【CyCraft Monthly Intelligence】Jaguar Land Rover Cyberattack: Impact and Technique Analysis

Threat and Impact

In late August 2025, Jaguar Land Rover (JLR) suffered a large-scale cyberattack. After confirming the breach on September 1st, JLR deactivated its global IT systems to contain the attack's expansion. Manufacturing plants under the JLR Group across the UK, Slovakia, Brazil, India, and other locations were completely shut down for five weeks.

JLR reported that critical systems were forced offline, including production line controls, design and development, and dealer ordering systems. Even email and CAD/PLM equipment were temporarily paralyzed.

The Scattered Lapsus$ Hunters group claimed responsibility for this attack on Telegram and leaked screenshots of JLR's internal IT systems. The channel has since been terminated. Multiple sources consistently indicated that their extortion and leak activities in October 2025 relied directly on BreachForums' domain, which was subsequently seized by U.S. and French law enforcement.

Analyst Perspective

Scattered Lapsus$ Hunters is a cybercrime alliance that suddenly emerged in mid-2025. It is an alliance of three notorious threat actors: Scattered Spider, LAPSUS$, and ShinyHunters. The alliance maintains a clear division of labor: Scattered Spider specializes in initial access, LAPSUS$ focuses on extortion and amplification (generating public notoriety), and ShinyHunters excels in large-scale data harvesting and sales on the dark web.

Scattered Lapsus$ Hunters maintains a highly public presence on Telegram, where they post intrusion results and leaked data to pressure victim organizations while taunting law enforcement. These tactics serve to further escalate the scale and impact of their attacks.

Incident Description

The comprehensive business disruption cost JLR approximately £50 million per week, with UK official estimates placing the economic damage at £1.9 billion (approximately NT$78.8 billion), making this the most costly cyberattack incident in British history. Hundreds of suppliers were forced to lay off workers or cease operations, and upstream and downstream industries including auto parts supply and maintenance services were severely affected. The UK government urgently intervened with support, providing £1.2 billion in loans to maintain supply chain stability.

Recent attacks associated with the Scattered Lapsus$ Hunters hacker alliance include:

  • 2025: Successive Salesforce breaches and large-scale extortion incidents
  • 2024: ShinyHunters data theft and sales activities, breaching cloud platforms including Snowflake and Salesforce
  • 2023: Scattered Spider ransomware incidents, primarily targeting U.S. Caesars Entertainment and MGM Resorts

Technical Details

No samples are available for this incident. Because similar attacks commonly use ALPHV/BlackCat ransomware, the following behavioral descriptions and analysis are provided for reference.

Initial Access

  • T1566.002 – Phishing: Spearphishing Link
    Collect employee information through social media and send phishing emails containing malicious links that, when clicked, initiate the attack chain.
  • T1078 – Valid Accounts
    Intercept multi-factor authentication (MFA) to steal valid account credentials and gain legitimate access to internal systems.
  • T1598 – Phishing for Information
    Covertly gather personal information from platforms like LinkedIn and GitHub for subsequent social engineering.
  • T1592.002 – Gather Victim Identity Information: Employee Names
    Target engineering departments to collect identity and role associations, creating targeted attack lists.

Execution

  • T1059.001 – Command and Scripting Interpreter: PowerShell
    Use PowerShell scripts for execution and lateral movement within the internal network.
  • T1569.002 – System Services: Service Execution
    Launch malicious programs using legitimate system services or existing remote agents.

Persistence

  • T1078.004 – Valid Accounts: Cloud Accounts
    Use credentials to maintain persistent control over cloud platforms like Salesforce and Jira.

Privilege Escalation

  • T1068 – Exploitation for Privilege Escalation
    Exploit SAP NetWeaver vulnerabilities (CVE-2025-31324/CVE-2025-42999) to gain higher system privileges.

Defense Evasion

  • T1036 – Masquerading
    Impersonate administrators or IT personnel to confuse defense systems.
  • T1070.001 – Indicator Removal on Host: Clear Windows Event Logs
    Use wevtutil to clear event logs.
  • T1070.004 – Indicator Removal on Host: File Deletion
    Use vssadmin, bcdedit, and wmic to delete backups and snapshots.
  • T1027 – Obfuscated Files or Information
    Execute activities using legitimate tools (PowerShell, RDP, SMB) to evade detection.

Lateral Movement

  • T1021.001 – Remote Services: Remote Desktop Protocol (RDP)
    Move laterally across internal systems via RDP.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares
    Leverage SMB shares to distribute ransomware and tools.

Command and Control (C2)

  • T1090.003 – Proxy: Multi-hop Proxy/TOR
    Conceal C2 traffic through TOR tunnels, blending into normal network communications.
  • T1105 – Ingress Tool Transfer
    Download additional tools or modules from external C2 hosts.

Exfiltration

  • T1041 – Exfiltration Over C2 Channel
    Exfiltrate large volumes of data through C2 channels.
  • T1567.002 – Exfiltration to Cloud Storage
    Upload stolen data to cloud storage and use the threat of a data leak to coerce victims.

Impact

  • T1491.002 – Defacement: Internal Defacement/Data Leak Extortion
    Publicly release internal system screenshots and data to pressure victims for ransom.

Mitigation

Isolate suspicious hosts and block suspicious external connections

  • Investigate EDR logs
  • Attackers commonly use TOR/C2 and high-volume external traffic to exfiltrate stolen data or simultaneously control multiple machines.

Revoke exposed credentials and API tokens

  • Force logout, reset passwords, revoke API tokens, and clear OAuth authorizations for accounts proven or suspected to be compromised (including third-party or partner accounts).
  • Patch SAP NetWeaver and other service vulnerabilities (CVE-2025-31324/CVE-2025-42999).

Monitor SMB connection behavior

  • Configure alerts for abnormal high-volume SMB connections.
  • Regularly rotate service or administrative account passwords and check for lateral password reuse.
  • Block unnecessary SMB access, especially from endpoints to servers.
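The two checks above (alerting on abnormal high-volume SMB and restricting endpoint-to-server SMB) can be run over ordinary flow records. The following is an added example, not code from CyCraft or from the report: it parses constructed flow lines, flags any source that reaches many distinct hosts on TCP/445 inside a sliding window, and separately lists endpoint-originated SMB to anything other than a designated file server. The address ranges, the file-server address and the allow-listed backup server are assumptions for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed address plan (hypothetical): endpoints and servers in separate ranges.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Endpoint SMB is only expected toward the designated file server (assumed address).
ALLOWED_ENDPOINT_SMB_TARGETS = {"10.20.1.10"}
# Sources that legitimately touch many hosts over SMB, e.g. a backup server (assumed).
ALLOWED_FANOUT_SOURCES = {"10.20.0.5"}

# Constructed flow records (hypothetical): "<iso-time> <src> <dst> <dport> <bytes>"
SAMPLE_FLOWS = """\
2025-09-01T02:00:01 10.10.4.21 10.20.1.10 445 4096
2025-09-01T02:00:05 10.10.4.21 10.10.4.30 445 2048
2025-09-01T02:00:09 10.10.4.21 10.10.4.31 445 2048
2025-09-01T02:00:14 10.10.4.21 10.10.4.32 445 2048
2025-09-01T02:00:20 10.10.4.21 10.10.4.33 445 2048
2025-09-01T02:00:27 10.10.4.21 10.10.4.34 445 2048
2025-09-01T02:10:00 10.20.0.5 10.10.4.30 445 9000
2025-09-01T02:10:01 10.20.0.5 10.10.4.31 445 9000
2025-09-01T02:10:02 10.20.0.5 10.10.4.32 445 9000
2025-09-01T02:10:03 10.20.0.5 10.10.4.33 445 9000
2025-09-01T02:10:04 10.20.0.5 10.10.4.34 445 9000
2025-09-01T02:10:05 10.20.0.5 10.10.4.35 445 9000
2025-09-01T02:15:00 10.10.7.9 10.20.1.10 445 512
2025-09-01T02:16:00 10.10.7.9 10.20.1.10 445 512
2025-09-01T02:16:30 10.10.7.9 10.20.1.10 443 300
2025-09-01T03:00:00 10.20.3.3 10.20.1.10 445 700
2025-09-01T03:08:00 10.20.3.3 10.20.1.11 445 700
2025-09-01T03:16:00 10.20.3.3 10.20.1.12 445 700
2025-09-01T03:24:00 10.20.3.3 10.20.1.13 445 700
2025-09-01T03:32:00 10.20.3.3 10.20.1.14 445 700
"""


def parse_flows(text):
    """Parse the flow lines into (time, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport), int(nbytes)))
    return flows


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def smb_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Sources reaching >= threshold distinct hosts on TCP/445 inside any sliding
    window. Returns {source: peak distinct destinations}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        if str(src) in ALLOWED_FANOUT_SOURCES:
            continue
        events.sort()
        in_window = Counter()
        left = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that have fallen out of the window on the left edge
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[str(src)] = peak
    return alerts


def smb_policy_violations(flows):
    """Endpoint-originated SMB to anything except the designated file server
    (this covers workstation-to-workstation SMB, the usual lateral-movement path)."""
    pairs = set()
    for _, src, dst, dport, _ in flows:
        if dport == 445 and in_nets(src, WORKSTATION_NETS) \
                and str(dst) not in ALLOWED_ENDPOINT_SMB_TARGETS:
            pairs.add((str(src), str(dst)))
    return sorted(pairs)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("fan-out alerts:", smb_fanout(flows))
    print("policy violations:", smb_policy_violations(flows))
```

In the sample, the workstation 10.10.4.21 touches six hosts within half a minute and trips the fan-out rule, the backup server is allow-listed, and the server 10.20.3.3 spreads the same number of hosts over half an hour and stays under the five-minute window; widening the window is what surfaces slow, deliberate enumeration.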

Monitor commonly abused commands

  • Such as wevtutil, vssadmin, wmic, and bcdedit as used by BlackCat ransomware.
  • Create real-time alerts for sudden event log clearing or shadow copy deletion.
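The Defense Evasion entries (T1070.001 and T1070.004) and this mitigation point at the same four binaries. As an added example, not code from CyCraft or the report, the following rules run over constructed process-creation records, normalize the command line so path and quoting variants match, and only fire on the destructive sub-commands (log clearing, shadow-copy deletion, recovery disabling), leaving routine administrative use such as "vssadmin list shadows" alone. The event layout and host names are assumptions.

```python
import re
from collections import Counter

# Detection rules for the indicator-removal commands named in this report
# (T1070.001 event log clearing, T1070.004 backup/shadow-copy deletion).
# Patterns run against a normalized command line (lower-cased, executable path stripped).
RULES = [
    ("T1070.001", "Windows event log cleared",        r"^wevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("T1070.004", "shadow copies deleted (vssadmin)", r"^vssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1070.004", "shadow copies deleted (wmic)",     r"^wmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("T1070.004", "Windows recovery disabled",        r"^bcdedit(\.exe)?\s+.*recoveryenabled\s+no\b"),
    ("T1070.004", "boot failure handling suppressed", r"^bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures\b"),
]

# Constructed process-creation records (hypothetical; modelled loosely on the
# fields of Sysmon Event ID 1 / Windows Security 4688). Not from the JLR incident.
SAMPLE_EVENTS = [
    {"host": "WS-ENG-017", "user": "CORP\\jdoe",
     "cmdline": '"C:\\Windows\\System32\\wevtutil.exe" cl Security'},
    {"host": "WS-ENG-017", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV-FILE-02", "user": "CORP\\svc_backup",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV-FILE-02", "user": "CORP\\svc_backup",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    # Benign administrative use of the same binaries: must not alert.
    {"host": "WS-HR-003", "user": "CORP\\asmith",
     "cmdline": "wevtutil.exe qe Application /c:5 /f:text"},
    {"host": "WS-HR-003", "user": "CORP\\asmith",
     "cmdline": "vssadmin.exe list shadows"},
]


def normalize(cmdline: str) -> str:
    """Lower-case the command line, collapse whitespace and reduce the first
    token to the bare executable name so path/quoting variants match one rule."""
    parts = cmdline.strip().split()
    if not parts:
        return ""
    parts[0] = parts[0].rsplit("\\", 1)[-1].strip('"')
    return " ".join(parts).lower()


def match_event(event: dict) -> list:
    """Return [(technique_id, description)] for every rule the event matches."""
    cmd = normalize(event["cmdline"])
    return [(tid, desc) for tid, desc, pattern in RULES if re.search(pattern, cmd)]


def scan(events: list) -> list:
    """Run every event through the rules and return one alert per hit."""
    alerts = []
    for ev in events:
        for tid, desc in match_event(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "technique": tid, "description": desc,
                           "cmdline": ev["cmdline"]})
    return alerts


def hosts_over_threshold(alerts: list, threshold: int = 2) -> dict:
    """Hosts with >= threshold indicator-removal hits: several of these commands
    on one host in a short span is the pre-encryption pattern worth paging on."""
    counts = Counter(a["host"] for a in alerts)
    return {h: n for h, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:12} {a["technique"]}  {a["description"]}: {a["cmdline"]}')
    print("hosts to escalate:", hosts_over_threshold(found))
```

Matching on the normalized command line rather than the image path matters because the same binaries are used legitimately every day; the sub-command is what separates backup maintenance from preparation for encryption.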

Network segmentation

  • Divide the network into "security zones" (e.g., IT, OT, suppliers, R&D, guests), allowing only necessary traffic (whitelist), using the principle of least privilege to prevent attacks from spreading from one zone to another.

OT/ICS segregation (including supply chain channels)

  • Critical OT (production lines) and IT should interact through specific jump hosts.
  • Block direct connections from Internet/VPN to PLCs, factory machines, etc.
  • Implement OT security foundational guidance such as NIST SP 800-82.

Reference

IoCs (Indicator of Compromise)

Attacker-related information

  • Email: shinyc0rp[at]tuta.io
  • Telegram: [at]shinyc0rp

User-Agent strings (attacker automation tool information)

  • Salesforce-Multi-Org-Fetcher/1.0
  • Salesforce-CLI/1.0
  • python-requests/2.32.4, aiohttp/3.12.15

IP

Context                                               IP Address
Infrastructure IP (UNC6395/Scattered Spider)          208.68.36.90
Infrastructure IP (UNC6395/Scattered Spider)          44.215.108.109
Infrastructure IP (UNC6395/Scattered Spider)          179.43.159.198
Infrastructure IP (Tor anonymity network exit nodes)  185.220.101.0/24
Known C2/Proxy IP                                     176.65.149.100
Known C2/Proxy IP                                     185.130.47.58
Malicious URL under FBI investigation                 http://64.95.11[.]112/hello.php
Malicious URL under FBI investigation                 91.199.42[.]164/login
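The IoCs above are of very different quality: the Salesforce-specific User-Agent is distinctive, the Tor /24 is shared infrastructure, and python-requests/aiohttp defaults appear in plenty of legitimate automation. The following added example (not CyCraft's code) refangs the indicators as listed in this report, matches them against constructed access-log lines, and assigns each hit a confidence level so that a library User-Agent on its own does not page anyone. The log format, the confidence levels and the sample client addresses are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def refang(value: str) -> str:
    """Turn the defanged notation used in the IoC list back into a real value."""
    return value.replace("[.]", ".").replace("[at]", "@").replace("hxxp", "http")


# Network indicators from the IoC table in this report. The Tor exit range is
# shared infrastructure, so it only earns medium confidence on its own.
IOC_NETWORKS = [
    (ipaddress.ip_network("208.68.36.90"), "high"),
    (ipaddress.ip_network("44.215.108.109"), "high"),
    (ipaddress.ip_network("179.43.159.198"), "high"),
    (ipaddress.ip_network("185.220.101.0/24"), "medium"),
    (ipaddress.ip_network("176.65.149.100"), "high"),
    (ipaddress.ip_network("185.130.47.58"), "high"),
]
IOC_URLS = [refang("http://64.95.11[.]112/hello.php"), refang("91.199.42[.]164/login")]
# User-Agent indicators. The library defaults are common legitimate traffic
# too, so they are low confidence unless another indicator corroborates them.
IOC_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0": "high",
    "Salesforce-CLI/1.0": "medium",
    "python-requests/2.32.4": "low",
    "aiohttp/3.12.15": "low",
}
LEVEL = {"low": 0, "medium": 1, "high": 2}


def url_key(url: str):
    """Normalize a URL (with or without scheme) to (host, path) for comparison."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}

# Constructed access-log lines (hypothetical), one request per line:
# <time> <client-ip> <method> <url-or-path> "<user-agent>"
SAMPLE_LOG = """\
2025-09-03T10:02:11Z 203.0.113.40 GET /services/data/v59.0/query "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
2025-09-03T10:02:15Z 208.68.36.90 GET /services/data/v59.0/query "Salesforce-Multi-Org-Fetcher/1.0"
2025-09-03T10:02:19Z 185.220.101.77 GET /services/data/v59.0/sobjects/Account "python-requests/2.32.4"
2025-09-03T10:03:02Z 198.51.100.9 GET /services/data/v59.0/query "python-requests/2.32.4"
2025-09-03T10:05:44Z 10.10.4.21 GET http://64.95.11.112/hello.php "Mozilla/5.0"
2025-09-03T10:06:10Z 10.10.4.22 GET http://91.199.42.164/login "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def match_line(line: str) -> list:
    """Return [(indicator_type, indicator, confidence)] for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, client, _method, url, ua = m.groups()
    hits = []
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        ip = None
    if ip is not None:
        hits += [("ip", str(net), conf) for net, conf in IOC_NETWORKS if ip in net]
    if url_key(url) in IOC_URL_KEYS:
        hits.append(("url", url, "high"))
    if ua in IOC_USER_AGENTS:
        hits.append(("user_agent", ua, IOC_USER_AGENTS[ua]))
    return hits


def triage(log_text: str, min_confidence: str = "medium") -> list:
    """Lines whose strongest indicator meets min_confidence, as (time, client, hits)."""
    floor = LEVEL[min_confidence]
    out = []
    for line in log_text.splitlines():
        hits = match_line(line)
        if hits and max(LEVEL[c] for _, _, c in hits) >= floor:
            out.append((line.split()[0], line.split()[1], hits))
    return out


if __name__ == "__main__":
    for ts, client, hits in triage(SAMPLE_LOG):
        print(ts, client, hits)
```

With the default floor of medium, the line from 198.51.100.9 that carries only the python-requests User-Agent is kept out of the alert list; lowering the floor to low brings it back for hunting, which is the right place for that kind of indicator.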

About CyCraft

CyCraft is a leading AI cybersecurity company in Asia, focused on AI-automated threat exposure management. Its XCockpit AI platform integrates the three defensive dimensions of XASM (Extended Attack Surface Management): early-warning management of external exposure, optimized monitoring of trust and privilege escalation, and automated coordinated endpoint defense, providing proactive, preventive, and real-time defense in depth. Backed by a strong track record in government, finance, and the semiconductor and high-tech industries, and by high recognition from Gartner and other institutions, CyCraft continues to build Asia's most advanced AI security operations center to safeguard enterprise digital resilience.
