Hackers targeted JLR months before the cyberattack that shut down production

Open Editor’s Digest for free

Rula Khalaf, editor of the Financial Times, picks her favorite stories in this weekly newsletter.

Hackers appear to have targeted Jaguar Land Rover more than a year before the August cyberattack that forced the automaker to halt production, as investigators examine whether a state-backed actor or organized crime group was behind the hack.

Few details have emerged from the National Crime Agency’s investigation into the devastating attack JLR supply chain A raised State-backed loan worth £1.5 billion The British car manufacturer is owned by the Indian company Tata Motors. The National Cyber ​​Security Center is also participating in the investigation.

One person with direct knowledge of Jaguar Land Rover’s investigation into the attack said it had not ruled out the involvement of organized crime or state-backed agents.

A senior government figure added: “It is reasonably likely that a hostile state is behind this, although we don’t yet know either way.”

According to an analysis by cybersecurity consulting firm Deep Specter Research, the malicious activity targeting JLR appears to have begun around the time the automaker began replacing its digital and production systems with the help of various technology units of the Tata Group in late 2023.

The analysis found that large amounts of employee and customer information and other data were then leaked to the dark web several times in 2024, with details suggesting the data originated from Jaguar Land Rover’s systems.

According to Deep Specter, major data leaks were also spotted in 2024 in… Tata Consultancy Serviceswhich JLR uses for cybersecurity services. TCS declined to comment.

The August hack “certainly was not a spontaneous attack,” said Chaia Wiedemann, co-founder of Deep Specter and former head of information security at Porsche’s digital unit.

“We believe it was orchestrated by the state,” he added, citing the length of the campaign, the financial resources allocated and the level of infiltration, which led to Jaguar Land Rover production being halted for a month. JLR resumed production of the Range Rover and Range Rover Sport at its Solihull plant only last week.

However, other cybersecurity experts say it is unclear whether any previous leaks are linked to the August attack.

JLR said it was investigating the attack but declined to comment further. “Our focus is on safe recovery and recovery across our global operations,” she said.

Shortly after the attack, the pirates Calling himself “Rey”, he claimed to have hacked JLR’s systems. Cyber ​​experts said they believe Ray is the same person, previously linked to hacker group Hellcat, who claimed to have hacked JLR in March and stolen confidential data.

State-sponsored groups often try to cover their tracks by sharing access codes with others, Deep Specter said. Other cyber experts said hacker groups sometimes worked with or received support from larger criminal organizations.

A spate of recent cyber attacks on British companies, including retailers Marks & Spencer, Co-op and Harrods, has prompted Chancellor Rachel Reeves to warn that hostile countries are being involved.

“A number of these attacks are emanating from Russia by Russian-backed entities,” she recently told ITV News.

The spate of hacks has also led to scrutiny of Tata Consultancy Services, which provided services to recent victims including M&S, Co-op, Stellantis and Renault.

TCS cleared itself in an internal investigation and denied being used as a gateway for criminals in the M&S attack.

Some cyber experts have suggested that TCS’s broad market share in cybersecurity could explain its links to many of the companies that have been targeted.

Ciaran Martin, former chief executive of NCSC, said the JLR hack in August was unusual because so far few details have emerged about who did it and how it came to be.

“This attack could have been well planned and researched to see what damage they could do and how they could inflict maximum pain on Jaguar Land Rover,” said Martin, who is now a professor at Oxford University’s Blavatnik School of Government.

Wiedemann said the Jaguar Land Rover hack could expose the supply chain and other vulnerabilities across the sector, with Stellantis and Renault recently falling victim to data theft.

At the time of the attack, JLR did not have cyber security insurance Although it was in talks to buy the policy.

The company had warned in its 2024 annual report that: “Failure of critical infrastructure or applications could cause service interruptions across the Jaguar Land Rover enterprise, hindering our ability to conduct transactions or essential business activities.”

Any organization the size of Jaguar Land Rover will have cyber vulnerabilities, especially in manufacturing, said Jamie McCall, a senior researcher and cybersecurity expert at the Royal United Services Institute. “The question is how resilient they are when your system is actually compromised by a bad actor,” he added.

Additional reporting by Chris Kay in Mumbai