The August 31 cyberattack that has paralyzed Jaguar Land Rover’s global production line for over three weeks is a stark reminder of the manufacturing sector’s exposure to cyber risks stemming from IT-OT convergence.
Jaguar Land Rover is in the grips of a massive cyberattack that has forced global production shutdowns for the past month, rippling through its vast supply-chain network. Early reporting links the breach to an emerging alliance of Gen Z English-speaking cybercriminal groups. Claims have emerged on cybercriminal Telegram channels that the JLR hackers exploited a zero-day in SAP NetWeaver—an entry point that underscores the fragility of IT-OT convergence in modern manufacturing environments. With daily sales losses exceeding $97 million and thousands of supplier jobs at risk, the attack highlights how operational dependence on tightly integrated IT and OT systems magnifies disruption. As adversaries increasingly target manufacturing with ransomware, supply-chain compromises, and living-off-the-land techniques, the JLR incident illustrates a sobering reality: the manufacturing sector’s interconnected digital transformation has expanded the attack surface faster than defensive controls can manage.
The latest reporting from the Financial Times cites an estimate from a University of Birmingham professor that pegs JLR’s breach-related profit losses at over $1.7 billion—and that’s just from immediate operational disruption and lost sales. Additionally, on September 28, the British government announced that it would guarantee a loan of up to £1.5 billion (~$2 billion) to JLR in a bid to 'give certainty to its supply chain' following the attack, according to a press release.
This devastating cyberattack also illustrates the rapidly growing threat posed by a new generation of English-speaking cybercriminals, namely the reported alliance between three notorious groups largely composed of teen and twentysomething digital deviants: Scattered Spider, Lapsus$, and ShinyHunters.
This allegedly allied trio, which has recently been in the news for a sprawling Salesforce supply-chain attack campaign, claimed responsibility for the JLR breach in a since-banned Telegram channel called “Scattered Lapsus$ Hunters” and in a hoax “retirement” message published on a revived Breach Forums.
To date, there is no evidence that the JLR cyberattack is related to the Salesforce campaigns. In fact, an affiliated threat actor posted in the group’s since-banned Telegram channel that this breach was enabled by a zero-day exploit targeting the SAP NetWeaver application, a topic we will elaborate on later in this post. Additionally, JLR had been the target of multiple data breaches earlier this year, with threat actors linked to the HellCat ransomware group leaking hundreds of gigabytes of sensitive company data on the dark web, noted Resecurity research.
According to The Conversation, the intrusion forced the automaker to shut down its manufacturing plants in the UK, Slovakia, Brazil, India and China beginning on August 31. Normally, JLR, which is owned by Indian conglomerate Tata Motors, makes around 1,000 cars a day within its three British factories, with the average price of a new vehicle listed around $97,000, reported The Conversation.
With the production shutdowns, JLR is missing out on daily sales of some $97 million, and profits of $6.75 million a day, The Conversation said. On September 23, JLR issued a statement saying that they expected the production shutdown to persist at least until October 1.
Wired reported that the knock-on impacts of the “breach are being felt at the hundreds of companies that supply JLR with parts and materials and risk turning the attack into a full-blown crisis.”
Some firms have reportedly already laid off staff, with the Unite union claiming that workers in the JLR supply chain “are being laid off with reduced or zero pay.” Meanwhile, some of these displaced auto workers have been told to sign up for government benefits, Wired said.
On September 19, the UK’s Department of Business and Trade and the Society of Motor Manufacturers and Traders issued a joint statement on the cyber incident that said the breach has had a “significant impact on Jaguar Land Rover (JLR) and on the wider automotive supply chain.”
Part of the reason that this production shutdown has created such a crisis in the British auto sector is that these expansive auto supply-chain networks often rely upon so-called “just-in-time” manufacturing, according to Wired.
Wired noted that this term refers to a practice where “manufacturers order parts and services to be delivered in the specific quantities that are needed and exactly when they need them—large stockpiles of parts are unlikely to be held by auto makers.” Plant systems, which rely on deeply converged IT platforms and OT assets, are central to proper supply-chain tracking and planning.
Wired also noted that JLR is “one of the UK’s biggest employers, with around 32,800 people directly employed in the country.” Additionally, stats listed on JLR’s website also claim the automaker supports another 104,000 jobs through its UK supply chain and another 62,900 jobs “through wage-induced spending,” reported Wired.
The fact that thousands of jobs have been put at risk, whether temporarily or permanently, by the JLR cyberattack signifies “a different order of magnitude” to previous high-profile breaches, according to a RUSI think tank researcher interviewed by Wired.
Making matters even worse for the automaker, Reuters reported that JLR had “failed to finalize a cyber insurance deal brokered by Lockton ahead of the incident, and the company appears to be uninsured directly for the attack.”
The JLR attack stands out as the most devastating episode yet in a broader trend: manufacturing has become adversaries’ leading target. According to BitSight’s 2025 State of the Underground report, the manufacturing sector was the “most targeted industry for the third consecutive year, accounting for 22% of the 4,853 cyberattacks where sector attribution was possible.”
Additionally, between 2024 and early 2025, Forescout Technologies research uncovered a 71 percent increase in threat actors targeting manufacturing entities, along with 29 unique adversary groups actively attacking the sector.
Of the threat actors tracked by Forescout, 79 percent were cybercriminals, and 45 percent were ransomware gangs. Additionally, RansomHub was the most active threat group with 78 victims. Other highly active ransomware-as-a-service (RaaS) groups observed by Forescout were Akira, LockBit, Play, and Clop.
Forescout also analyzed 17 significant incidents impacting manufacturing victims and highlighted the following sector-specific attack trends:
Manufacturers have become prime targets for attackers because they rely on continuous uptime and uninterrupted operations to “meet production targets, fulfill contracts, and avoid costly delays,” according to Hitachi Cyber.
Additionally, the ripple effects of an attack on a large manufacturer can be particularly severe due to the industry’s foundational role in global supply chains. As the JLR disaster illustrates, operational stoppages at a handful of key facilities can cascade into widespread shortages, lost output, and delayed product deliveries across industries and continents.
Attackers have thus realized that they can weaponize manufacturing victims’ inherently strict operating needs and fragile supply-chain dependencies against them. Specifically, attackers have determined that causing a production shutdown, like the one JLR is currently enduring, can help coerce victims into making a ransom payment more quickly and predictably.
Manufacturers have also become increasingly vulnerable to cyberattacks due to the accelerating trend of IT-OT convergence. According to Palo Alto Networks, IT-OT convergence is the “integration of data management systems (IT) with industrial operation systems (OT).”
Palo Alto noted that this integration enables “real-time data exchange, enhancing the efficiency and effectiveness of both systems.” By integrating their IT and OT networks manufacturers can optimize cost efficiencies via “improved decision-making and operational processes, grounded in accurate, timely data.”
However, this rapidly growing convergence materially expands manufacturers’ attack surface and leaves their operations increasingly exposed to disruption. OT environments that were once isolated have now inherited the vulnerabilities and threat pathways of the interconnected IT systems they are joined to.
As digital transformation initiatives drive integration of cloud, industrial Internet of Things (IIoT), and supply-chain automation, legacy industrial control systems (ICS) are frequently brought online with inadequate defensive controls, creating easy vectors for attackers.
However, there is no proof that JLR’s OT systems themselves were directly exploited by the Shiny/Scattered/Lapsus$ threat actors. Still, there are multiple indicators that this breach could have been partially enabled by an SAP NetWeaver exploit, including a Telegram post earlier this month in which an affiliated Scattered/Lapsus$/Shiny threat actor claimed that this was the attack vector.
Going back further, the SCATTERED LAPSUS$ HUNTERS Telegram channel published a proof of concept (PoC) for an SAP NetWeaver flaw, billed as a zero-day, in August; the PoC has since been uploaded to GitHub. According to IBM X-Force, “many industrial organizations leverage SAP for enterprise resource planning (ERP) and supply chain management (SCM), which may interface directly with or indirectly influence OT systems.”
The vulnerability exploited by this PoC is CVE-2025-31324, a critical NetWeaver Visual Composer vulnerability (a missing authorization check on the Metadata Uploader) that lets unauthenticated attackers upload arbitrary files to the SAP Java stack, which is enough for remote code execution. One caveat on the “zero-day” label: SAP disclosed and patched CVE-2025-31324 in April 2025, so by August it was a known vulnerability with public exploitation, and an unpatched or late-patched system is a more likely explanation than a novel flaw, unless the group also holds an undisclosed bug. Public advisories and threat reports show active exploitation in the wild; IBM X-Force rated this CVE the second-most exploited security flaw with potential OT/ICS impact in the first half of 2025.
While this exploit wouldn’t necessarily target OT systems directly, here is how an attack chain starting from it could have led to such a sweeping operational shutdown at JLR.
Attackers exploit the SAP metadata uploader bug to drop a malicious file (e.g., a web shell) on the server without needing credentials.
They trigger the uploaded file, gaining remote execution on the SAP Java stack. From here, they can explore the system and steal data like configs or credentials.
Because SAP servers often connect to ERP, databases, file shares, and Active Directory (AD), attackers can use harvested accounts to spread deeper into IT systems.
With access to AD or orchestration tools, they can disrupt logins, payments, scheduling, or ERP functions. Even without hitting factory controls directly, losing these systems forces production stoppages.
Once in control, attackers may encrypt systems or steal data to extort the company, further slowing recovery.
Disrupted identity services, encrypted files, or offline ERP/payment systems cascade into halted production lines, dealer portals, and supplier payments — exactly the kind of IT outage and shutdown Jaguar Land Rover experienced.
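As an added example (not code from the original post, from JLR, or from SAP), the Python below runs a simple detection over SAP Java HTTP access-log lines for the first two steps of that chain: a probe of the Metadata Uploader, an accepted upload, and the follow-on request for a dropped JSP. It assumes the vulnerable endpoint path /developmentserver/metadatauploader from the public advisories, a simplified “client_ip method path status” log form, and an internal allowlist of 10.0.0.0/8; the log lines themselves are constructed for the example.

```python
"""
Added example: flag CVE-2025-31324 exploitation patterns in SAP NetWeaver
Java HTTP access logs. Not from the original post or from SAP.

Assumptions for this example: the vulnerable endpoint is
/developmentserver/metadatauploader; logs are in the simplified
"<client_ip> <METHOD> <path> <status>" form; INTERNAL_NETS is a
constructed allowlist of ranges that legitimately reach the J2EE stack.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Endpoint behind CVE-2025-31324 (Visual Composer Metadata Uploader).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumed: a direct request for a JSP at the portal root is unusual; the
# portal is normally reached via /irj/portal, not /irj/<file>.jsp.
PORTAL_JSP_RE = re.compile(r"^/irj/[^/]+\.jsp$", re.IGNORECASE)

# Constructed allowlist of ranges that may legitimately reach the J2EE stack.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Simplified log form used for this example.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    status: int
    severity: str  # critical / high / medium
    reason: str


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in INTERNAL_NETS)


def analyze_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not in the expected shape; skip rather than guess
    ip, method, status = m["ip"], m["method"], int(m["status"])
    path = m["path"].split("?", 1)[0].rstrip("/")  # drop query string, trailing slash
    external = not is_internal(ip)

    if path.lower() == UPLOADER_PATH:
        if method == "POST" and status in (200, 201):
            return Finding(ip, method, path, status,
                           "critical" if external else "high",
                           "upload accepted by unauthenticated metadata uploader")
        if method == "POST":
            return Finding(ip, method, path, status, "medium",
                           "upload attempt rejected; possible probe or failed exploit")
        if method in ("GET", "HEAD") and status == 200:
            return Finding(ip, method, path, status,
                           "high" if external else "medium",
                           "uploader reachable without authentication (exposure probe)")
        return None

    if PORTAL_JSP_RE.match(path) and status == 200 and external:
        return Finding(ip, method, path, status, "medium",
                       "direct JSP request at portal root; check for dropped web shell")
    return None


def analyze(lines: Iterable[str]) -> list[Finding]:
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample: a probe, an accepted upload and the shell being invoked,
# all from one external address, plus benign and failed internal traffic.
SAMPLE_LOG = """\
203.0.113.7 GET /developmentserver/metadatauploader 200
203.0.113.7 POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL 200
203.0.113.7 GET /irj/helper.jsp?cmd=id 200
10.20.30.40 GET /irj/portal 200
10.20.30.40 POST /developmentserver/metadatauploader 403
198.51.100.9 GET /irj/portal 302
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity.upper():8}] {f.ip} {f.method} {f.path} {f.status}: {f.reason}")
```

Map the real ICM/J2EE HTTP access log fields into that form before running it. An accepted POST to the uploader from any address is worth treating as a presumed compromise, and a direct JSP hit at the portal root from the same client is the follow-on to reconcile against the files actually present in the portal’s JSP root on disk.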
It’s important to remember that the proposed attack chain is only theoretical at this stage. The possibility remains that the JLR threat actors did in fact manage to pivot into and sabotage highly specialized plant OT environments.
While InfraShield cannot conclusively say the above attack chain caused the rapidly spiraling cyber crisis at JLR and its broader supply chain, conversations with leading cyber threat intelligence (CTI) specialists inform our view that an SAP NetWeaver exploit is a possible culprit behind the carnage.
As incident responders investigate the root cause of the breach, it’s also important to consider the massive data leaks that surfaced in March, exposing hundreds of gigabytes of sensitive JLR data. In theory, attackers could have also operationalized sensitive data leaked on the Dark Web in the furtherance of the breach.
In their latest manufacturing cyber threat report, Forescout said they anticipate an increase in ransomware attacks targeting the sector, a heightened targeting of OT assets (as adversaries become more familiar with these environments), and more breaches influenced by geopolitics.
To the last point, there is little doubt in any security practitioner’s mind that nation-state actors are closely watching the catastrophic impact of the JLR breach on the UK’s auto sector. The notion that such a disaster could be orchestrated by a group of financially motivated Gen Z cybercriminals is astonishing, but nevertheless appears to be true.
Still, research from IBM X-Force said that CVE-2025-31324, the flaw that may have played a part in the JLR breach, has been aggressively exploited by Chaya_004, “a Chinese threat actor.” Additionally, the most-exploited flaw with potential OT/ICS impact that IBM X-Force observed in the first half of 2025, CVE-2025-0282 (an Ivanti Connect Secure vulnerability), has reportedly been exploited by UNC5221, a “suspected China-nexus espionage actor.” So, the geopolitical stakes are indeed rising.
In this elevated threat environment, Forescout recommends that manufacturing firms take the following steps to protect their organizations. The first step is developing a complete inventory of network assets, identifying risk levels, and addressing known vulnerabilities. By prioritizing patching for internet-facing systems such as VPNs, RDP, and firewalls, enforcing strong password policies, and enabling multi-factor authentication (MFA), organizations can reduce common attack vectors and harden their defenses.
Visibility across both IT and OT environments is also critical. Comprehensive logging through EDR solutions or native logging capabilities ensures activity is captured and monitored. Coupling this with security information and event management (SIEM) platforms and advanced threat detection tools helps identify “living off the land” (LOTL) techniques and other anomalies before they escalate into full-scale incidents.
Protecting the IT/OT boundary is another key priority. Proper network segmentation and monitoring of cross-boundary traffic limit opportunities for exploitation. At the same time, addressing supply chain risk by enforcing baseline security standards for software and service providers—and monitoring for breaches in third-party tools—helps reduce external points of compromise.
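As an added example (not from the original post or from Forescout), the Python below shows what monitoring cross-boundary traffic against a conduit allowlist looks like in practice. The zone CIDRs, allowed conduits and flow records are all constructed for the illustration; the zone/conduit model follows IEC 62443, and the checks single out the two couplings the JLR discussion turns on: IT hosts reaching straight into OT, and OT assets depending on corporate services such as Active Directory.

```python
"""
Added example: evaluate flow records against an IT/OT zone-and-conduit
policy and report boundary crossings that are not on the allowlist.
Not from the original post or from Forescout.

Everything below (zone CIDRs, conduits, flows) is constructed for the
example and does not describe JLR's network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed zone map. A zone groups assets with the same protection needs;
# a conduit is an explicitly permitted path between two zones.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "corp-it": [ipaddress.ip_network("10.10.0.0/16")],
    "idmz":    [ipaddress.ip_network("10.50.0.0/24")],    # industrial DMZ between IT and OT
    "ot-site": [ipaddress.ip_network("192.168.100.0/22")],
}

# Constructed conduit allowlist: (src_zone, dst_zone, proto, dst_port).
ALLOWED_CONDUITS: Set[Tuple[str, str, str, int]] = {
    ("corp-it", "idmz", "tcp", 443),    # ERP/MES reads replicated historian data
    ("ot-site", "idmz", "tcp", 5450),   # OT historian collector pushes into the DMZ mirror
    ("idmz", "ot-site", "tcp", 3389),   # jump host RDP into the cell (brokered, not direct)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Violation:
    flow: Flow
    src_zone: str
    dst_zone: str
    reason: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"  # anything not in a defined zone


def parse_flow(line: str) -> Optional[Flow]:
    # Simplified record form used here: "<src_ip> <dst_ip> <proto> <dst_port>"
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return Flow(parts[0], parts[1], parts[2].lower(), int(parts[3]))


def check_flow(flow: Flow) -> Optional[Violation]:
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not a boundary crossing
    if (src_zone, dst_zone, flow.proto, flow.dst_port) in ALLOWED_CONDUITS:
        return None
    if "ot-site" in (src_zone, dst_zone) and "external" in (src_zone, dst_zone):
        reason = "OT asset exchanging traffic directly with an external address"
    elif src_zone == "corp-it" and dst_zone == "ot-site":
        reason = "direct IT-to-OT path that bypasses the DMZ"
    elif src_zone == "ot-site" and dst_zone == "corp-it":
        reason = "OT asset depends on a corporate service; an IT outage stops the cell"
    else:
        reason = "cross-zone flow not on the conduit allowlist"
    return Violation(flow, src_zone, dst_zone, reason)


def evaluate(lines: Iterable[str]) -> List[Violation]:
    violations: List[Violation] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        v = check_flow(flow)
        if v is not None:
            violations.append(v)
    return violations


# Constructed flow records: two allowed conduits, an engineer RDPing straight
# into OT, an HMI authenticating to a corporate DC (Kerberos), an HMI reaching
# the internet, and Modbus traffic that stays inside the cell.
SAMPLE_FLOWS = """\
10.10.5.20 10.50.0.10 tcp 443
192.168.101.7 10.50.0.10 tcp 5450
10.10.7.33 192.168.101.7 tcp 3389
192.168.100.50 10.10.1.5 tcp 88
192.168.100.50 203.0.113.44 tcp 443
192.168.100.50 192.168.100.51 tcp 502
"""

if __name__ == "__main__":
    for v in evaluate(SAMPLE_FLOWS.splitlines()):
        f = v.flow
        print(f"{v.src_zone} -> {v.dst_zone}: {f.src} -> {f.dst} {f.proto}/{f.dst_port}: {v.reason}")
```

The same allowlist can be fed back into the boundary firewall as the deny-by-default rule set; the value of running it over observed flows first is that it surfaces the undocumented dependencies (an HMI that authenticates against the corporate domain, for instance) that would otherwise be discovered only when the IT side goes down.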
Manufacturers must also prepare for resilience. Maintaining immutable, offline backups and testing recovery processes ensures rapid restoration in the event of a ransomware or data encryption attack. Meanwhile, leveraging tailored threat intelligence keeps organizations aware of adversary tactics, techniques, and procedures (TTPs) relevant to OT environments. This intelligence can also support the creation of OT-specific incident response playbooks, minimizing mean time to detect and respond.
Finally, as new technologies are adopted in manufacturing environments, security must not lag behind. Performing comprehensive risk assessments prior to deployment, holding vendors accountable to security maturity requirements, and implementing monitoring for novel attack vectors are essential steps to protect both legacy and emerging systems.
Now is the time to act. InfraShield specializes in helping manufacturing organizations evaluate and strengthen their OT security postures. Engage with our experts today to assess your defenses, close vulnerabilities, and build resilience against tomorrow’s threats.