Northwick

Inside the Northwick Engine Room

Lessons from the Jaguar Land Rover Cyberattack: A Wake-Up Call for CIOs and Business Leaders


The recent cyberattack on Jaguar Land Rover is a stark reminder that cybersecurity is no longer just an IT issue; it is a business continuity and economic security imperative.

A ransomware-style attack disrupted JLR’s IT systems, halting production for nearly six weeks and impacting thousands of suppliers. 

The Impact

  • Estimated losses: £50M/US$65M per week 
  • Total economic hit: £1.9B/US$2.53M 
  • Classified as a Category 3 systemic incident by UK authorities.

Root Cause

Initial Access Exploit

Attackers exploited an unpatched SAP NetWeaver installation used in JLR’s enterprise systems. This vulnerability had been flagged by security agencies earlier in the year, but it appears the patch was not applied. 

Credential Compromise

Infostealer malware harvested Jira credentials from employees, enabling attackers to infiltrate internal systems. This method aligns with tactics previously used by the HELLCAT ransomware group.

Advanced Persistent Threat Techniques

The attackers used MITRE ATT&CK techniques such as: 

  • T1078 (Valid Accounts) – leveraging stolen credentials 
  • T1190 (Exploit Public-Facing Application) – exploiting SAP vulnerabilities 
  • Lateral Movement via remote services and system tampering 
  • Deployment of custom malware for credential harvesting and data exfiltration.
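
The credential path described above (infostealer-harvested Jira logins reused as valid accounts, T1078) raises a practical question whenever staff credentials turn up in an infostealer feed: which of them still work? The sketch below is an added example, not code from this article or from JLR's investigation; the feed format, host name, usernames and field names are constructed assumptions.

```python
from datetime import date

# Constructed sample input: rows from an infostealer-log feed (hypothetical format).
EXPOSURES = [
    {"user": "a.khan", "host": "jira.example.internal", "captured": "2025-01-20"},
    {"user": "a.khan", "host": "jira.example.internal", "captured": "2025-02-10"},
    {"user": "b.lee", "host": "jira.example.internal", "captured": "2025-01-05"},
    {"user": "c.diaz", "host": "jira.example.internal", "captured": "2025-03-01"},
    {"user": "e.ng", "host": "jira.example.internal", "captured": "2025-02-01"},
    {"user": "x.old", "host": "jira.example.internal", "captured": "2025-02-14"},
]
# Constructed directory export: last password change, MFA state, account status.
ACCOUNTS = {
    "a.khan": {"password_changed": "2024-11-02", "mfa": False, "enabled": True},
    "b.lee": {"password_changed": "2025-01-15", "mfa": True, "enabled": True},
    "c.diaz": {"password_changed": "2024-06-30", "mfa": True, "enabled": True},
    "e.ng": {"password_changed": "2024-01-10", "mfa": False, "enabled": False},
}
RANK = {"critical": 0, "high": 1, "review": 2}

def triage(exposures, accounts):
    """Return (user, severity, reason) for each exposed login that may still work."""
    latest = {}  # user -> most recent capture date seen in the feed
    for row in exposures:
        seen = date.fromisoformat(row["captured"])
        latest[row["user"]] = max(seen, latest.get(row["user"], seen))
    findings = []
    for user, captured in latest.items():
        acct = accounts.get(user)
        if acct is None:
            # Not in the directory: possibly a local or orphaned application account.
            findings.append((user, "review", "no directory entry for exposed login"))
        elif not acct["enabled"]:
            continue  # disabled accounts cannot authenticate
        elif date.fromisoformat(acct["password_changed"]) > captured:
            continue  # rotated after capture; a same-day change is treated as exposed
        elif acct["mfa"]:
            findings.append((user, "high", "stolen password current; MFA is the only barrier"))
        else:
            findings.append((user, "critical", "stolen password current and no MFA"))
    return sorted(findings, key=lambda f: (RANK[f[1]], f[0]))

if __name__ == "__main__":
    for user, severity, reason in triage(EXPOSURES, ACCOUNTS):
        print(f"{severity:8} {user:8} {reason}")
```

Infostealers typically capture session cookies as well as passwords, so a reset for any flagged account should be paired with session and token revocation.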

Threat Actors

A group calling itself “Scattered Lapsus$ Hunters” claimed responsibility, suggesting collaboration between Scattered Spider, Lapsus$, and ShinyHunters, all known for ransomware and data theft campaigns.  

Earlier attacks in 2025 by the HELLCAT ransomware group also targeted JLR, exfiltrating sensitive documents and employee data.

Why It Was So Severe

JLR’s highly connected enterprise architecture, integrating IT, operational technology (OT), and global supply chains, created a massive attack surface. Once attackers gained access, they could disrupt production control systems and IT infrastructure simultaneously.

The timing coincided with the UK’s “New Plate Day”, amplifying financial losses as dealerships could not register or deliver vehicles.

Remediation

  • Phased recovery with government-backed £1.5B/US$2B loan guarantee 
  • Focus on Zero Trust, supply chain risk mapping, and resilience planning. 

Cost

Projected financial impact: £1.6B/US$2.1B to £2.1B/US$2.8B, excluding reputational damage.

Key Takeaway

Cyber resilience must be a board-level priority. CIOs and CISOs need to collaborate on proactive strategies because the next attack could be even bigger.

What’s your organisation doing to strengthen its cyber resilience?

Reach out to us via contactus@northwickcyber.com or visit our website at https://northwickcyber.com

 


About Us

Northwick Cybersecurity is a dedicated brand from Bushey Pty Ltd. that is focused on supporting your Cybersecurity needs and partnering to keep your business data and systems safe from data theft and breaches.

Contact Info

Level 1/9-11 Grosvenor St. Neutral Bay 2089 NSW Australia
