Cybercrooks ripped the wheels off at Jaguar Land Rover. Here's how not to get taken for a ride
- Reference: 1757491214
- News link: https://www.theregister.co.uk/2025/09/10/jaguar_key_lessons/
- Source link:
The attack, which began on August 31, stalled production and dealer operations across JLR's global network: the Solihull plant was shut down, and UK dealers were unable to register new vehicles or supply parts. The factories will reportedly remain closed until Wednesday at the earliest, according to [1]reports earlier this week.
Since the attack, a group calling itself "Scattered Lapsus$ Hunters" has claimed responsibility – the same group claiming to be behind the [3]Marks & Spencer breach. These hackers, believed to be teens, are now taunting the company and bragging about their actions on Telegram, sharing screenshots of information supposedly taken from inside JLR's IT systems.
What makes JLR's case noteworthy is its speed of response. The company quickly shut down IT across its distributed operations, presumably to stop the attackers moving laterally through its network and causing wider damage. It was disruptive, no doubt, but in the face of a live attack, it was a bold and necessary call.
Attacks on the manufacturing sector are not new. [4]In August 2023, US manufacturer Clorox suffered a breach that disrupted production, forced it to revert to manual order processing, and was traced back to a compromise via its third-party IT service provider. Third-party software suppliers have also been targeted. And Microsoft's troubles with the Russian state-backed "[5]Midnight Blizzard" attackers showed how even one overlooked legacy account can give attackers access to senior executives' inboxes and even source code.
The lesson is clear. It's not if an organization will be tested; it's when. So, how can businesses across the UK be better prepared?
1. Act quickly
JLR's swift action to isolate its systems likely limited the damage. Many organizations hesitate, paralyzed by the fear of disrupting business operations, but this delay can be catastrophic. Companies must pre-authorize who can isolate systems, revoke access, or shut down connections in the event of an attack. These decisions should be agreed upon at the board level and regularly rehearsed.
2. Diversify your tech stack
Many businesses rely entirely on Microsoft's ecosystem – 365, Azure, and Active Directory. While this offers seamless integration, it creates vulnerabilities, including increased supply chain risk and dangerous vendor lock-in.
Monocultures breed risk, and major software supply chain incidents are becoming more prevalent. When attackers compromise one component, Microsoft's deep interconnectedness lets them move laterally into other critical systems. In the "Midnight Blizzard" attack on Microsoft itself, a legacy, non-production test tenant account was the foothold; from there the attackers abused a legacy OAuth application that held elevated access to the corporate environment and used it to read senior executives' mailboxes.
Furthermore, companies shouldn't be forced to stay with vendors due to restrictive licensing and prohibitive switching costs. This lock-in problem is so severe that it has prompted significant regulatory scrutiny, but the Competition and Markets Authority (CMA) must go further on its enforcement, ensuring businesses can diversify without punitive exit costs.
3. Secure Active Directory
Attackers often target identity systems: on-premises Active Directory and Microsoft Entra ID, the identity service behind Microsoft 365. The Marks & Spencer breach reportedly involved the theft of the Active Directory database (NTDS.dit), which holds the password hashes of every account in the domain; with it, attackers can crack passwords offline or reuse the hashes directly in pass-the-hash attacks.
The Microsoft breach began with a simple "password spray" attack against a forgotten system: a legacy, non-production test tenant account that had no multi-factor authentication (MFA) at all. This highlights a foundational flaw. Businesses must eliminate weak and legacy authentication methods (basic-auth protocols such as IMAP, POP and authenticated SMTP cannot carry an MFA challenge) and roll out phishing-resistant logins, such as FIDO2 security keys, for all users. They also need robust monitoring for unusual sign-in patterns, for instance one source address failing against many different accounts in a short window. The Microsoft incident underscores that attackers will find and exploit the weakest link, no matter how small or seemingly insignificant.
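The two controls just described, spotting a spray and spotting successful logins over protocols that bypass MFA, are easy to check for in sign-in logs. The script below is an added example for this column, not code from the original page or from Microsoft; its records mimic the field names of Entra sign-in logs but are constructed, and the thresholds and the example.test accounts are assumptions.

```python
"""Triage of sign-in events for password-spray and legacy-auth activity.

Added example for this column; it is not code from the original page or
from Microsoft. The event fields mimic the shape of Microsoft Entra sign-in
logs (userPrincipalName, ipAddress, clientAppUsed, status.errorCode), but
every record below is constructed, and the thresholds are assumptions a
real deployment would tune to its own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra reports 0 for success and 50126 for a bad username/password.
SUCCESS = 0
BAD_CREDENTIALS = 50126

# Client types that cannot carry an MFA challenge (legacy/basic auth).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3",
                  "Authenticated SMTP", "Other clients"}

# Assumed detection policy: one source IP failing against this many distinct
# accounts inside the window is treated as a spray.
SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_ACCOUNTS = 5


def _ev(ts, user, ip, client, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "clientAppUsed": client,
            "status": {"errorCode": code}}


# Constructed sample: 203.0.113.7 tries five accounts once each, then logs
# into a forgotten test account over ActiveSync, which never prompts for MFA.
# 198.51.100.5 is a genuine user fumbling a password twice, not a spray.
SAMPLE_EVENTS = [
    _ev("2025-09-01T03:00:01Z", "alice@example.test", "203.0.113.7", "Browser", BAD_CREDENTIALS),
    _ev("2025-09-01T03:01:10Z", "bob@example.test", "203.0.113.7", "Browser", BAD_CREDENTIALS),
    _ev("2025-09-01T03:02:15Z", "carol@example.test", "203.0.113.7", "Browser", BAD_CREDENTIALS),
    _ev("2025-09-01T03:03:20Z", "dave@example.test", "203.0.113.7", "Browser", BAD_CREDENTIALS),
    _ev("2025-09-01T03:04:25Z", "erin@example.test", "203.0.113.7", "Browser", BAD_CREDENTIALS),
    _ev("2025-09-01T03:05:30Z", "legacy-test@example.test", "203.0.113.7", "Exchange ActiveSync", SUCCESS),
    _ev("2025-09-01T03:06:00Z", "bob@example.test", "198.51.100.5", "Browser", BAD_CREDENTIALS),
    _ev("2025-09-01T03:06:30Z", "bob@example.test", "198.51.100.5", "Browser", BAD_CREDENTIALS),
    _ev("2025-09-01T03:07:00Z", "bob@example.test", "198.51.100.5", "Browser", SUCCESS),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Map each spraying IP to the sorted list of accounts it failed against.

    A spray is low-and-slow per account but wide across accounts, so the
    signal is the number of *distinct* accounts per source IP in a sliding
    window, not the failure count per account (which lockout rules watch).
    """
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] != SUCCESS:
            failures[e["ipAddress"]].append((_ts(e["createdDateTime"]), e["userPrincipalName"]))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def legacy_auth_successes(events):
    """Successful sign-ins over protocols that bypass MFA entirely."""
    return [(e["userPrincipalName"], e["clientAppUsed"]) for e in events
            if e["status"]["errorCode"] == SUCCESS and e["clientAppUsed"] in LEGACY_CLIENTS]


def followups(events):
    """Successful legacy-auth logins from an IP that was spraying: the
    shape of the Midnight Blizzard foothold, and the first thing to chase."""
    sprays = detect_password_spray(events)
    return sorted(e["userPrincipalName"] for e in events
                  if e["ipAddress"] in sprays
                  and e["status"]["errorCode"] == SUCCESS
                  and e["clientAppUsed"] in LEGACY_CLIENTS)


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"password spray from {ip}: {len(users)} accounts targeted")
    for user, client in legacy_auth_successes(SAMPLE_EVENTS):
        print(f"legacy-auth success: {user} via {client}")
    for user in followups(SAMPLE_EVENTS):
        print(f"spraying IP then succeeded as: {user}")
```

The distinct-accounts-per-IP measure is the point: per-account lockout counters never fire on one attempt per account, which is exactly why sprays work. Against the constructed sample the spray detector flags 203.0.113.7 and ignores the legitimate user retrying from 198.51.100.5; the only legacy-auth success is the test account, and `followups` ties the two together.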
4. Understand who has access
A newer class of attack bypasses users entirely by exploiting the trust given to connected apps, as seen in the [10]Salesloft/Drift incident, where stolen OAuth tokens issued to the Drift integration were used to pull data from customers' Salesforce instances. OAuth tokens and app credentials, which grant one application access to another, must be treated like passwords: scoped to the minimum permissions the integration needs, rotated on a schedule, and monitored for use from unexpected places. Businesses need an inventory of which apps have access to their data and why that access is necessary.
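Turning "scoped tightly, rotated often, monitored" into something auditable means holding every app grant against a written policy. The script below is an added example for this column, not code from the original page or from any vendor: the grant records are constructed, the scope names stand in for whatever a tenant's own high-risk list is, and the 90-day and 180-day thresholds are assumptions.

```python
"""Policy review of third-party OAuth app grants.

Added example for this column; it is not code from the original page or
from any vendor. The grant records are constructed. In practice they would
be pulled from the identity provider's consent and credential inventory;
the scope names stand in for the tenant's own high-risk list, and the
thresholds are assumptions.
"""
from datetime import date

# Assumed policy. Application-level scopes that reach every mailbox or the
# whole directory are high-risk; a grant unused for 90 days is stale; a
# client secret older than 180 days is overdue for rotation.
HIGH_RISK_SCOPES = {"full_access_as_app", "Mail.ReadWrite",
                    "Directory.ReadWrite.All", "Sites.ReadWrite.All"}
STALE_DAYS = 90
SECRET_MAX_AGE_DAYS = 180

# Assumed "today" for the sample run.
REVIEW_DATE = date(2025, 9, 10)


def _grant(app, scopes, consent, last_used, secret_created):
    return {"app": app, "scopes": set(scopes), "consent": consent,
            "last_used": last_used, "secret_created": secret_created}


SAMPLE_GRANTS = [
    # A forgotten test app holding the broadest mail permission there is.
    _grant("Legacy Test App", {"full_access_as_app"}, "admin",
           last_used=date(2025, 3, 1), secret_created=date(2024, 1, 10)),
    # A chat-to-CRM integration with the narrow scopes it actually needs.
    _grant("Sales Chat Integration", {"api", "refresh_token"}, "admin",
           last_used=date(2025, 9, 9), secret_created=date(2025, 4, 1)),
    # Correctly scoped, in daily use, but its secret has never been rotated.
    _grant("Ticketing Sync", {"Mail.Read"}, "admin",
           last_used=date(2025, 9, 8), secret_created=date(2025, 1, 5)),
]


def review_grants(grants, today):
    """Return {app: [issues]} for every grant that breaks the policy above."""
    findings = {}
    for g in grants:
        issues = []
        risky = sorted(g["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            issues.append("high-risk scopes: " + ", ".join(risky))
        if (today - g["last_used"]).days > STALE_DAYS:
            issues.append(f"unused for more than {STALE_DAYS} days")
        if (today - g["secret_created"]).days > SECRET_MAX_AGE_DAYS:
            issues.append("secret overdue for rotation")
        if issues:
            findings[g["app"]] = issues
    return findings


def revoke_candidates(grants, today):
    """Stale grants carrying high-risk scopes: remove them rather than tidy
    them up, since nobody is using the access and an attacker could."""
    return sorted(g["app"] for g in grants
                  if g["scopes"] & HIGH_RISK_SCOPES
                  and (today - g["last_used"]).days > STALE_DAYS)


if __name__ == "__main__":
    for app, issues in review_grants(SAMPLE_GRANTS, REVIEW_DATE).items():
        print(app)
        for issue in issues:
            print("  -", issue)
    print("revoke:", revoke_candidates(SAMPLE_GRANTS, REVIEW_DATE))
```

The review is deliberately boring: three yes/no tests per grant, run on a schedule, with the output routed to whoever owns the app. Against the constructed inventory the forgotten test app fails all three tests and lands on the revoke list, the ticketing integration is fine except for a secret that was never rotated, and the narrowly scoped chat integration passes.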
5. Zero trust model
Adopting a Zero Trust model is also something that companies should be moving toward. The core idea is that no user, device, or system is trusted by default, and access is granted only when identity, posture, and context are verified. For well-established businesses with decades-old legacy systems, this is a significant undertaking, but it is a necessary one.
The final takeaway
JLR's quick decision to isolate its systems hopefully saved it from deeper harm. That decisiveness should serve as a model for other organizations. But containment alone is not enough.
The Microsoft "Midnight Blizzard" attack is a powerful case study in how a single unprotected legacy account, rather than any exotic vulnerability, can lead to a widespread and deeply damaging breach. Until businesses harden their identity systems, lock down integrations, and ensure they have choice over their tech providers to avoid vendor lock-in, these cyberattacks will keep coming.
Attackers need patience. Defenders need urgency. ®
Bill McCluggage is a technology advisor and senior exec. He served as the first Chief Information Officer for the Irish Government beginning in 2013, previously holding roles such as Deputy UK Government CIO, Executive Director for IT Policy & Strategy in the UK Cabinet Office, Director of eGovernment and CIO in Northern Ireland, and CTO for EMC (Dell EMC) Systems in the UK and Ireland.
[1] https://www.bbc.com/news/articles/c15k9gjg05go
[2] https://www.theregister.com/2025/07/23/lawsuit_clorox_vs_cognizant/
[3] https://www.theregister.com/2025/08/11/ms_restores_click_collect_following/
[4] https://www.theregister.com/2023/08/15/clorox_cleans_up_security_breach/
[5] https://www.theregister.com/2025/06/03/microsoft_crowdstrike_cybercrew_naming_clarity/
[7] https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/
[10] https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/
[11] https://www.theregister.com/2025/06/03/microsoft_crowdstrike_cybercrew_naming_clarity/
[12] https://www.theregister.com/2025/04/18/splintering_cve_bug_tracking/
[13] https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/
[14] https://www.theregister.com/2025/05/15/cyber_scum_attacking_uk_retailers/
At the very least remove their staff from the password reset process.
Only the Land Rover part of the business will be affected by the production shutdown. JaGUar don't produce actual cars at the moment, only an awful concept car and advertisements featuring dayglow clothed fashionistas. So, nothing of value will be lost by JaGUar.
I know a few people that work for one of their suppliers, they are furloughing workers due to lack of work.
Maybe add to this list
6. Don't rely on one manufacturer if you provide parts to the automotive sector
or work in the eggs or basket manufacturing industry?
My father worked for GKN Automotive Fasteners, which did not survive the decline in the UK car industry in the early 80s. If the order for the miniMetro had arrived six weeks earlier it might have saved the factory and several hundred jobs.
Jaguar was always a small, niche manufacturer. While they might not be assembling any cars at the moment, there is plenty of manufacturing and logistics needed for the existing fleet.
Air gap everything that can be air gapped.
Then
Listen to the IT security team who roll their eyes at the concept of an air-gapped network and tell you it's 2025 and everything is on the internet, but not to worry as they will protect you.
"Defenders need urgency. "
I think Defenders first and foremost need reliability - like the rest of the range.
Step 1. do not use TCS