Jaguar Land Rover (JLR), the U.K.-based automaker owned by Tata Motors, has extended production shutdowns after a cyberattack that disrupted global operations, halted manufacturing, and sent ripples across its supply chain. The company has shut down its IT networks in response to the attack. Industry sources have, in the meantime, warned that the disruption could last into November. A hacker group known for social-engineering campaigns has claimed responsibility.
“Today we have informed colleagues, suppliers and partners that we have extended the current pause in our production until Wednesday 24th September 2025,” according to a Tuesday statement from Jaguar Land Rover. “We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time.”
The statement added, “We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”
According to Sophos researchers, a group claiming ties to Scattered Spider, Lapsus$, and ShinyHunters has taken credit for the attack. Scattered Spider has been linked to a recent surge of social-engineering campaigns aimed at retailers and other businesses in the U.S., the U.K., and beyond.
The hackers allegedly behind the Jaguar Land Rover intrusion said they disabled some of their infrastructure last week, amid suspicion that law enforcement was drawing closer to their operation. Security and law-enforcement experts warned, however, that the group’s claims were likely a diversion.
Chris McDonald, minister in the Department of Business and Trade, told Reuters he had met the company on Tuesday to ‘discuss their plans to resolve this issue and get production started again.’
“Our cyber experts are supporting JLR to help them resolve this issue as quickly as possible,” he added.
The attack triggered an urgent debate in the House of Commons. MPs drew comparisons to recent cyber incidents at Marks & Spencer, the NHS, and the British Library, raising alarms about the U.K.’s wider resilience.
The Minister stressed that cyber security is a ‘top priority for government’ and highlighted measures such as the Product Security and Telecommunications Infrastructure Act, the AI Cyber Security Code of Practice, and the Cyber Essentials scheme. Yet opposition MPs warned that the attack on a flagship manufacturer revealed systemic vulnerabilities, both in government preparedness and in industry adoption of resilience tools.
On Sept. 1, Jaguar Land Rover detected an intrusion in its IT systems and responded by shutting systems down to contain the damage. Sales, registration, and production lines were brought to a standstill. The company stressed that there is no evidence that customer data was stolen, though it acknowledged ‘some data’ was impacted and regulators have been notified.
“Since we became aware of the cyber incident, we have been working around the clock, alongside third‑party cybersecurity specialists, to restart our global applications in a controlled and safe manner,” the automaker said in a Sept. 10 statement. “As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators. Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted.”
The shutdown, now extended through Sept. 24, is proving costly. JLR’s three UK plants produce around 1,000 vehicles daily, and each day of downtime amounts to millions in lost revenue. Suppliers across Europe have also been forced to scale back or pause production, underscoring how a breach in one manufacturer cascades through the automotive ecosystem.
While Jaguar Land Rover has invested heavily in IT transformation, including an £800 million cybersecurity and IT support contract with Tata Consultancy Services, the cybersecurity incident illustrates how even robust investments can falter against determined attackers. The technical picture remains unclear, but available details suggest a ransomware operation or a destructive intrusion targeting core IT assets.
The decision to power down systems points to attackers reaching sensitive infrastructure, raising the possibility of IT-OT crossover. Automotive production depends on tightly integrated manufacturing execution systems, logistics platforms, and supplier portals. Disruption in any of these could halt assembly lines, even without direct compromise of OT (operational technology) environments.
“It is possible that Scattered Lapsus$ Hunters used Jaguar Land Rover data obtained from earlier attacks on CRM and Database managers to make its vishing campaign more targeted and lethal,” Prayukth KV wrote in a Shieldworkz blog post last week. “Once the attack succeeded, the threat actor went about following its TTP playbook to move across the JLR’s network and escalate privileges across one or more key applications. Several queries for data theft were then deleted using TOR IP addresses. TOR traffic may have been blended with regular traffic to avoid detection. Data was also possibly exfiltrated via TOR exit nodes.”
He added that the origins of the attack can be traced back to a social-engineering/vishing campaign that threat actor ShinyHunters ran a few weeks ago. “ShinyHunters is known to target well-known brands globally across campaigns. The group began its activities by targeting known vulnerabilities across cloud applications and restricted-use databases, and then decided to change tracks when it realized its activities were not yielding the level of results it sought for.”
“ShinyHunters, in association with another threat actor, Scattered Spider, then began going after large-scale corporate database managers in order to get more relevant data and credentials,” according to Prayukth. “Scattered Lapsus$ Hunters (AKA SCATTERED SP1D3R HUNTERS AKA THE COMHQ), a group within ShinyHunters decided to use the database stolen by ShinyHunters to run large-scale ransomware campaigns targeting major global brands. It is one of these very campaigns that contributed to this attack on Jaguar Land Rover.”
He added that Scattered Lapsus$ Hunters is nothing but another brand identity of ShinyHunters and possibly a rebranded variant of AlphV. “The constant rebranding is designed to keep law enforcement agencies busy chasing empty trails. In fact, when one analyses the communications of these three threat groups, there is very little effort being placed in disguising their common origin.”
Prayukth also allowed that the three groups may not just be sharing members but may be operating under a single banner, directed by a single set of masterminds. “Since Scattered Lapsus$ Hunters also operates a Ransomware-as-a-service, it is possible that stolen credentials are being actively traded by this group. Scattered Lapsus$ Hunters has also placed a ransom threat to Google, asking them to fire two key security researchers and abandon an ongoing investigation against them or risk a potential data leak.”
He added that they are also known to run campaigns on social media to determine their next targets. “A recent campaign had them asking followers to indicate if they wanted to target the world’s largest beverage company and a food delivery service in India. Both these companies have been subsequently targeted by the group.”
