is financial gain, their activities can align with hostile state interests by causing economic and social disruption in rival countries. Attackers often specifically target "time-sensitive" sectors like food distribution because the urgency driven by perishable goods and just-in-time delivery pressures increases the likelihood of a quick ransom payment.
While other actors like hacktivists exist, predominantly conducting less disruptive DDoS attacks, criminal ransomware and extortion crews pose the most significant immediate cyber threat to food and logistics organisations.
Potential Foreign State Actor Involvement
Officially, UK authorities maintain that the food sector attacks appear to be the work of cybercriminals rather than direct nation-state cyber warfare. The Spring 2025 retail attacks have not been publicly attributed to any government. However, UK intelligence and cyber security leaders caution that the distinction between criminal and state-aligned activity can be ambiguous.
Hostile states, including Russia, are increasingly using technology dependence against Western countries to cause disruption, specifically targeting critical national infrastructure (CNI), which includes food supply chains. The UK's security services view attacks on infrastructure as potentially part of a hybrid warfare strategy. While state-sponsored APT groups have primarily focused on Ukraine and military targets since the war began, officials have not ruled out the possibility of these groups targeting food supply in Western countries as tensions persist. The NotPetya incident in 2017, perpetrated by Russian military hackers, demonstrated how a state attack could cascade into global logistics paralysis, serving as a stark warning. China is also mentioned as a state actor, although its primary interest in food/logistics might be focused on espionage and supply chain mapping rather than immediate disruption.
In summary, while known attacks are attributed to criminal groups, the strategic backdrop of heightened international tensions and the potential for state tolerance or encouragement of criminal groups targeting CNI means the risk of a deliberate state-backed attack on UK food supply, or a state-inspired criminal act, cannot be entirely dismissed.
Government and Expert Commentary
UK cyber and intelligence officials have been vocal about the severe threat to CNI, including the food sector. The NCSC describes the risk as "widely underestimated" and notes a "widening gap" between threats and defenses. The NCSC CEO labelled the recent retail attacks a "wake-up call to all organisations". Parliamentary committees, such as the Joint Committee on National Security Strategy, explicitly link the retail hacks to national security, highlighting that disruption leading to empty shelves and unfulfilled deliveries affects local communities and the economy. Former and current MI5 leaders recognise that "food is part of our national security" and advocate for greater resilience. The NCSC actively engages with the food industry and conducts exercises simulating supply chain attacks, underscoring the sector's importance.
International Context
The UK's experience is part of a global trend of cyber attacks on food and logistics sectors.
•JBS Foods (Global, 2021): A ransomware attack on the world's largest meat processor forced plant shutdowns in multiple countries, threatening supply and increasing prices.
•Kaseya/Coop Sweden (2021): A supply-chain attack via an IT provider crippled hundreds of Swedish Coop grocery stores, leaving shoppers facing closed stores.
•Bakker Logistiek (Netherlands, 2021): A ransomware attack on a major food logistics company led to shortages of certain foods, such as cheese, in Dutch supermarkets.
•Dole Food Company (Global, 2023): R...