Unfortunately this thread broke in half due to me forgetting to bookmark a toot - here’s the original half https://cyberplace.social/@GossiTheDog/115134898389127599
The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o
Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident. VPNs and network border in UK all down.
To back up ReliaQuest - this is the exploit LAPSUS guys have running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.
Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513
Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.
They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.
ITV News 6pm lead story on Jaguar Land Rover
Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.
One surprising thing with the Jaguar Land Rover incident - they've only isolated JAGUAR LAND ROVER AUTOMOTIVE PLC (AS205756), the UK network. The India, China etc networks are still online.
When I dealt with LAPSUS elsewhere they entered via a different country network/biz unit and then pivoted to target country/biz unit.
JLR UK have got one internet facing system back online - wslx.jlrext.com
Single factor auth only because that's how automotives roll. If you visit direct IP, it's still branded Ford - Ford sold the business in 2008.
JLR are keeping car production closed until least Monday. They also say “some data was impacted”, whatever that means.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-issues-crisis-32447659
Unite are calling on the government to urgently intervene over the Jaguar Land Rover cyber incident, to introduce a furlough scheme for JLRs suppliers.
If anybody is interested, TCS’ website says JLR outsourced cybersecurity (not sure which bits) to it a few years ago.
TCS also run security operations and monitoring for Co-op (my old team) along with their IT and IT helpdesk, and M&S secops monitoring, IT and IT helpdesk.
In my own story, I discovered JLR outsourced different cybersecurity areas to TCS and then made many of the UK team redundant 6 months ago.
Liam Byrne MP, the chair of the Commons business and trade committee has said "We think this is an attack which is much, much worse than the attack that took down Marks and Spencer."
He's calling for the government to insure suppliers via taxpayer money when orgs get hit with ransomware.
https://www.bbc.co.uk/news/articles/cwyrqxj3eqqo
This is JLR's parent company, and this is JLR's network border today - personally, I think there's no way the government should have the obligation to bail out this situation.
JLR just made their most profits in a decade, after making cybersecurity staff redundant in March. JLR need their suppliers to resume production. JLR should pay their suppliers: they can afford it, and need them.
JLR isn't on the stock market, but their parent company, Tata Motors, is. Their share price has gone up consistently since the cyber incident began.
The share price of one of JLR's key suppliers, however, has plunged 55% since the incident began.
Jaguar Land Rover’s Slovak plant has been brought to a standstill for a third consecutive week after a cyberattack, sending shockwaves through the carmaker’s local supply chain and raising calls for state support for suppliers from the Slovakian government.
The factory is actually owned by Tata Motors, JLR’s parent company. Tata Motors haven’t actually disclosed it, but they too are impacted.
31 British MPs have written to UK government asking for government support for JLR’s suppliers.
I should loop this into the thread as it may well be relevant later: https://www.bbc.co.uk/news/articles/c62z8k14kxxo
Although it only mentions TfL, they're also implicated in M&S and a metric ton of other breaches. https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/
Including reportedly JLR -- the LAPSUS$ guys were trying to start their own home brew ransomware at the time but weren't very good at it. https://www.bbc.co.uk/news/articles/c4gqepe5355o
The Guardian have a look inside the crisis at Jaguar Land Rover.
There's no new information, other than sources at the company saying they don't realistically know when they will be able to restart production.
https://www.theguardian.com/business/2025/sep/20/jaguar-land-rover-hack-factories-cybersecurity-jlr
One awkward element to all of this is the UK Prime Minister launched his growth strategy, with the banner Securing Our Future, at Jaguar Land Rover.
It was supposed to be how AI and automation would secure the UK economy.
Edit: thread broke, it continues here: https://cyberplace.social/@GossiTheDog/115252536089032550
@GossiTheDog
``This allowed us to listen to suppliers directly and understand the challenges and concerns they are facing.''
... and?
Or business could improve their IT Security rather than worrying about paying shareholders ever-increasing dividends.
Why should taxpayers subsidise incompetent or careless businesses? 🤔
Fucking annoying how every business person in distress or difficulties becomes a rampant socialist once there is free government money potentially on offer.
If JLR picked the wrong external suppliers for their IT outsourcing, then sue the arseholes to cover the costs or claim on their insurance.
I thought it might be TCS but I wasn't sure, without checking 🙂
Say Tata to your business.
So JLR don't have business interrupion and or Consiquential Losses insurance? 🫤
Or money in the bank? 🤔
If JLR's workers we're getting paid (and they should be) then that's partial mitigation for some employees service providers (local businesses, shops etc).
Those business to business service providers should have their own mitigations in place for business interruption issues as JRL should.
Ultimately it is an interconnected market economy, not largely state controlled. Although JLR might be heading that way, if it remains viable.
If UK Gov needs to hand out "free" cash it then perhaps it needs to own part or all if the business? Before it's later sold to VW Group or Stalantis 🤔🤷♂️
@simonzerafa @womble “Those business to business service providers should have their own mitigations in place for business interruption issues as JRL should.”
What’s interesting in this case is most automotive is on a JIT delivery model so they don’t warehouse components. e.g. Mini bumpers arrive in colour order at Oxford to match the cars going down the assembly line. They don’t just get a truckload of red ones, then blue ones, etc. Suppliers incur fines if parts don’t arrive (halting production) and conversely Mini can cop large fines if they have to request a shipping pause (because the suppliers also have no warehousing for finished parts and need them out the door, or *they* have to halt production). JLR will have similar provisions and I’d be fascinated to know what liabilities they’ve incurred stopping prod for weeks. Presumably claiming force majeur and saying “no one gets anything”, which will be fun for the lawyers.
@GossiTheDog as a tax payer, but also a union member: screw that.
JLR should have insurance to cover this.
It isn't JLR that's affected here though (although they are, and friends of mine who work for them are currently having nightmares) - it's their suppliers. By that argument, they should also have insurance.
I guess tying a small company's entire output to one upstream behemoth used to be a safe bet, but not now.
Kevin Beaumont
Maki 🔻
narpoleptic
Myles Eftos
G
I love this, so I
Alex Turff
Khleedril
Alun Jones
Bartosz
Konrad
#/usr/sbin/rtheren
AndroidDreamer
tekhedd
The Turtle
The Penguin of Evil
Alastair Temple
fuzzyfuzzyfungus
Rairii 
Third spruce tree on the left
effectuator
Simon Zerafa
Neil Craig
Fazal Majid
I can’t believe its not @twcau
b3lt3r
Darryl Ramm
Martin Boller 
Brian Clark
Sleeper_cell_spy
lnxgeek
Matt Palmer
richh
Gary 
Greem (Graeme. Not Graham!)
T1- Push The Button