Pirates targeted “Jaguar Land Rover” months before the breach that paralyzed its production

Khaberni – It appears that Jaguar Land Rover was targeted by hackers more than a year before the cyberattack that occurred last August, which forced the luxury car manufacturer to halt production, as investigators determine whether a state-sponsored entity or an organized criminal group was behind the breach.

Few details have emerged from the investigation, led by the National Crime Agency, into the attack that disrupted Jaguar Land Rover’s supply chain, leading to the company—owned by Tata Motors of India—receiving a state-backed loan of 1.5 billion British pounds. The National Cyber Security Centre is also involved in the investigation.

A source directly acquainted with the Jaguar Land Rover investigation into the attack said that neither organized crime groups nor state-backed entities could be ruled out, according to a report seen by Financial Times and accessed by “Al Arabiya Business”.

A senior government official said, “It is reasonably likely that a hostile state is behind this, although we do not yet know which one.”

According to an analysis conducted by the cybersecurity consulting firm “Deep Specter Research,” malicious activity targeting Jaguar Land Rover seems to have begun when the automaker started replacing its digital and production systems with various tech units from the Tata group in late 2023.

The analysis found that large amounts of employee and customer data, along with other information, had been leaked to the dark web several times in 2024, with details indicating that the data originated from Jaguar Land Rover systems.

Large data leaks were also detected in 2024 at Tata Consultancy Services, which is used by Jaguar Land Rover for cybersecurity services.

Shaya Vidman, co-founder of “Deep Specter” and former head of information security at the digital unit of Porsche, said the August breach “was definitely not a spontaneous attack.”

He added, “We believe it was orchestrated by a state,” pointing to the length of the campaign, allocated financial resources, and the level of penetration that halted Jaguar Land Rover’s production for a month. The company only resumed production of the Range Rover and Range Rover Sport at its Solihull plant last week.

However, other cybersecurity experts say it is unclear whether any previous leaks are related to the August attack.

“Jaguar Land Rover” said it is investigating the attack but declined to comment further. It added, “Our focus is on recovery and safe return across all our global operations.”

Shortly after the attack, a hacker who goes by the name “Rey” claimed to have breached Jaguar Land Rover systems. Cybersecurity experts believe “Rey” is the same individual previously linked to the hacker group “Hellcat” and claimed to have hacked “Jaguar Land Rover” in March, stealing confidential data.

“Deep Specter” said that state-sponsored groups often try to conceal their tracks by sharing access codes with others. Other cybersecurity experts said that hacker groups sometimes operate with larger criminal organizations or receive support from them.

A recent spate of cyberattacks on British companies, including retail stores “Marks & Spencer,” “Co-op,” and “Harrods,” prompted Finance Minister Rachel Reeves to warn against involvement by hostile states.

Reeves recently said, “A number of these attacks originate from Russia by entities backed by Russia.”

The wave of breaches has led to scrutiny of Tata Consultancy, which provided services to companies that were recently targeted, including “Marks & Spencer,” “Co-op,” “Stellantis,” and “Renault.”

Some cybersecurity experts noted that Tata’s significant share in the cybersecurity market could explain its connection with many of the targeted companies.