The JLR Cyber-attack – a bigger issue than most realise

Unless you’ve been living under a rock for the last couple of months, you can’t fail to have heard about the cyber-attack that hit Jaguar Land Rover (JLR) in the last week of August.

In this post, I will try to explain the timeline of the attack, what’s happened, and the knock-on effect it is having – not only within JLR, but throughout the wider automotive industry.

How it started

The first external signs of the attack that has since plagued Britain’s largest automotive employer appeared on the last Sunday of August 2025. Managers at Jaguar’s plant in Halewood, Merseyside told industry contacts there might have been an incident resulting from an attack. At that time, however, it was not clear what the extent of the incident was.

That extent became more obvious the next morning as workers attempted to start their shifts – JLR became acutely aware that this was a major incident. The Liverpool Echo reported on that Monday that JLR workers at the Halewood plant were told to stay at home as a result of an ongoing cyber-incident.

The incident has since halted JLR’s global production: staff at its factories in the UK, Slovakia, Brazil and India have all been told to stay at home, and production is not expected to restart until the 24th September at the earliest.

JLR’s global production line has ground to a halt – A huge problem for JLR and its parent company Tata Group, as this now affects many thousands of employees in many countries.

Many analysts are saying that the attack looks like it was timed to coincide with one of the automotive industry’s busiest days – 1st September – the second of the year’s two days for new vehicle registrations and, traditionally, the busier of the two (the other being in March).

JLR sites across the world

Jaguar Land Rover operate numerous sites across the world, as shown below:

Assembly plants

Halewood, Merseyside – Used for Land Rover production. Originally a Ford assembly plant, Halewood was given to Jaguar in 2000 for production of the X-Type. Ford still own the transmission operation at Halewood

Lode Heath, Solihull, West Midlands – The main JLR assembly plant – used for production of the Land Rover, Range Rover, and the Jaguar XE and F-Pace models.

Pune, India – Used for assembly of the Jaguar XF, Range Rover Evoque, and Velar ranges

Changshu, China – This is the plant co-operated by JLR and Chery and manufactures parts for the Range Rover Evoque, Land Rover Discovery, Jaguar XE, and Jaguar XF

Itatiaia, Brazil – Used for the manufacture of parts for the Range Rover Evoque and Land Rover Discovery

Nitra, Slovakia – Used to manufacture the Land Rover Discovery and the Land Rover Defender

Research & Development

Gaydon, Warwickshire – Engineering & Development centre and home to the Jaguar heritage museum

Whitley, Coventry – Headquarters of Jaguar Land Rover, and the main research & development site

Pressed steel panel production

Castle Bromwich, Birmingham – Originally the home of all Jaguar production, but now used for the production of pressed steel body components for cars built in other locations across the world

Engine Assembly

Wolverhampton, West Midlands – The i54 site in Staffordshire is where the modular diesel & petrol engines are built for most JLR models.

Changshu, China

Ryton-on-Dunsmore, Warwickshire – Home of the SVO – Special Vehicle Operations centre

Co-operations

Graz, Styria, Austria – Home of the Magna Steyr Fahrzeugtechnik GmbH & Co KG automobile manufacturer who builds vehicles on behalf of various marques.

Recovery and assistance

A statement from UK trade body the Society of Motor Manufacturers and Traders (SMMT) confirms that the UK government is helping the effort to recover JLR’s IT systems and production lines.

As well as aiding moves to restart production, government cyber experts from NCSC are helping to assess “any impacts on the supply chain”, which workers’ union Unite claimed on Wednesday was on the brink of collapsing.

The SMMT statement said: “The recent cyber incident is having a significant impact on Jaguar Land Rover and on the wider automotive supply chain. The government, including government cyber experts, are in contact with the company to support the task of restoring production operations, and are working closely with JLR to understand any impacts on the supply chain.”

Automotive industry analysts have estimated that the attack could be costing JLR in excess of £5 million a day in lost revenue and in expenses such as wages and loans. The knock-on effects on the wider supply chain, however, could be even more devastating, as many smaller suppliers could go bust from a lack of a working supply chain.

For the employees, things are becoming even more grim, and Unite said that many employees are being told to apply for Universal Credit as they are moved onto zero-hours contracts by those employers in an attempt to stay afloat.

Unite general secretary Sharon Graham said the union has written to the UK government demanding it set up a furlough scheme to take the pressure off suppliers by supplementing workers’ pay packets while they’re unable to do their jobs.

Graham went on to say, “Workers in the JLR supply chain must not be made to pay the price for the cyber attack. It is the government’s responsibility to protect jobs and industries that are a vital part of the economy.”

Whodunnit?

On the 3rd of September, the hacking group Scattered Lapsus$ Hunters claimed responsibility for the attack on JLR – Scattered Lapsus$ Hunters is the same group of hackers that attacked Marks & Spencer in May, causing seven weeks of disruption and costing £300 million in lost operating profit.

The attack against Marks and Spencer came about after the hacking gang gained access to the retailer’s systems via Tata Consultancy Services (TCS) by social engineering their way into their systems. If this is the case, then it poses an even bigger problem for JLR’s owners Tata Motors, part of Tata Group, and owners of TCS.

TCS has a five-year, £800m contract with JLR agreed in 2023. The partnership planned to “rapidly transform, simplify, and manage JLR’s digital and IT estate, supporting its broader strategic business transformation”. TCS runs large parts of JLR’s key computer systems, ranging from its networks to data connections, and, crucially, its cybersecurity.

Part of JLR’s Reimagine strategy required more flexible software to enable the carmaker to produce Range Rovers in precisely the configuration demanded by the global rich paying £120,000 plus – all while retaining the efficiency of a high-volume factory.

One of TCS’s jobs was to manage the upgrade of JLR factory systems to the latest software from the German company SAP. That software was vital to managing production of vehicles and getting parts to the right place at the right time, as well as the “handshake” systems that link to other suppliers.

Scattered Lapsus$ Hunters claimed to have obtained customer data from JLR after exploiting a flaw in JLR’s SAP NetWeaver software. This claim was made on a Telegram messenger group, where a member of the group posted a screenshot that appeared to show some of JLR’s internal systems.

A video with JLR published on TCS’s website shows the TCS president of manufacturing, Anupam Singhal, highlighting “smart factories where everything is connected” to try to “remove waste” and use artificial intelligence to “avoid plant downtime”.

The fact that “everything is connected” in JLR’s systems appears to have been the major factor in the attack. When JLR discovered the intrusion, it was unable to isolate factories or functions, forcing it to shut down its global operations and leading to the state it is currently in. That state is set to continue to cause disruption in the global automotive supply chain for many weeks to come.

Who are Scattered Lapsus$ Hunters?

The hacking group is one of a number of such groups which came out of a decentralised hacking network known as “The Community,” or “The Com,” which had been previously linked to high-profile attacks on more than 130 companies, including MGM Resorts, Clorox and cryptocurrency exchange Coinbase.

Groups such as ShinyHunters and Lapsus$ focused on theft, extortion and service disruption, while Scattered Spider deployed ransomware for data extortion. All these groups primarily used social engineering tactics such as SIM-swapping and phishing to target their victims.

ShinyHunters targeted Google, Cisco and Salesforce using voice phishing, whereas retailers Marks & Spencer and Co-op were targeted through social engineering, impersonating IT help desk staff. The hacking group deployed the DragonForce ransomware to encrypt their victims’ networks.

Law enforcement agencies have increased their crackdown on the groups and their members. A key figure, 20-year-old Noah Michael Urban (A.K.A. “King Bob,” “Sosa,” “Elijah,” and “Gustavo Fring”), received a 10-year prison sentence from a Jacksonville, FL federal judge after earlier pleading guilty to conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.

In July, UK law enforcement arrested four suspected Scattered Spider members for their roles in the Marks & Spencer and Co-op hacks. In November 2024, Canadian police arrested another Scattered Spider member – Alexander Moucka (A.K.A. “Waifu,” “Judische,” “Catist” and “Ellyel8”) – on charges tied to stealing terabytes of data from clients of cloud-based data warehousing platform Snowflake, potentially under the Scattered Spider banner.

Back in 2022, Moroccan police arrested French national Sébastien Raoult (A.K.A. “Sezyo”) at an airport in Morocco. He was later extradited to the U.S., sentenced to three years in prison and ordered to pay more than $5 million in restitution for committing wire fraud and aggravated identity theft.

In light of these crackdowns and subsequent arrests, the group declared a ceasefire.

In a message on its since-shut-down Telegram channel, Scattered Lapsus$ Hunters said that it will no longer be running, saying: “Silence will now be our strength.”

The group said that though more companies may disclose breaches or hacks from the group, the cyber gang is no longer active.

“You may see our name in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some government agencies, including highly secured ones, that does not mean we are still active.

We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark. Our objectives having been fulfilled, it is now time to say goodbye,” the message said.

The message also mentioned the group members that have been arrested, with the gang expanding “our regrets to their relatives, and apologising for their sacrifice.”

“Any State needs its scapegoat. Those carefully selected targets are the last collateral victims of our war on power, and the use of our skills to humiliate those who have humiliated, predate those who have been predated. We have ensured that the investigations targeting them will progressively fall apart, and that their mild vanity peccati will not inflict on them, long term consequences.”

Are they really gone?

Industry experts doubt that the group has ceased operations, and suggest the statement is merely a ploy to divert law enforcement or to tone down the group’s sudden high profile.

Cian Heasley, principal consultant at Acumen Cyber, said: “It’s more likely members are having internal disagreements around how to proceed under the threat of prison time, how high a profile they want to maintain in the media and the cybercrime underground and whether to lie low until the dust settles.”

Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, called the announcement more “tactical than conclusive,” likely intended to “lower their profile, or test reactions.”

“Unless there are clear signs – like long-term silence on their channels, known personas disappearing, or takedown notices from service providers – we should treat this as a claim that may or may not reflect their actual operational status.”