

Prayukth KV
September 8, 2025
Deciphering the Jaguar Land Rover cyberattack
Jaguar Land Rover, one of the world's leading automotive companies, suffered a major cyber incident last week that forced a shutdown of systems across multiple sites. At the time of writing the company was still working to restore the affected systems. The incident has mainly impacted production, including the production of spare parts, which in turn has disrupted vehicle servicing because spares are unavailable.
So, what went wrong?
According to sources and Jaguar Land Rover's own statements, the incident began when the company discovered an "unauthorized intrusion" in its network. The intrusion came to light when an employee noticed and reported anomalous activity on a peripheral network. Jaguar Land Rover then initiated a series of containment measures under its incident response policy, including:
· Shutting down systems
· Blocking access and privileges to impacted systems
· Shutting down production lines with connected systems
· Launching an internal investigation
· Engaging external agencies for a more detailed forensic investigation
Dissecting the attack and the threat actor behind it
The origins of the attack can be traced back to a social engineering (vishing) campaign that the threat actor ShinyHunters ran a few weeks earlier. ShinyHunters is known for targeting well-known brands globally across its campaigns. The group began by exploiting known vulnerabilities in cloud applications and restricted-use databases, then changed tack when those activities did not yield the results it was after.
ShinyHunters, in association with another threat actor, Scattered Spider, then began going after large corporate database operators in order to obtain more relevant data and credentials. Scattered Lapsus$ Hunters (also known as SCATTERED SP1D3R HUNTERS and THE COMHQ), a group within ShinyHunters, decided to use the databases stolen by ShinyHunters to run large-scale ransomware campaigns against major global brands. It is one of these campaigns that contributed to the attack on Jaguar Land Rover.
Scattered Lapsus$ Hunters is essentially another brand identity of ShinyHunters, and possibly a rebranded variant of AlphV. The constant rebranding is designed to keep law enforcement agencies busy chasing empty trails. In fact, when one analyses the communications of these three threat groups, very little effort is spent disguising their common origin.
It could very well be that these three groups are not just sharing members but are operating under a single banner and a single set of masterminds. Since Scattered Lapsus$ Hunters also operates a ransomware-as-a-service offering, it is possible that stolen credentials are being actively traded by the group.
Scattered Lapsus$ Hunters has also issued a ransom threat to Google, demanding that it fire two key security researchers and abandon an ongoing investigation into the group or risk a data leak. The group is also known to run social media polls to pick its next targets. In one recent campaign it asked followers whether they wanted it to target the world's largest beverage company and a food delivery service in India; both companies were subsequently targeted.
TTP
· Initial access: deployment of OAuth apps from trial accounts, followed by the use of compromised accounts belonging to unrelated organisations.
· Vishing and targeted social engineering: calling key employees using AI-generated voice samples while impersonating helpdesk/support staff.
· Data theft: exfiltration via custom Python scripts that mimic legitimate DataLoader operations.
· Infrastructure: vishing calls are routed through VPN IP addresses, while data is transferred through TOR exit nodes.
· Threats: the first level of threats may be simple and direct, followed by a demand for immediate payment addressed to the CEO of the victim organisation.
Our theory on how the attack happened and how it progressed
Data from previous attacks carried out by Scattered Lapsus$ Hunters and other threat actors was used to target certain segments of Jaguar Land Rover's infrastructure. In addition, a vishing attack was carried out against the CRM. The CRM compromise exposed shared credentials that were then used, over VPN-based access, to reach and manipulate applications.
Once inside, the threat actor followed its TTP playbook to move across JLR's network and escalate privileges in one or more key applications. Data theft queries were then issued from TOR IP addresses; the TOR traffic may have been blended with regular traffic to avoid detection, and data was possibly exfiltrated via TOR exit nodes.
Once the core applications were accessible and data had been exfiltrated, the actor deployed a modular ransomware payload and triggered it, completing the first two phases of the attack. The encryption of data is what alerted the organisation's security teams to the breach, after which swift action was taken to contain it and isolate systems.
Because detection was delayed, the attack had already spread across the organisation, riding on the ERP and other connected applications.
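The following is an added example (not code from the original post, from JLR or from any vendor) showing how the TTPs listed above and the attack sequence just described can be turned into detection logic. It runs over a handful of constructed CRM audit events; the event schema, the approved-app list, the TOR exit range (a documentation-only prefix) and the thresholds are all assumptions, so a real deployment would swap in the CRM's actual audit feed and a live exit-node list.

```python
"""Detection rules for the tradecraft described above, run over constructed
CRM audit events. Added example; the schema and all lists are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed allowlist of connected (OAuth) apps the organisation has approved.
APPROVED_APPS = {"SalesDashboard", "ERP-Sync"}

# Constructed TOR exit list. Production code would load a live exit-node feed;
# 203.0.113.0/24 is a documentation-only prefix, not a real exit range.
TOR_EXIT_NETS = [ipaddress.ip_network("203.0.113.0/24")]

BULK_ROW_THRESHOLD = 50_000                  # export jobs this large count as bulk
GRANT_TO_EXPORT_WINDOW = timedelta(hours=2)  # new grant then bulk export this fast is suspect


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def is_tor_exit(ip: str) -> bool:
    """True if the address falls inside a known TOR exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TOR_EXIT_NETS)


def analyse(events: list[dict]) -> list[Finding]:
    """Apply three rules to a time-ordered stream of CRM audit events:
    1. an OAuth app outside the allowlist, or published from a trial org, is authorised;
    2. a bulk export is run from a TOR exit node;
    3. a bulk export follows an unapproved grant within GRANT_TO_EXPORT_WINDOW."""
    findings: list[Finding] = []
    last_bad_grant: dict[str, datetime] = {}  # user -> time of last unapproved grant
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "oauth_app_authorized":
            publisher = ev.get("publisher_org_type", "unknown")
            if ev["app"] not in APPROVED_APPS or publisher == "trial":
                last_bad_grant[user] = ts
                findings.append(Finding("unapproved_oauth_app", user,
                                        f"{ev['app']} published by a {publisher} org"))
        elif ev["type"] == "bulk_export" and ev["rows"] >= BULK_ROW_THRESHOLD:
            detail = f"{ev['rows']} rows of {ev['object']} from {ev['ip']}"
            if is_tor_exit(ev["ip"]):
                findings.append(Finding("bulk_export_via_tor", user, detail))
            granted = last_bad_grant.get(user)
            if granted is not None and ts - granted <= GRANT_TO_EXPORT_WINDOW:
                findings.append(Finding("bulk_export_after_new_grant", user, detail))
    return findings


# Constructed sample: one benign analyst session and one session that matches
# the playbook (trial-org OAuth app, then a large export through a TOR exit).
SAMPLE_EVENTS = [
    {"ts": "2025-08-20T09:05:00", "type": "oauth_app_authorized", "user": "alice",
     "app": "SalesDashboard", "publisher_org_type": "customer"},
    {"ts": "2025-08-20T10:00:00", "type": "bulk_export", "user": "alice",
     "object": "Contact", "rows": 1_200, "ip": "198.51.100.10"},
    {"ts": "2025-08-20T11:00:00", "type": "oauth_app_authorized", "user": "bob",
     "app": "LoaderHelper", "publisher_org_type": "trial"},
    {"ts": "2025-08-20T11:40:00", "type": "bulk_export", "user": "bob",
     "object": "Account", "rows": 250_000, "ip": "203.0.113.7"},
    {"ts": "2025-08-21T15:00:00", "type": "bulk_export", "user": "bob",
     "object": "Lead", "rows": 90_000, "ip": "198.51.100.10"},
]


def run_sample() -> list[Finding]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:28} {f.user:6} {f.detail}")
```

The third rule is the one that matters for the playbook above: a trial-tenant app grant on its own is noise in many organisations, and a large export on its own is routine for an analyst, but the two in quick succession from the same account is the sequence the TTP list describes. Bob's export the following day trips neither the TOR rule nor the grant window and is correctly left alone.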
So what can be done to protect your infrastructure against such attacks?
· Assess application integration: treat integrated applications as nodes that threat actors can manipulate. Grant privileges on a need-to-have basis only and revoke them when they are not in use.
· Authenticate requests made over the phone: any request made via a call must be verified through at least two additional out-of-band authentication methods before it is granted.
· Adopt a zero-tolerance approach to risk: any residual risk linked to data must be mitigated and should not be allowed to linger in the risk register as "acceptable risk".
· Conduct a third-party-specific risk assessment and incident response exercise: this checks your susceptibility to the attack pattern described above.
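As an added example (not from the original post or any product), the first recommendation above can be turned into a periodic audit of integration privileges: every OAuth or API grant records the scopes it holds and the scopes it has actually exercised, and the review either revokes grants that have sat idle or trims scopes that were granted but never used. The grant records, scope names and 30-day idle window are constructed assumptions; the same shape applies to whatever the CRM or ERP exposes for connected-app permissions.

```python
"""Least-privilege review of integration grants. Added example; the grant
schema, scope names and idle window are assumptions, not a real product API."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

IDLE_LIMIT = timedelta(days=30)               # a grant unused this long is revoked
HIGH_RISK_SCOPES = {"data.export", "api.write", "admin"}


@dataclass
class Grant:
    app: str                       # integrated application holding the grant
    principal: str                 # user or service account it acts as
    scopes: set[str]               # what was granted
    exercised: set[str] = field(default_factory=set)  # what was actually used
    last_used: date | None = None  # None means never exercised


@dataclass
class Action:
    kind: str         # "revoke" or "reduce"
    app: str
    principal: str
    reason: str


def review(grants: list[Grant], today: date) -> list[Action]:
    """Revoke idle grants; otherwise trim scopes that were never exercised.
    High-risk unexercised scopes are listed first so they are triaged first."""
    actions: list[Action] = []
    for g in grants:
        if g.last_used is None or today - g.last_used > IDLE_LIMIT:
            reason = "never used" if g.last_used is None else f"idle since {g.last_used}"
            actions.append(Action("revoke", g.app, g.principal, reason))
            continue
        unused = g.scopes - g.exercised
        if unused:
            risky = sorted(unused & HIGH_RISK_SCOPES)
            rest = sorted(unused - HIGH_RISK_SCOPES)
            actions.append(Action("reduce", g.app, g.principal, "drop " + ",".join(risky + rest)))
    return actions


# Constructed sample grants: one healthy, one over-scoped, one never used,
# one long idle.
SAMPLE_GRANTS = [
    Grant("ERP-Sync", "svc-erp", {"api.read", "api.write"},
          exercised={"api.read", "api.write"}, last_used=date(2025, 9, 5)),
    Grant("SalesDashboard", "alice", {"api.read", "data.export"},
          exercised={"api.read"}, last_used=date(2025, 9, 1)),
    Grant("LoaderHelper", "bob", {"api.read", "data.export", "admin"},
          exercised=set(), last_used=None),
    Grant("OldReporting", "svc-report", {"api.read"},
          exercised={"api.read"}, last_used=date(2025, 6, 30)),
]


def run_sample(today: date = date(2025, 9, 8)) -> list[Action]:
    return review(SAMPLE_GRANTS, today)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind:7} {a.app:15} {a.principal:10} {a.reason}")
```

Run on a schedule, the "reduce" actions are the ones that shrink the blast radius of a stolen credential: an account whose integration holds data.export it never uses is exactly the foothold the exfiltration stage above relies on.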