
Introduction
OT security, or operational technology security, is the practice of protecting critical infrastructure and industrial systems from cyber threats. These systems, which include everything from power grids and water treatment plants to manufacturing plants and transportation networks, are the backbone of modern society. Unlike traditional IT systems, OT systems are designed to control physical processes and often operate in real time, which makes them both unique and highly vulnerable to cyberattacks.
Report Scope
This report analyses the incident based on our own investigation, correlation of data, documented TTPs, data from third-party forums and, lastly, our in-depth analysis of the communications and activities of the group involved.
Executive Summary
A major cyberattack has thrown Jaguar Land Rover (JLR) into turmoil, forcing a complete halt to its global vehicle production since the end of August 2025. The incident, which has been described as a "digital siege," has had a significant financial impact on the British luxury carmaker and its extensive supply chain, with production now paused until at least the beginning of October 2025.
The attack, which targeted the company's IT systems, has effectively paralyzed JLR's manufacturing capabilities worldwide. The company has been forced to repeatedly extend the production shutdown as it works with cybersecurity experts and law enforcement to investigate the breach and ensure a secure restart of its operations.
The financial fallout from the incident is substantial, with estimates suggesting the production stoppage is costing JLR millions of pounds daily. The ripple effect is being felt acutely throughout the automotive supply chain, with many smaller suppliers who are heavily reliant on JLR facing significant financial distress and potential job losses. The UK government has been urged to intervene and provide support to affected workers and businesses.
While JLR has not officially disclosed the specifics of the attack, reports have linked it to a ransomware group. The hackers are believed to have gained access to the company's internal systems, disrupting everything from manufacturing to vehicle diagnostics and parts ordering.
TTP
First level or initial access: deployment of OAuth apps using trial accounts, followed by the use of compromised accounts from unrelated organisations.
Vishing and targeted social engineering: calling key employees using AI-generated voice samples while impersonating the helpdesk/support team.
Data theft: exfiltration is done via engineered Python scripts that mimic DataLoader operations. Infrastructure used: vishing calls are routed through VPN IPs, while data is transferred through TOR exit nodes.
Threats: the first level of threats can be simple and direct, followed by a demand for immediate payment made to the CEO of the victim organisation.
Attack timeline
Data from previous attacks carried out by Scattered Lapsus$ Hunters and other threat actors was used to conduct an attack on certain segments of Jaguar Land Rover's infrastructure. In addition, a vishing attack was carried out against the CRM. The CRM attack exposed common credentials that were then used to access and manipulate applications via VPN-based access.
Once the attack succeeded, the threat actor followed its TTP playbook to move across JLR's network and escalate privileges across one or more key applications. Several queries for data theft were then deleted using TOR IP addresses. TOR traffic may have been blended with regular traffic to avoid detection. Data was also possibly exfiltrated via TOR exit nodes.
Once the core applications were accessible and data had been exfiltrated, the actor deployed a modular ransomware and triggered it to complete the first two phases of the attack. Encryption of the data alerted the organisation's security teams to the breach, and swift action was then taken to contain the breach and isolate systems.
Because of the delayed detection, the attack spread across the organization riding on ERP and other connected applications.

Proof of access
The threat actor published the following screenshots to confirm their access to the target infrastructure at Jaguar Land Rover.
The first screenshot belongs to an internal portal connected to a shop floor.
A possible debug log.
Backend code for identifying a user connected with a vehicle.
Threat actor profile
Scattered Spider, also known as Sp1d3rhunters or ShinyHunters, the group claiming responsibility for the Jaguar Land Rover cyber incident, signals a new evolutionary leap in the global threat actor TTP landscape. What sets them apart is their carefully crafted modus operandi, one that fuses three potent ingredients for instant notoriety in cyberspace: customer data, large brands, and a unique revenue and operating model for targeting victims.
To the untrained eye, Scattered Spider may appear as just another threat actor chasing ransom. However, when you scratch the surface, you start seeing operational layers that unambiguously point to a higher level of evolution, both in terms of TTPs and in terms of post-incident pressure tactics. Let us now look at the group in detail to understand why the Jaguar Land Rover incident is proving to be such a long-drawn affair.
This group surfaced in 2020 through a series of global breaches. We have reason to believe that the group was started by former members of ALPHV and RansomHub. The group was possibly incubated by one of these groups, which provided stolen data and credentials to breach target networks in its initial stages. Using a best-of-breed approach, Scattered Spider quickly gained a life of its own, and as the revenue counters started humming, the group began paying more attention to its business model.
Between 2021 and 2023, the group underwent a series of leadership changes, with the average age of its leadership shrinking by nearly a decade. During this period, several new individuals entered the group while the older members moved out. The newcomers settled in fairly quickly and continued to scale operations, as is evident from the list of successful crimes committed by Scattered Spider even during the transition period.
Even for the most sophisticated threat actors, the business and operational models are mostly about raking in ransom while they can and then disappearing into the shadows. ShinyHunters is an exception to this trend. Not only has Scattered Spider developed many models to sustain revenue for its operations, it also runs one of the most mature ransomware-as-a-service operations, with multiple affiliate-friendly revenue-sharing models. Small wonder that its affiliate base grew by a whopping 700 percent in the last two years.
They are easily among the most collaborative cyber crime groups out there. Thanks to a fluid leadership structure with deep links to multiple established threat actors, ShinyHunters has many active cyber crime projects running with groups around the world. Today, a large number of the over 400 cyber incidents attributed to the group are carried out by affiliates through the revenue-sharing model.
Targeting large brands
In addition to seeking publicity for its actions, Scattered Spider has had large brands in its crosshairs since it commenced operations. In its initial phases, the targets were a blend of large and small brands, chosen ostensibly for revenue. Zoosk, Home Chef, Minted, Chatbooks, the Chronicle of Higher Education, Tokopedia and Wattpad were among its early victims. In the subsequent years, as the new leadership began settling in, the group scaled up its operations to target many small and medium businesses that paid ransoms quietly, fearing regulatory attention or investor scrutiny. In 2024, the group went after AT&T, Twilio and Ticketmaster among other large brands, gathering confidence and an unquenchable hunger for publicity in the process. By 2025, the group had grown and its affiliates had spread their tentacles across the web, netting several large brands including:
Kering (Gucci, Balenciaga, Alexander McQueen): Customer data from the luxury fashion group was compromised.
LVMH (Louis Vuitton, Dior, Tiffany & Co.): Gained access to a customer information database
Air France-KLM: Customer service data, including names and loyalty program information, was accessed.
Adidas: Customer service tickets were allegedly stolen.
Chanel: A client care database was compromised.
Pandora: Customer profiles were accessed.
Qantas: Customer data stored in a CRM platform was breached.
Allianz Life: The North American branch of the insurance giant was targeted.
Cisco: User profile information from a CRM system was stolen.
Cartier: Limited client information was accessed.
Workday: A customer support database was breached.
Vietnam's National Credit Information Center (CIC): Scattered Spider claimed to have exfiltrated nearly 160 million records.
Modus operandi
Unlike other groups that rely purely on domain impersonation, phishing and vishing, Scattered Spider went a step further by blending these methods with manipulation of MFA applications. The attack begins with a call placed by a gang member, pretending to be from the support team, to a pre-identified employee. The employee is guided to deploy a modified data loader, enabling the gang member to gain access to the CRM data.
The attack is then escalated to target multiple systems. From the preliminary information available, it seems that the group was able to penetrate deep into the networks of Jaguar Land Rover, with access to multiple applications and data. It appears that Jaguar Land Rover is trying to control the spread of the breach by disabling the impacted systems. However, in the initial days, when the exact blast radius was unknown, it is possible that some impacted systems at Jaguar Land Rover were kept ‘alive’, leading to loss of data, an extended system impact and delayed recovery.
Leaking data, double extortion and open threats across social platforms are common tactics used by this group. Scattered Spider is also known to use stolen credentials and hijacked victim applications to send phishing mails to entirely new potential victims.
The US and UK recently charged two members of the group who were arrested earlier. Such arrests, as well as a message sent by the group on its Telegram channel which said “We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark,” indicate that the group is just covering its tracks and fading for the time being, only to bounce back later. The leadership of the group is still at large, and we believe they will reappear as a rebranded organisation very soon.
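As an added example that is not part of this report, the following Python detection logic turns the TTP, attack timeline and modus operandi described above into a check over constructed CRM audit events: it flags a user whose row volume within a short window is anomalous while the requests come from TOR exit addresses or from a bulk client that is not an approved integration. The event schema, the threshold values and the TOR_EXITS sample are assumptions.

```python
"""Detect bulk CRM reads from anonymised sources (added example).

Assumed: the CRM emits per-request audit events as JSON lines with the
constructed fields below. TOR_EXITS is a constructed sample; in practice
it would be refreshed from an exit-node feed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

TOR_EXITS = {"203.0.113.7", "198.51.100.23"}     # constructed, not real
APPROVED_BULK_CLIENTS = {"Data Loader/Corp-ETL"}  # integrations allowed to bulk-read
RECORD_THRESHOLD = 50_000                         # rows per user per window
WINDOW = timedelta(minutes=30)

# Constructed events: a sanctioned ETL run, then a user whose "data loader"
# session pulls far more than usual through TOR exits, then normal UI use.
SAMPLE_EVENTS = """
{"ts":"2025-09-01T02:00:00","user":"etl.svc","client":"Data Loader/Corp-ETL","ip":"10.0.5.20","op":"QUERY","rows":40000}
{"ts":"2025-09-01T09:12:00","user":"j.doe","client":"Data Loader/50.0","ip":"203.0.113.7","op":"QUERY","rows":25000}
{"ts":"2025-09-01T09:20:00","user":"j.doe","client":"Data Loader/50.0","ip":"198.51.100.23","op":"QUERY","rows":30000}
{"ts":"2025-09-01T09:25:00","user":"j.doe","client":"Data Loader/50.0","ip":"198.51.100.23","op":"EXPORT","rows":5000}
{"ts":"2025-09-01T11:00:00","user":"m.lee","client":"Web UI","ip":"10.0.7.4","op":"QUERY","rows":200}
"""


def parse_events(text):
    """Parse JSON-lines audit text into events sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ip_address(ev["ip"])  # fail fast on a malformed address
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events):
    """One finding per user whose rows read within WINDOW reach the threshold
    while any of those requests came from a TOR exit or an unapproved client.
    The client string alone is spoofable (the scripts mimic the real loader),
    so it is only ever combined with volume and source-network evidence."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["op"] in ("QUERY", "EXPORT"):
            by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1  # slide the window forward
            window = evs[start:end + 1]
            rows = sum(w["rows"] for w in window)
            tor = {w["ip"] for w in window if w["ip"] in TOR_EXITS}
            unapproved = {w["client"] for w in window
                          if w["client"] not in APPROVED_BULK_CLIENTS}
            if rows >= RECORD_THRESHOLD and (tor or unapproved):
                findings.append({"user": user, "rows": rows,
                                 "tor_ips": sorted(tor), "clients": sorted(unapproved)})
                break  # one alert per user is enough
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```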
Protection measures
So what specific steps can be taken to protect your infrastructure against such attacks?
Assess application integration: applications should be treated as nodes that threat actors can manipulate; privileges should be granted on a need-to-have basis only and revoked when not in use.
Authenticate requests made by phone: any request made via a call has to be authenticated through at least two further offline authentication modes before the request is granted.
Adopt a zero-tolerance approach to risk: any amount of residual risk linked to data needs to be mitigated and should not be allowed to linger in the risk register as “acceptable risk”.
Conduct a third-party-specific risk assessment and incident response: this can be done to check your susceptibility to the attack type described above.
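As an added illustration of the first measure (not code from the report or its authors), the following Python review compares a constructed inventory of connected-app grants with the scopes each app actually exercised in the review period and emits least-privilege actions: quarantine apps from unverified publishers, revoke grants idle beyond a limit, and drop granted-but-unused scopes. The field names, the publisher_verified flag (standing in for apps registered from trial or unknown tenants) and the 30-day idle limit are assumptions.

```python
"""Least-privilege review of connected (OAuth) app grants (added example).

Assumed inputs (constructed): an inventory of app grants and a usage record
of which scopes each app actually used. Field names are hypothetical; map
them to your platform's audit export.
"""
from datetime import date

REVIEW_DATE = date(2025, 9, 15)
IDLE_DAYS = 30                      # grants unused this long get revoked
ALWAYS_KEEP = {"refresh_token"}     # scope needed for the grant itself to work

# Constructed inventory: publisher_verified=False models an app registered
# from a trial or unknown tenant, the pattern noted in the TTP section.
APPS = [
    {"app": "Corp-ETL", "publisher_verified": True,
     "granted": {"api", "refresh_token"}, "last_used": date(2025, 9, 14)},
    {"app": "QuickSync Trial", "publisher_verified": False,
     "granted": {"api", "full", "refresh_token", "export"},
     "last_used": date(2025, 9, 13)},
    {"app": "OldReporting", "publisher_verified": True,
     "granted": {"api", "export"}, "last_used": date(2025, 7, 1)},
]
# Constructed usage record: scopes actually exercised in the review period.
USAGE = {
    "Corp-ETL": {"api"},
    "QuickSync Trial": {"api", "export"},
    "OldReporting": set(),
}


def review(apps, usage, today=REVIEW_DATE, idle_days=IDLE_DAYS):
    """Return {app: [actions]} for apps needing attention.

    Actions: 'quarantine' (unverified publisher), 'revoke_app' (idle grant),
    'drop_scope:<scope>' (granted but never used, so not need-to-have).
    Apps that need nothing are omitted from the result.
    """
    actions = {}
    for app in apps:
        acts = []
        if not app["publisher_verified"]:
            acts.append("quarantine")
        if (today - app["last_used"]).days > idle_days:
            acts.append("revoke_app")  # whole grant goes; no scope trimming needed
        else:
            used = usage.get(app["app"], set())
            for scope in sorted(app["granted"] - used - ALWAYS_KEEP):
                acts.append(f"drop_scope:{scope}")
        if acts:
            actions[app["app"]] = acts
    return actions


if __name__ == "__main__":
    for name, acts in review(APPS, USAGE).items():
        print(name, "->", ", ".join(acts))
```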
