Jaguar Land Rover (JLR) has been wrestling with the consequences of a cyberattack for almost a month now. It’s a huge problem that’s halted production and screwed up business not just for the automaker directly, but also for its many suppliers and distributors. You might not think a company as mature as JLR could be crippled for so long by a computer problem, but the deeply networked nature of the car business makes automakers especially susceptible to this type of trouble.
As The Guardian reported earlier this month, “Managers at a factory in Halewood, Merseyside, told industry contacts there might have been a hack—although it was not clear then just how bad the situation was.” Soon after, it seems that the company realized the incident was severe enough to effectively shut down its entire operation.
At the beginning of September, reports started circulating about a JLR cyberattack. Known (and feared) hacker groups Scattered Spider and LAPSUS$, operating as a combined entity identified as Scattered Spider Lapsus$ Hunters, claimed responsibility, sharing screenshots of the automaker’s background interface to prove access.
Cyfirma has the most comprehensive analysis I’ve found about what may have happened, from a technical exploit perspective. “The exposed code reveals authentication logic, which may include potential vulnerabilities in how user profiles are linked to vehicles,” the site reported. “This information could be used to reverse-engineer or exploit connected services, particularly if weaknesses exist in token handling or validation mechanisms.”

It’s unclear, and unlikely ever to be publicly reported by JLR, exactly how much of the disruption was a direct result of the attack versus how much was a preemptive shutdown to try to contain the unauthorized system access. There has also been some confusion about the motivation behind the hack, because so many wannabes falsely claimed responsibility in the aftermath. We haven’t seen any specific ransom price posted anywhere, nor has JLR shared anything along those lines.
But Land Rover factories (Jaguar isn’t building any cars right now) sitting idle is said to have cost the company as much as £50 million ($67 million) per week, according to the BBC. Last week, the British government’s Department for Business and Trade issued a statement acknowledging that the “recent cyber incident is having a significant impact on Jaguar Land Rover (JLR) and on the wider automotive supply chain.” There has been talk of the government subsidizing the situation by buying supply parts in the interim. It looks like factories still won’t be running again for at least a few more days, but the company is claiming it’s now on the road to recovery.
A spokesperson for JLR replied to my inquiries with this official statement:
“As part of the controlled, phased restart of our operations, today we have informed colleagues, suppliers and retail partners that sections of our digital estate are now up and running. The foundational work of our recovery programme is firmly underway.
- We have significantly increased IT processing capacity for invoicing. We are now working to clear the backlog of payments to our suppliers as quickly as we can.
- Our Global Parts Logistics Centre, which supplies the parts distribution centres for our retailer partners in the UK and around the world, is now returning to full operations. This will enable our retail partners to continue to service our clients’ vehicles and keep our customers mobile.
- The financial system we use to process the wholesales of vehicles has been brought back online and we are able to sell and register vehicles for our clients faster, delivering important cash flow.
These are important initial steps as our dedicated teams work around the clock alongside cybersecurity specialists, the UK Government’s NCSC and law enforcement to ensure we restart in a safe and secure manner. Our focus remains on supporting our customers, suppliers, colleagues and our retailers. We fully recognise this is a difficult time for all connected with JLR and we thank everyone for their continued support and patience.”

Now, a few sub-stories are circulating, like how JLR might not be insured for what just happened, that outsourced cybersecurity could have created vulnerabilities, and that technical mismanagement from top executives may have made it possible for hackers to work their way across the company’s platforms easily.
Well, not “easily,” per se. All the research I did, and the cybersecurity expert I chatted with (who spoke under the condition of anonymity), indicated that this hack was not the work of some lone basement-dweller messing around. The consensus is that the attack was carried out by a professional network of savvy actors, possibly preying on high-access accounts. JLR, it seems, was particularly vulnerable because of how its tech management is (or was) organized. As Forbes posted this week, “Tata allowed three directors to oversee both sides of related party transactions. Natarajan Chandrasekaran (Chandra) chairs the boards of Tata’s holding company and every subsidiary. Maybe worse, two of the other five non-executive Jaguar Land Rover directors, tech executive Al-Noor Ramji and supply chain maven Hanne Sorenson, also serve on TCS’s (Tata Consultancy Services’s) board.”
So—how the heck does a hack like this even happen?
Well, my new contact in cybersecurity told me to take any news about an attack, at this stage, with a grain of salt. But they also said that a few factors are almost definitely at play in an incident like this.
As far as access goes, a common entry point for a bad actor into a system is simple social engineering. Somebody places a call to an IT department in a panic, pretending to be someone important who needs to bypass things like two-factor login, and wiggles their way in. That’s not necessarily what happened here, but it certainly seems plausible given what’s been reported about the company’s tech management.
Then there’s the highly networked and globalized nature of the car business. As the expert told me, “An enterprise [the size of JLR] comprises of, typically, hundreds or thousands of systems that were never intended to work together, that you’re integrating through core security tools.”
You know how you can make accounts at all kinds of websites with your Google, Facebook, or Apple login? It’s the same with a large company, and a large company that works with other large companies is going to have an even more convoluted web with far more points of entry. JLR’s suppliers and product recipients will all have ways to log into the company’s proprietary systems, creating many vectors for intrusion.
As my contact put it, “in any large enterprise, a lot of those systems might be bought, might be old, might be built in-house, or might be a combination of all of those things. And a lot of times, older systems don’t have modern security conveniences built in. So you have this whole world, where, in order to do your job, you need to have your identity. Systems have to understand it so you can log in and do your job … so [hackers] like this tend to target people that have what we call ‘administrative access,’ ‘privileged access.’ So like, you might be able to log into a system that’ll show you your paycheck. [But someone] with administrative access might be able to log into the same system and determine who gets paid and how much. And so what [operations like] Scattered Spider tend to do is they look for people that they kind of know have privileged access. They can do large things. So they tend to look at people who run your identity and access management security tools or your clouds or other significant systems.”
Another thing this individual brought up is the huge speed differential between how fast a hacker can pull levers versus how fast a multinational megacorporation can make changes. Once granted access, a hacker can propagate themselves across a system rapidly, creating new logins and entryways. Meanwhile, a company like JLR, at a minimum, will have multiple stakeholders to confer with before making a decision as dramatic as taking factories offline. And a lot of companies, even in this era of digital everything, are simply not prepared to contend with this stuff.
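The chain the expert describes (a help-desk MFA reset on a high-access account, followed within minutes by that account creating new logins and handing out privileges) is a pattern an identity team can hunt for in its own audit logs. What follows is an added example, not code from the article, from JLR or from the expert; the event format, field names, privileged-account list and sample events are all constructed for illustration.

```python
"""Flag MFA resets on privileged accounts that are followed, within a short window,
by that same account creating users or granting roles (the 'new logins and
entryways' behaviour described above). Event schema is assumed, not JLR's."""
from datetime import datetime, timedelta

# Constructed sample identity-audit events (not real data).
EVENTS = [
    {"ts": "2025-09-01T08:02:00", "actor": "helpdesk.tier1", "action": "mfa_reset", "target": "iam.admin1"},
    {"ts": "2025-09-01T08:05:00", "actor": "iam.admin1", "action": "login", "target": "iam.admin1"},
    {"ts": "2025-09-01T08:09:00", "actor": "iam.admin1", "action": "user_create", "target": "svc-backup2"},
    {"ts": "2025-09-01T08:10:00", "actor": "iam.admin1", "action": "role_grant", "target": "svc-backup2", "role": "GlobalAdmin"},
    {"ts": "2025-09-01T09:30:00", "actor": "helpdesk.tier1", "action": "mfa_reset", "target": "payroll.user7"},
    {"ts": "2025-09-01T13:00:00", "actor": "payroll.user7", "action": "login", "target": "payroll.user7"},
]

# Assumed list of high-access identities (IAM, cloud and other significant systems).
PRIVILEGED = {"iam.admin1", "cloud.admin2"}
# Actions that create a new foothold or widen access.
SENSITIVE = {"user_create", "role_grant", "mfa_enroll"}


def find_suspicious_resets(events, privileged=PRIVILEGED, window=timedelta(hours=1)):
    """Return a list of (reset_target, follow_up_events) for every MFA reset on a
    privileged account that is followed within `window` by sensitive actions
    performed by that account. Events are sorted by timestamp first."""
    events = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(events):
        if ev["action"] != "mfa_reset" or ev["target"] not in privileged:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        followups = [
            f for f in events[i + 1:]
            if f["actor"] == ev["target"]
            and f["action"] in SENSITIVE
            and datetime.fromisoformat(f["ts"]) - t0 <= window
        ]
        if followups:
            hits.append((ev["target"], followups))
    return hits


if __name__ == "__main__":
    for account, follow in find_suspicious_resets(EVENTS):
        print(f"ALERT: MFA reset on {account} followed by {len(follow)} sensitive action(s)")
```

Tuning the window and the privileged set to the environment is the whole game; the reset on the payroll user is left alone because it is neither privileged nor followed by foothold-creating actions.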
It’s not like a car company can regularly run drills that stop its assembly lines—it’d cost a fortune. But that also leads to a level of unpreparedness that, when something does happen, creates the chaos that we’re seeing here.
My contact described this as “the next frontier that the adversaries are pushing us into,” meaning, large corporations are going to have to make serious practical investments in cybersecurity and disaster prep to keep up with bad actors in this space, or risk more events like this happening.
By the time JLR realized its computer system had an uninvited guest, it would have been extremely difficult or impossible to truly understand the extent of its penetration with complete certainty. That’s why the company went as far as to shut down its factories and operations, and why the mess is taking so long to clean up. A lot of the company’s digital infrastructure may have to be rebuilt, and its cybersecurity protocols are definitely going to need a revamping.