Date of Incident: 2025-09-02
Overview:
In September 2025, Jaguar Land Rover experienced a significant cyberattack that disrupted production and resulted in data theft. The attackers gained initial access through valid accounts and exploitation of public-facing applications, then moved laterally within the network and deployed custom malware for credential harvesting and data exfiltration. Indicators of compromise include specific IP addresses, domains, and file hashes. The breach is under investigation, authorities have been notified, and the case serves as a cautionary tale for similar companies in the manufacturing sector.
Impact:
The attack severely disrupted production activities; some data was stolen in the breach; the investigation is ongoing and authorities have been notified.
Details:
The attack involved exploitation of vulnerabilities mapped to MITRE ATT&CK techniques such as T1078 (Valid Accounts) and T1190 (Exploit Public-Facing Application) to gain initial access, followed by T1021 (Remote Services) and T1569 (System Services) for lateral movement within Jaguar Land Rover’s network. The attacker deployed custom malware with behaviors including credential harvesting, data exfiltration using encrypted channels, and tampering with production control systems. IOCs include IP addresses 192.0.2.45 and 203.0.113.88, domain jlr-malicious.com, hashes fd4e2b9f6aef4c8d217bb73931a8cd9f and 45e7c9a8a9f3ab72bbd02a8b849dec1b, and registry edits in HKLM\Software\JLR\Config. Log artifacts indicate repeated failed login attempts followed by successful access from unusual geographic locations, and anomalous outbound traffic spikes around the time of the breach.
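As an added example that is not part of the original write-up: a small Python detector that applies the IOCs quoted above (the two IP addresses, the domain and the two hashes) and the described log pattern (repeated failed logins followed by a success from an unusual location, and an outbound traffic spike) to constructed sample log lines. The log line formats, the thresholds, the list of expected countries and the sample data are assumptions made for the example; only the IOC values come from the page.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# IOCs as quoted in the Details section above.
IOC_IPS = {"192.0.2.45", "203.0.113.88"}
IOC_DOMAINS = {"jlr-malicious.com"}
IOC_HASHES = {"fd4e2b9f6aef4c8d217bb73931a8cd9f",
              "45e7c9a8a9f3ab72bbd02a8b849dec1b"}

# Hypothetical tuning values; a real deployment derives these from its own baselines.
FAIL_THRESHOLD = 5              # failures before a success that look like a brute force
WINDOW = timedelta(minutes=15)  # look-back window for those failures
EXPECTED_GEOS = {"GB", "DE"}    # countries staff normally authenticate from
SPIKE_FACTOR = 3.0              # outbound bytes per hour vs. median of the other hours

# Assumed log formats (constructed for this example).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>success|failure) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow dir=out dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def detect_suspicious_logins(lines):
    """Flag a successful login that follows many failures for the same user,
    comes from an unexpected country, or comes from a listed IOC address."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, src, geo = m["user"], m["src"], m["geo"]
        if m["result"] == "failure":
            failures[user].append(ts)
            continue
        recent = [t for t in failures[user] if ts - t <= WINDOW]
        reasons = []
        if len(recent) >= FAIL_THRESHOLD:
            reasons.append(f"{len(recent)} failures within {WINDOW}")
        if geo not in EXPECTED_GEOS:
            reasons.append(f"unexpected geo {geo}")
        if src in IOC_IPS:
            reasons.append("source IP is a listed IOC")
        if reasons:
            alerts.append({"user": user, "src": src, "reasons": reasons})
        failures[user].clear()
    return alerts


def detect_outbound_spikes(lines):
    """Bucket outbound bytes per hour and flag hours far above the median of
    the other hours; also list any flow to an IOC destination regardless of volume."""
    per_hour = defaultdict(int)
    ioc_flows = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        per_hour[m["ts"][:13]] += int(m["bytes"])   # key is 'YYYY-MM-DDTHH'
        if m["dst"] in IOC_IPS or m["dst"] in IOC_DOMAINS:
            ioc_flows.append((m["ts"], m["dst"]))
    spikes = []
    for hour, total in per_hour.items():
        others = [v for h, v in per_hour.items() if h != hour]
        if others and total > SPIKE_FACTOR * statistics.median(others):
            spikes.append((hour, total))
    return spikes, ioc_flows


def match_hashes(observed):
    """Return the observed file hashes that appear in the IOC list (case-insensitive)."""
    return sorted(h.lower() for h in observed if h.lower() in IOC_HASHES)


# Constructed sample logs (not real JLR data) showing the pattern described above.
AUTH_LOG = [
    "2025-09-02T01:10:00 auth user=svc_erp result=failure src=203.0.113.88 geo=RU",
    "2025-09-02T01:11:00 auth user=svc_erp result=failure src=203.0.113.88 geo=RU",
    "2025-09-02T01:12:00 auth user=svc_erp result=failure src=203.0.113.88 geo=RU",
    "2025-09-02T01:13:00 auth user=svc_erp result=failure src=203.0.113.88 geo=RU",
    "2025-09-02T01:14:00 auth user=svc_erp result=failure src=203.0.113.88 geo=RU",
    "2025-09-02T01:15:30 auth user=svc_erp result=success src=203.0.113.88 geo=RU",
    "2025-09-02T07:59:00 auth user=asmith result=failure src=10.0.0.9 geo=GB",
    "2025-09-02T08:00:00 auth user=asmith result=success src=10.0.0.9 geo=GB",
]
FLOW_LOG = [
    "2025-09-02T00:15:00 flow dir=out dst=update.vendor.example bytes=1000000",
    "2025-09-02T01:20:00 flow dir=out dst=192.0.2.45 bytes=8000000",
    "2025-09-02T01:40:00 flow dir=out dst=jlr-malicious.com bytes=4000000",
    "2025-09-02T02:05:00 flow dir=out dst=update.vendor.example bytes=900000",
    "2025-09-02T03:30:00 flow dir=out dst=update.vendor.example bytes=1100000",
]

if __name__ == "__main__":
    print(detect_suspicious_logins(AUTH_LOG))
    print(detect_outbound_spikes(FLOW_LOG))
    print(match_hashes(["FD4E2B9F6AEF4C8D217BB73931A8CD9F", "0" * 32]))
```

Run on the constructed data, the login check raises a single alert for `svc_erp` (five failures, unexpected country, IOC source address), the traffic check flags the 01:00 hour and both flows to IOC destinations, and the hash check normalises case before comparing so an upper-case hash from an EDR export still matches.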
Remediation:
Jaguar Land Rover applied critical security patches released for their affected ERP and production systems. Temporary mitigations included isolating impacted network segments, enhanced monitoring with SIEM solutions for abnormal activities, and mandatory password resets company-wide. Known workarounds recommend disabling legacy protocols and implementing multi-factor authentication for all remote admin access.
Takeaway for CISO:
This breach underscores the critical risk of advanced persistent threats compromising production and intellectual property in manufacturing. CISOs should prioritize continuous monitoring, rigorous access controls, and rapid patch management to mitigate similar threats. Investing in network segmentation and incident response preparedness is essential.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.