
Incident Analysis Report
Jaguar Land Rover Breach

Table of contents

Introduction

Report Scope

Executive Summary

What went wrong?

Root cause analysis

Attack timeline

Proof of access

Threat actor profile

Protection measures

Introduction

Leading automotive manufacturer Jaguar Land Rover (JLR) faced a major cyber incident this month that forced a shutdown of systems across multiple sites. The company has been working to restore the affected systems. The incident has mainly hit production, including the production of spare parts, which in turn has disrupted vehicle servicing for lack of spares. The attack has caused havoc across JLR’s vast supply chain, which involves roughly 200,000 workers. Recovery has been delayed and the incident has cost the company millions in lost business.

OT Security, or operational technology security, is the practice of protecting critical infrastructure and industrial systems from cyber threats. These systems, which include everything from power grids and water treatment facilities to manufacturing plants and transportation networks, are the backbone of modern society. Unlike traditional IT systems, OT systems are designed to control physical processes and often operate in real-time, making them both unique and highly vulnerable to cyberattacks.

Report Scope

This report is an analysis of the incident based on our own investigation, correlation of data, documented TTPs, data from third-party forums and an in-depth review of the communications and activities of the group involved.

Executive Summary

A major cyberattack has thrown Jaguar Land Rover (JLR) into turmoil, forcing a complete halt to its global vehicle production since the end of August 2025. The incident, which has been described as a "digital siege," has had a significant financial impact on the British luxury carmaker and its extensive supply chain, with production now paused until at least the beginning of October 2025.

The attack, which targeted the company's IT systems, has effectively paralyzed JLR's manufacturing capabilities worldwide. The company has been forced to repeatedly extend the production shutdown as it works with cybersecurity experts and law enforcement to investigate the breach and ensure a secure restart of its operations.

The financial fallout from the incident is substantial, with estimates suggesting the production stoppage is costing JLR millions of pounds daily. The ripple effect is being felt acutely throughout the automotive supply chain, with many smaller suppliers who are heavily reliant on JLR facing significant financial distress and potential job losses. The UK government has been urged to intervene and provide support to affected workers and businesses.

While JLR has not officially disclosed the specifics of the attack, reports have linked it to a ransomware group. The hackers are believed to have gained access to the company's internal systems, disrupting everything from manufacturing to vehicle diagnostics and parts ordering.


What went wrong?

As per sources and Jaguar Land Rover’s own statements, the incident began when the company discovered an “unauthorized intrusion” in its network. The intrusion came to light when an employee noticed and reported anomalous activity on a peripheral network. JLR then initiated a series of containment measures under its incident response policy, including:

Shutting down systems

Blocking access and privileges to impacted systems

Shutting down production lines with connected systems

Launching an internal investigation

Engaging external agencies for a more detailed forensic investigation



Root cause analysis

The origins of the attack can be traced to a social engineering/vishing campaign that the threat actor ShinyHunters ran a few weeks earlier. ShinyHunters is known to target well-known brands globally across its campaigns. The group began by exploiting known vulnerabilities in cloud applications and restricted-use databases, then changed tack when that activity did not yield the results it sought.

ShinyHunters, in association with the threat actor Scattered Spider, then went after large corporate database managers to obtain more relevant data and credentials. Scattered Lapsus$ Hunters (also styled SCATTERED SP1D3R HUNTERS, or THE COMHQ), a group within ShinyHunters, decided to use the databases stolen by ShinyHunters to run large-scale ransomware campaigns against major global brands. One of these campaigns contributed to the attack on Jaguar Land Rover.

Scattered Lapsus$ Hunters is essentially another brand identity of ShinyHunters and possibly a rebranded variant of ALPHV. The constant rebranding is designed to keep law enforcement agencies busy chasing empty trails. In fact, when one analyses the communications of these three threat groups, very little effort is made to disguise their common origin.

It may well be that these three groups not only share members but also operate under a single banner and a single set of masterminds. Since Scattered Lapsus$ Hunters also operates a ransomware-as-a-service offering, it is possible that stolen credentials are being actively traded by the group.

Scattered Lapsus$ Hunters has also issued a ransom threat to Google, demanding that it fire two key security researchers and abandon an ongoing investigation into the group or risk a data leak. The group is also known to poll its social media followers to pick its next targets. In a recent campaign it asked followers whether it should target the world’s largest beverage company and a food delivery service in India; both companies were subsequently targeted by the group.

TTP

Initial access: Deployment of OAuth apps using trial accounts, followed by use of compromised accounts from unrelated organisations.

Vishing and targeted social engineering: Calling key employees using AI-generated voice samples while impersonating helpdesk/support staff.

Data theft: Exfiltration via custom Python scripts that mimic Data Loader operations. Infrastructure: vishing calls are routed through VPN IPs while data is transferred through TOR exit nodes.

Threats: The first round of threats is simple and direct, followed by a demand for immediate payment addressed to the CEO of the victim organisation.
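The TTP chain above (a freshly authorised OAuth/connected app, Data Loader-style bulk exports, traffic arriving from TOR exit nodes) is detectable in CRM audit logs if the signals are correlated rather than alerted on individually. The following is an added detection example written for this report; it is not code from the original page, from JLR or from the threat actor. The event schema, field names, tuning thresholds and the TOR exit addresses are all assumptions, and the audit events are constructed sample data. The same logic covers the "modified data loader" step described later under Modus operandi.

```python
"""Correlate 'new OAuth app authorised' with bulk exports from Tor exits.

Added example for this report. Event schema, thresholds and exit-node
addresses are assumptions; SAMPLE_EVENTS is constructed, not real log data.
"""
from datetime import datetime, timedelta

# Constructed Tor exit list (documentation-range addresses, not real exit
# nodes). In practice, load the published exit-node list on a schedule.
TOR_EXIT_IPS = {"198.51.100.7", "203.0.113.45"}

# Assumed tuning: an export within WINDOW of the app's first authorisation is
# "new app" activity; BULK_ROWS or more rows in one job counts as bulk volume.
WINDOW = timedelta(hours=6)
BULK_ROWS = 10_000

# Constructed sample audit events, in logging order. The schema is assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-08-28T09:02:11Z", "user": "j.smith", "event": "login",
     "ip": "10.20.0.14"},
    {"ts": "2025-08-28T09:05:40Z", "user": "j.smith",
     "event": "oauth_app_authorized", "ip": "10.20.0.14",
     "app_id": "3MVG9-trial"},
    {"ts": "2025-08-28T09:41:03Z", "user": "j.smith", "event": "bulk_export",
     "ip": "198.51.100.7", "app_id": "3MVG9-trial",
     "object": "Contact", "rows": 240_000},
    {"ts": "2025-08-28T09:55:20Z", "user": "j.smith", "event": "bulk_export",
     "ip": "203.0.113.45", "app_id": "3MVG9-trial",
     "object": "Account", "rows": 80_000},
    # Benign baseline: long-standing ETL integration, corporate IP, small job.
    {"ts": "2025-08-28T10:00:00Z", "user": "svc.etl", "event": "bulk_export",
     "ip": "10.20.0.50", "app_id": "3MVG9-etl", "object": "Case", "rows": 500},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_exports(events, tor_exits=TOR_EXIT_IPS,
                            window=WINDOW, bulk_rows=BULK_ROWS):
    """Return one alert per bulk export that follows a recent app
    authorisation AND shows at least one export anomaly (Tor source or
    bulk volume). Each alert lists the reasons that fired."""
    authorised_at = {}   # app_id -> time the app was first authorised
    alerts = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        ts = _parse_ts(ev["ts"])
        if ev["event"] == "oauth_app_authorized":
            authorised_at.setdefault(ev["app_id"], ts)
            continue
        if ev["event"] != "bulk_export":
            continue
        first_seen = authorised_at.get(ev["app_id"])
        recent_app = first_seen is not None and ts - first_seen <= window
        anomalies = []
        if ev["ip"] in tor_exits:
            anomalies.append("source IP is a Tor exit")
        if ev["rows"] >= bulk_rows:
            anomalies.append("bulk volume: %d rows" % ev["rows"])
        # Requiring the new-app signal keeps an established integration that
        # runs routine jobs from the corporate network out of the alert feed.
        if recent_app and anomalies:
            age = "app authorised %s before export" % (ts - first_seen)
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "app_id": ev["app_id"], "object": ev["object"],
                           "reasons": [age] + anomalies})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_exports(SAMPLE_EVENTS):
        print(a["ts"], a["user"], a["object"], "|", "; ".join(a["reasons"]))
```

Run it as a batch job over the previous day's audit export, or feed the same function from a streaming pipeline. The deliberate weakness to tune for your environment is the "recent app" requirement: it suppresses noise from long-standing integrations, but an attacker who abuses an app authorised months ago would need a separate rule keyed on Tor source alone.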

Attack timeline

Data from previous attacks carried out by Scattered Lapsus$ Hunters and other threat actors was used to attack certain segments of Jaguar Land Rover’s infrastructure. In addition, a vishing attack was carried out against the CRM. The CRM compromise exposed shared credentials that were then used to access and manipulate applications over VPN-based access.

Once the initial access succeeded, the threat actor followed its TTP playbook to move across JLR’s network and escalate privileges in one or more key applications. Several data-theft queries were then deleted via TOR IP addresses; TOR traffic may have been blended with regular traffic to avoid detection. Data was also possibly exfiltrated via TOR exit nodes.

Once the core applications were accessible and data had been exfiltrated, the actor deployed a modular ransomware and triggered it, completing the first two phases of the attack. Encryption of the data alerted the organisation’s security teams to the breach, and swift action was then taken to contain it and isolate systems.

Because of the delayed detection, the attack had already spread across the organisation, riding on ERP and other connected applications.


Proof of access

The threat actor published the following screenshots to confirm their access to the target infrastructure at Jaguar Land Rover.

The first one belongs to an internal portal connected to a shop floor.

[Screenshot: internal shop-floor portal]

A possible debug log.

[Screenshot: debug log]

Backend code for identification of a user connected with a vehicle.

[Screenshot: backend code]


Threat actor profile

Scattered Spider, also known as Sp1d3rhunters or ShinyHunters, the group claiming responsibility for the Jaguar Land Rover cyber incident, signals a new evolutionary leap in the global threat actor TTP landscape. What sets it apart is a carefully crafted modus operandi that fuses three potent ingredients for instant notoriety in cyberspace: customer data, large brands, and a unique revenue and operating model for targeting victims.

To the untrained eye, Scattered Spider may appear to be just another threat actor chasing ransom. Scratch the surface, however, and operational layers appear that unambiguously point to a higher level of evolution, both in TTPs and in post-incident pressure tactics. Let us look at the group in detail to understand why the Jaguar Land Rover incident is proving to be such a long-drawn affair.

The group surfaced in 2020 through a series of global breaches. We have reason to believe that it was started by former members of ALPHV and RansomHub, and that one of these groups incubated it, providing stolen data and credentials to breach target networks in its early stages. Using a best-of-breed approach, Scattered Spider quickly gained a life of its own, and as the revenue counters started humming the group paid more attention to its business model.

Between 2021 and 2023, the group underwent a series of leadership changes, with the average age of its leadership shrinking by nearly a decade. During this period several new individuals joined while the older members moved out. The newcomers settled in quickly and continued to scale operations, as is evident from the list of successful crimes committed by Scattered Spider even during the transition.

Even for the most sophisticated threat actors, the business and operational model is mostly about raking in ransom while they can and then disappearing into the shadows. ShinyHunters is an exception to this trend. Not only has Scattered Spider developed multiple models to sustain revenue for its operations, it also runs one of the most mature ransomware-as-a-service operations, with several affiliate-friendly revenue-sharing models. Small wonder that its affiliate base grew by a whopping 700 percent in the last two years.

They are easily among the most collaborative cyber crime groups out there. Thanks to a fluid leadership structure with deep links to multiple established threat actors, ShinyHunters has many active cyber crime projects running with groups around the world. Today, a large share of the over 400 cyber incidents attributed to the group are carried out by affiliates under the revenue-sharing model.


Targeting large brands

In addition to seeking publicity for its actions, Scattered Spider has had large brands in its crosshairs since it commenced operations. In its initial phases, the targets were a blend of large and small brands chosen ostensibly for revenue. Zoosk, Home Chef, Minted, Chatbooks, the Chronicle of Higher Education, Tokopedia and Wattpad were among its early victims. In the subsequent years, as the new leadership settled in, the group scaled up its operations to target many small and medium businesses that paid ransoms quietly, fearing regulatory attention or investor scrutiny. In 2024, the group went after AT&T, Twilio and Ticketmaster among other large brands, gathering confidence and an unquenchable hunger for publicity in the process. By 2025, the group had grown and its affiliates had spread tentacles across the web, netting several large brands including:

Google: Breached through a third-party CRM environment, exposing contact information of business customers.

Kering (Gucci, Balenciaga, Alexander McQueen): Customer data from the luxury fashion group was compromised.

LVMH (Louis Vuitton, Dior, Tiffany & Co.): Gained access to a customer information database

Air France-KLM: Customer service data, including names and loyalty program information, was accessed.

Adidas: Customer service tickets were allegedly stolen.

Chanel: A client care database was compromised.

Pandora: Customer profiles were accessed.

Qantas: Customer data stored in a CRM platform was breached.

Allianz Life: The North American branch of the insurance giant was targeted.

Cisco: User profile information from a CRM system was stolen.

Cartier: Limited client information was accessed.

Workday: A customer support database was breached.

Vietnam's National Credit Information Center (CIC): Scattered Spider claimed to have exfiltrated nearly 160 million records.

Modus operandi

Unlike other groups that rely purely on domain impersonation, phishing and vishing, Scattered Spider goes a step further by blending these methods with manipulation of MFA applications. The attack begins with a call from a gang member posing as the support team to a pre-identified employee. The employee is guided to deploy a modified data loader, which gives the gang member access to the CRM data.

The attack then escalates to target multiple systems. From the preliminary information available, the group appears to have penetrated deep into Jaguar Land Rover’s networks, with access to multiple applications and data. JLR appears to be trying to control the spread of the breach by disabling the impacted systems. However, in the initial days, when the exact blast radius was unknown, it is possible that some impacted systems were kept ‘alive’, leading to further loss of data, a wider system impact and delayed recovery.

Leaking data, double extortion and open threats across social platforms are common tactics of this group. Scattered Spider is also known to use stolen credentials and hijacked victim applications to send phishing mails to entirely new potential victims.

The US and UK recently charged two members of the group who had been arrested earlier. Such arrests, as well as a message the group posted on its Telegram channel, which said “We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark,” indicate that the group is merely covering its tracks and fading for the time being, to bounce back later. The group’s leadership is still at large and we expect it to reappear as a rebranded organisation very soon.


Protection measures

So what specific steps can be taken to protect your infrastructure against such attacks?


Assess application integration: Treat applications as nodes that threat actors can manipulate. Grant privileges on a need-to-have basis only and revoke them when not in use.

Authenticate requests made by phone: Any request made over a call must be verified through at least two additional out-of-band authentication channels before it is granted.

Adopt a zero-tolerance approach to risk: Any residual risk linked to data must be mitigated and should not be allowed to linger in the risk register as “acceptable risk”.

Conduct a third-party-specific risk assessment and incident response exercise: This checks your susceptibility to the attack type described above.
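The second measure, verifying phone requests through additional out-of-band channels, is where helpdesk-impersonation vishing of the kind described under Modus operandi is usually won or lost. The example below is an added illustration of such a gate written for this report; it is not JLR's process, nor code from any vendor. The policy (callback to the HR number on record plus a manager approval recorded under the manager's own login), the record formats and the directory entries are assumptions, and the sample requests are constructed. The point it makes is that nothing the caller supplies, including a phone number they read out, counts towards verification.

```python
"""Verification gate for high-risk requests that arrive by phone.

Added example for this report. Policy, record formats and directory data
are assumptions; DIRECTORY and the requests in __main__ are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    username: str
    phone_on_record: str   # from the HR directory, never from the caller
    manager: str           # username of the line manager


@dataclass
class PhoneRequest:
    claimed_user: str
    action: str                         # e.g. "mfa_reset"
    caller_supplied_phone: str = ""     # whatever the caller read out; untrusted
    callback_number_dialed: str = ""    # number the agent actually called back
    callback_answered_ok: bool = False  # callee confirmed they made the request
    manager_ack_ticket: str = ""        # ticket in which the manager approved
    manager_ack_by: str = ""            # login that recorded the approval


# Actions that must pass both out-of-band checks (assumed list).
HIGH_RISK_ACTIONS = {"mfa_reset", "password_reset", "device_enroll"}

# Constructed directory for the example.
DIRECTORY = {
    "j.smith": Employee("j.smith", "+44 7700 900123", "a.jones"),
}


def verify_phone_request(req, directory=DIRECTORY):
    """Return (granted, reasons).

    A high-risk request is granted only when both independent checks pass.
    The caller's own claims, including caller_supplied_phone, are never
    consulted, so an attacker cannot steer the verification path.
    """
    emp = directory.get(req.claimed_user)
    if emp is None:
        return False, ["unknown user"]
    if req.action not in HIGH_RISK_ACTIONS:
        return True, ["low-risk action, outside this gate"]

    passed, failed = [], []

    # Check 1: callback to the number on record. Calling back a number the
    # caller supplied proves nothing, so the dialled number is compared with
    # HR data rather than with req.caller_supplied_phone.
    if (req.callback_answered_ok
            and req.callback_number_dialed == emp.phone_on_record):
        passed.append("callback to number on record confirmed")
    else:
        failed.append("callback to number on record")

    # Check 2: approval recorded by the manager's own login, not relayed by
    # the caller or by the agent on the manager's behalf.
    if req.manager_ack_ticket and req.manager_ack_by == emp.manager:
        passed.append("manager approval in ticket " + req.manager_ack_ticket)
    else:
        failed.append("manager approval")

    if not failed:
        return True, passed
    return False, ["missing: " + ", ".join(failed)]


if __name__ == "__main__":
    # Attacker scenario: the caller gives a "new" mobile number and the agent
    # calls it back. Someone answers, but it is not the number on record.
    attacker = PhoneRequest("j.smith", "mfa_reset",
                            caller_supplied_phone="+44 7700 900999",
                            callback_number_dialed="+44 7700 900999",
                            callback_answered_ok=True)
    print("attacker:", verify_phone_request(attacker))

    legit = PhoneRequest("j.smith", "mfa_reset",
                         callback_number_dialed="+44 7700 900123",
                         callback_answered_ok=True,
                         manager_ack_ticket="HD-1042", manager_ack_by="a.jones")
    print("legitimate:", verify_phone_request(legit))
```

In a real helpdesk tool the two check results would be populated by the ticketing system from the call record and the manager's approval action, not typed in by the agent, so that a persuasive caller cannot talk the agent into ticking the boxes.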
