Retail under siege

United Natural Foods Inc. (UNFI), the primary supplier for Whole Foods and over 30,000 North American retailers, disclosed a cyberattack on 9 June that forced parts of its network offline, disrupting order fulfillment and deliveries. News reports indicate that workarounds are in place, but operational impacts are ongoing, exposing vulnerabilities in supply chain infrastructure.

This incident comes hot on the heels of a spate of attacks on major UK retailers. Recent publications state that Marks and Spencer has already reported a £300 million disruption, coupled with stolen customer data, after Easter weekend, while Co-op has confirmed data exposure and major outages at over 2,300 stores. Harrods also suffered network disruptions in May, triggering retail security alerts in both the UK and US.

These breaches show that even large and mature organisations are vulnerable. If distributors and retailers with advanced cyber defences can be knocked offline, every enterprise needs robust business continuity and cyber resilience planning.

Active Directory is mission critical

Behind most modern retail systems lies Active Directory. It handles logins, identity and access across warehouses, point of sale terminals, customer relationship systems and cloud services. If AD fails or is compromised, users are locked out, systems stop functioning and business grinds to a halt.

AD is not just another system on the network. It is the authority for access control, policy enforcement and identity governance. It is also a common target. The majority of human-operated ransomware campaigns involve compromising domain controllers to gain privileged access. Once AD is under attacker control, the attacker can pivot across systems, deploy malware, disable security tooling and exfiltrate data.

In product distribution, outages have physical effects. If drivers cannot access schedules or warehouse systems cannot validate shipments, real-world deliveries fail. A compromised AD domain can turn into a complete halt in real-world operations.

Resilience is about being ready before the attack

The explosive rise in retail sector attacks shows you cannot rely on luck. AD outages can take days or weeks to restore. Just ask Maersk after the NotPetya outbreak in 2017: rebuilding its wiped directory from the single backup that survived took nine days. That is time an organisation cannot afford in real-world operations.

UNFI and the UK retailers are emerging from similar disruptions. Marks and Spencer had to switch to manual processes, and Co-op backfilled stock through contingency lanes. Recovery took weeks, even for the largest retailers. Smaller enterprises would be devastated, which means that a robust backbone of preventive controls and tested AD recovery plans is absolutely essential.

Five immediate steps sysadmins MUST take

1. Audit AD security regularly

Perform AD health reviews to uncover stale accounts, rogue delegation, weak ACLs and over-privileged service accounts. Leverage continuous monitoring with tools like Security Guardian for early detection of account abuse before disaster strikes, while keeping an audit trail of changes across on-premises and hybrid directories.

2. Reduce the blast radius of compromise

Restrict domain admin access. Rotate privileged account credentials regularly. Enforce strong authentication on all elevated users. Retire legacy protocols such as NTLM, and remove exceptions to LDAP signing, wherever possible. Configure Group Policy to prevent lateral movement and enforce credential isolation for privileged sessions. AD must be treated as a Tier Zero asset, not just another Windows service.
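The checks in steps 1 and 2 can be scripted. The following is an added example, not code from Quest Software or its Security Guardian product: an offline audit of user objects that flags stale accounts, unconstrained delegation, service accounts sitting in Tier Zero groups, and privileged accounts that are not marked sensitive, not in Protected Users, or whose passwords have not been rotated. The sample objects are constructed; the Tier Zero group list and the day thresholds are assumptions to tailor to your forest.

```powershell
# Added example (not Quest's or Security Guardian's code). The $sample set below is
# constructed; in a live domain feed the function with
#   Get-ADUser -Filter * -Properties lastLogonTimestamp,pwdLastSet,userAccountControl,servicePrincipalName,memberOf
# Tier Zero group names and thresholds are assumptions.

$UF_DONT_EXPIRE_PASSWD     = 0x10000   # userAccountControl bits as documented by Microsoft
$UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
$UF_NOT_DELEGATED          = 0x100000  # "account is sensitive and cannot be delegated"
$TierZeroGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-AdAccountFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [int] $StaleDays = 90,                # no logon for this long => stale
        [int] $MaxPrivPasswordAgeDays = 30,   # rotation window for privileged credentials
        [datetime] $Now = [datetime]::UtcNow
    )
    foreach ($a in $Accounts) {
        $findings = @()
        # memberOf holds distinguished names; keep only the CN for comparison
        $groups = @(foreach ($dn in @($a.memberOf)) { if ($dn) { ($dn -split ',')[0] -replace '^CN=', '' } })
        $isPriv = @($groups | Where-Object { $_ -in $TierZeroGroups }).Count -gt 0
        $hasSpn = @($a.servicePrincipalName | Where-Object { $_ }).Count -gt 0
        $uac    = [int]$a.userAccountControl

        # lastLogonTimestamp / pwdLastSet are Windows file times (100 ns ticks since 1601)
        $lastLogon = if ($a.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($a.lastLogonTimestamp) } else { $null }
        if ($a.Enabled -and ($null -eq $lastLogon -or ($Now - $lastLogon).TotalDays -gt $StaleDays)) {
            $findings += 'StaleAccount'
        }
        if ($uac -band $UF_TRUSTED_FOR_DELEGATION) { $findings += 'UnconstrainedDelegation' }
        if ($hasSpn -and $isPriv) { $findings += 'PrivilegedServiceAccount' }   # SPN-bearing account with Tier Zero rights
        if ($isPriv) {
            if (-not ($uac -band $UF_NOT_DELEGATED)) { $findings += 'PrivNotMarkedSensitive' }
            if ('Protected Users' -notin $groups)     { $findings += 'PrivNotInProtectedUsers' }
            if ($uac -band $UF_DONT_EXPIRE_PASSWD)    { $findings += 'PrivPasswordNeverExpires' }
            $pwdSet = if ($a.pwdLastSet) { [datetime]::FromFileTimeUtc($a.pwdLastSet) } else { $null }
            if ($null -eq $pwdSet -or ($Now - $pwdSet).TotalDays -gt $MaxPrivPasswordAgeDays) { $findings += 'PrivPasswordStale' }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Account = $a.SamAccountName; Findings = ($findings -join ', '); Groups = ($groups -join '; ') }
        }
    }
}

# Constructed sample: a healthy admin, a stale contractor, a SQL service account in Domain Admins,
# and an application account with unconstrained delegation.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-jsmith'; Enabled = $true; userAccountControl = 0x100200;
        lastLogonTimestamp = $now.AddDays(-1).ToFileTimeUtc(); pwdLastSet = $now.AddDays(-10).ToFileTimeUtc();
        servicePrincipalName = @(); memberOf = @('CN=Domain Admins,CN=Users,DC=corp,DC=example', 'CN=Protected Users,CN=Users,DC=corp,DC=example') }
    [pscustomobject]@{ SamAccountName = 'contractor7'; Enabled = $true; userAccountControl = 0x200;
        lastLogonTimestamp = $now.AddDays(-240).ToFileTimeUtc(); pwdLastSet = $now.AddDays(-300).ToFileTimeUtc();
        servicePrincipalName = @(); memberOf = @('CN=Sales,OU=Groups,DC=corp,DC=example') }
    [pscustomobject]@{ SamAccountName = 'svc-sql'; Enabled = $true; userAccountControl = 0x10200;
        lastLogonTimestamp = $now.AddDays(-2).ToFileTimeUtc(); pwdLastSet = $now.AddDays(-900).ToFileTimeUtc();
        servicePrincipalName = @('MSSQLSvc/db01.corp.example:1433'); memberOf = @('CN=Domain Admins,CN=Users,DC=corp,DC=example') }
    [pscustomobject]@{ SamAccountName = 'svc-legacyapp'; Enabled = $true; userAccountControl = 0x80200;
        lastLogonTimestamp = $now.AddDays(-5).ToFileTimeUtc(); pwdLastSet = $now.AddDays(-50).ToFileTimeUtc();
        servicePrincipalName = @('HTTP/legacy.corp.example'); memberOf = @() }
)
Get-AdAccountFindings -Accounts $sample -Now $now | Format-Table -AutoSize
```

On the constructed sample the report lists contractor7 as stale, svc-sql with five privileged-account findings, and svc-legacyapp for unconstrained delegation; adm-jsmith produces no row. The same function run over real Get-ADUser output gives a first-pass list for the remediation in step 2, with the Tier Zero hygiene checks (sensitive flag, Protected Users, password age) reported separately from plain staleness so they can be prioritised.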

3. Monitor AD for attacker activity

If an attacker makes a change in AD, you want to know about it. Unexpected membership changes to key groups, suspicious Kerberos ticket requests or mass account lockouts are signs of compromise. Security Guardian can detect these behaviours in real time across on-premises and hybrid environments. Early detection is critical to preventing lateral movement or the deployment of ransomware.
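The three indicators named above can be expressed as detection logic over Security log events. The block below is an added example, not Quest's or Security Guardian's code: it runs over constructed records shaped like Get-WinEvent output (Id, TimeCreated, and a Data hashtable of the EventData fields) and raises an alert for a member added to a key group, for a burst of distinct account lockouts, and for a burst of RC4-encrypted service-ticket requests from one principal. The key-group list, thresholds, and the sample events are assumptions.

```powershell
# Added example (not Quest's or Security Guardian's code). Records here are constructed;
# with real events from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728,4732,4756,4740,4769 }
# populate Data from ([xml]$event.ToXml()).Event.EventData.Data first. Thresholds are assumptions.

$KeyGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Find-AdAttackIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $LockoutThreshold = 10,   # distinct accounts locked out within $WindowMinutes
        [int] $TgsThreshold = 20,       # RC4 service-ticket requests by one principal within $WindowMinutes
        [int] $WindowMinutes = 10
    )
    $alerts = [System.Collections.Generic.List[object]]::new()
    function Add-Alert($Time, $Type, $Detail) {
        $alerts.Add([pscustomobject]@{ Time = $Time; Type = $Type; Detail = $Detail })
    }

    # 1. Member added to a key group: 4728 (global), 4732 (domain local), 4756 (universal)
    foreach ($e in ($Events | Where-Object { $_.Id -in 4728, 4732, 4756 })) {
        if ($e.Data.TargetGroup -in $KeyGroups) {
            Add-Alert $e.TimeCreated 'KeyGroupMemberAdded' "$($e.Data.SubjectUser) added $($e.Data.Member) to $($e.Data.TargetGroup)"
        }
    }

    # 2. Mass lockouts: many distinct accounts (4740) inside one sliding window
    $lockouts = @($Events | Where-Object { $_.Id -eq 4740 } | Sort-Object TimeCreated)
    for ($i = 0; $i -lt $lockouts.Count; $i++) {
        $end = $lockouts[$i].TimeCreated.AddMinutes($WindowMinutes)
        $users = @($lockouts[$i..($lockouts.Count - 1)] | Where-Object { $_.TimeCreated -le $end } |
                   ForEach-Object { $_.Data.TargetUser } | Sort-Object -Unique)
        if ($users.Count -ge $LockoutThreshold) {
            Add-Alert $lockouts[$i].TimeCreated 'MassLockout' "$($users.Count) accounts locked out within $WindowMinutes min (first: $($users[0]))"
            break
        }
    }

    # 3. Burst of RC4 (0x17) service-ticket requests (4769) by a single requester.
    #    Real events carry the type as the string '0x17'; the [int] cast handles both forms.
    $rc4 = @($Events | Where-Object { $_.Id -eq 4769 -and [int]$_.Data.TicketEncryptionType -eq 0x17 })
    foreach ($g in ($rc4 | Group-Object { $_.Data.RequestingUser })) {
        $sorted = @($g.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
            $inWindow = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            if ($inWindow.Count -ge $TgsThreshold) {
                $services = @($inWindow | ForEach-Object { $_.Data.ServiceName } | Sort-Object -Unique)
                Add-Alert $sorted[$i].TimeCreated 'RC4TicketBurst' "$($g.Name) requested RC4 tickets for $($services.Count) services"
                break
            }
        }
    }
    return $alerts
}

# Constructed sample: one benign group change, one key-group change, 12 lockouts in 4 minutes,
# and 25 RC4 service-ticket requests by one user within 25 seconds.
$t0 = [datetime]'2025-06-09T08:00:00'
$events = [System.Collections.Generic.List[object]]::new()
$events.Add([pscustomobject]@{ Id = 4728; TimeCreated = $t0; Data = @{ SubjectUser = 'helpdesk1'; Member = 'CN=svc-tmp,CN=Users,DC=corp,DC=example'; TargetGroup = 'Domain Admins' } })
$events.Add([pscustomobject]@{ Id = 4728; TimeCreated = $t0.AddMinutes(1); Data = @{ SubjectUser = 'helpdesk1'; Member = 'CN=asmith,CN=Users,DC=corp,DC=example'; TargetGroup = 'Sales' } })
foreach ($n in 1..12) { $events.Add([pscustomobject]@{ Id = 4740; TimeCreated = $t0.AddSeconds(20 * $n); Data = @{ TargetUser = "user$n"; CallerComputer = 'WS-017' } }) }
foreach ($n in 1..25) { $events.Add([pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddSeconds($n); Data = @{ RequestingUser = 'jdoe@CORP.EXAMPLE'; ServiceName = "app$n"; TicketEncryptionType = 0x17 } }) }

Find-AdAttackIndicators -Events $events | Format-Table -AutoSize
```

On the sample this yields three alerts (KeyGroupMemberAdded, MassLockout, RC4TicketBurst) and ignores the Sales group change. The sliding window matters for the last two rules: a handful of lockouts or RC4 requests spread over a day is normal in most estates, a burst inside ten minutes is not, so the thresholds should be set from a baseline of your own logs rather than copied from here.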

4. Prepare an AD specific recovery workflow

Generic backup solutions are often insufficient. Active Directory requires careful orchestration of system state and metadata across domain controllers. Deterministic backup and restore are vital. Solutions like Recovery Manager for Active Directory Disaster Recovery Edition automate forest restoration and reduce recovery times from days to hours with minimal error.

5. Validate and practise your recovery plan

Backups are meaningless without practice. Conduct regular AD restoration drills in a sandbox or controlled failover scenario. Verify you can rebuild domain controllers, recover Group Policy objects and reinitiate replication seamlessly. Refine documentation and simple runbook steps until your team can act confidently under pressure.
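For steps 4 and 5, the following is an added example, not Quest's code and not Recovery Manager for Active Directory: a minimal drill script that takes a system state backup of a domain controller with the built-in wbadmin, and a post-restore health check a runbook can require before the forest is declared recovered. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and $ExpectedGpoCount is a placeholder for the GPO baseline recorded in your own documentation.

```powershell
# Added example (not Quest's product code). Assumes RSAT ActiveDirectory and GroupPolicy
# modules and the Windows Server Backup feature (Install-WindowsFeature Windows-Server-Backup).
# $ExpectedGpoCount is a placeholder for your documented baseline.

function Invoke-DcSystemStateBackup {
    param([Parameter(Mandatory)] [string] $Target)   # e.g. 'E:' or '\\backupsrv\dc-backups'
    # System state on a DC includes the NTDS database, SYSVOL and the registry
    & wbadmin.exe start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

function Test-AdPostRestoreHealth {
    param([Parameter(Mandatory)] [int] $ExpectedGpoCount)
    Import-Module ActiveDirectory, GroupPolicy
    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check($Name, $Ok, $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = $Detail })
    }

    # FSMO role holders must exist and answer; a restored forest with an orphaned role is not healthy
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles  = @($forest.SchemaMaster, $forest.DomainNamingMaster, $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    $unreachable = @($roles | Sort-Object -Unique | Where-Object { -not (Test-Connection -ComputerName $_ -Count 1 -Quiet) })
    Add-Check 'FSMO holders reachable' ($unreachable.Count -eq 0) ($roles -join ', ')

    # Replication: every DC should report zero failures after replication is reinitiated
    $dcs = @(Get-ADDomainController -Filter *)
    $failures = @()
    foreach ($dc in $dcs) { $failures += @(Get-ADReplicationFailure -Target $dc.HostName) }
    Add-Check 'No replication failures' ($failures.Count -eq 0) "$($failures.Count) failure(s) across $($dcs.Count) DC(s)"

    # SYSVOL and NETLOGON must be shared on each DC, otherwise Group Policy cannot apply
    foreach ($dc in $dcs) {
        $shares = @(Get-CimInstance -ClassName Win32_Share -ComputerName $dc.HostName | Select-Object -ExpandProperty Name)
        Add-Check "SYSVOL/NETLOGON on $($dc.HostName)" (('SYSVOL' -in $shares) -and ('NETLOGON' -in $shares)) ($shares -join ',')
    }

    # GPO inventory should match the documented baseline taken before the drill
    $gpoCount = @(Get-GPO -All).Count
    Add-Check 'GPO count matches baseline' ($gpoCount -eq $ExpectedGpoCount) "found $gpoCount, expected $ExpectedGpoCount"
    return $checks
}

# Drill usage (run on a DC in the sandbox or failover environment):
#   Invoke-DcSystemStateBackup -Target 'E:'
#   ... restore into the isolated lab, then:
#   Test-AdPostRestoreHealth -ExpectedGpoCount 42 | Format-Table -AutoSize
```

The function returns one row per check so the drill result can be written to the runbook record rather than eyeballed. It complements, not replaces, the native diagnostics: run dcdiag and repadmin /replsummary on the restored controllers as well, and treat any failing row as a blocker for ending the drill.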

The edge between survival and shutdown

As the UNFI breach and high-profile UK retailer incidents show, identity infrastructure is now the frontline of operational continuity. Once breached or disrupted, it can immobilise shelving, logistics, payments and customer services. Resilience planning is not optional. It is mission critical.

System administrators must ask themselves:

  • Do you have trustworthy backups of all AD partitions?
  • Do you know how to rebuild your domain controllers from clean images?
  • Have you verified your recovery tools and staff skills in real world drills?

If you can answer yes to all three questions, you are prepared to recover from an incident. If not, you are exposing your organisation to unacceptable risk.

All enterprises must treat Active Directory as critical infrastructure with the same seriousness as their servers or databases. Audit your AD, engineer robust privilege controls, invest in identity recovery tools and practise full restoration. Your next attack may be lurking out there already.

About the Author

Aaron Smith

With over 12 years of experience in cybersecurity, including a distinguished career in HM Forces, Aaron Smith serves as a Cyber Security Consultant at Quest Software. His expertise spans security architecture, digital forensics, and incident response, underpinned by certifications such as GIAC Incident Handler and FOR518.
