
Safe Tuesday with SNOK: When Teenagers Paralysed the British Automotive Industry – Anatomy of the Cyberattack on Jaguar Land Rover


Sunday, 31 August 2025. IT monitoring teams at Jaguar Land Rover detect suspicious activity on internal networks. No one yet knows that the company stands on the brink of the largest operational catastrophe in its history. The decision to preventively shut down all IT systems worldwide will turn out to be the beginning of a month-long paralysis that halts production of 30,000 vehicles, threatens 200,000 jobs, and forces an unprecedented intervention by the British government with a £1.5 billion credit guarantee. It is the first time in history that a state has provided financial support to a company hit by a cyberattack.

Five months of preparation for the attack

The attack on JLR was the culmination of a five-month campaign whose roots go back to March 2025. At that time, the ransomware group HELLCAT used credentials stolen four years earlier for the Jira system - belonging to an LG Electronics employee who had access as a contractor - to exfiltrate 350 GB of sensitive data, including source code, internal documentation and employee data.

On 1 September, production halted at all plants worldwide - Solihull, Halewood, Castle Bromwich and Wolverhampton in the United Kingdom, as well as plants in Slovakia, China, India and Brazil. Thirty thousand employees in the UK were sent home. The attack coincided with “New Plate Day” - the largest day for new vehicle registrations in the United Kingdom - which intensified the chaos.

On 2 September, JLR publicly confirmed a “cyber incident”. Tata Motors filed a regulatory report on the Bombay Stock Exchange. The company stated it had no evidence of customer data theft, but that sales, production and dealer service systems were severely disrupted. On 3 September, the group “Scattered Lapsus$ Hunters” claimed responsibility for the attack on Telegram, publishing screenshots from JLR’s internal SAP systems.

On 10 September, JLR revised its earlier position, admitting that some data had been compromised, and notified the relevant regulatory authorities. On 23 September, the company extended the production halt for a second time - now until 1 October. The forensic investigation continued in full swing.

Unprecedented state support

On 29 September, the British government announced an unprecedented guaranteed loan of £1.5 billion - the first time a state has provided financial support to a company specifically because of a cyberattack. In early October, JLR began a controlled, phased restart of production. The engine plant in Wolverhampton was the first to resume operations, on 6 October.

Who are the perpetrators?

Responsibility for the attack lies with a loose network of young, English-speaking hackers operating under the joint banner “Scattered Lapsus$ Hunters” - an amalgamation of three groups: Scattered Spider, Lapsus$ and ShinyHunters. This is the same coalition that earlier in 2025 attacked British retail chains Marks & Spencer, with losses reaching £300 million, as well as Co-op and Harrods.

The group’s characteristics are striking: it consists mainly of teenagers and people in their twenties who use social engineering, vishing (voice phishing) and sophisticated helpdesk attacks. Their arsenal includes tools such as SliverC2, Lumma Stealer for credential theft, and PowerShell scripts bypassing AMSI protections. They operate as part of a loose network called “The Com” - an online community of cybercriminals.

In July 2025, four members of the group, including three teenagers aged 17-20, were arrested in the United Kingdom in connection with earlier attacks on retail businesses. Noah Urban, a leading member of Scattered Spider, was sentenced to 10 years in prison in the US in August 2025 for cryptocurrency theft.

How did they get in?

Cybersecurity experts point to several likely points of entry. First, the credentials stolen in March 2025 - the hackers probably never lost access after their initial Jira breach. Second, a vishing attack on the helpdesk - impersonating IT staff using data from earlier breaches to convince the helpdesk to grant access. Kevin Beaumont, a cybersecurity consultant, comments: “The hackers called the helpdesk and asked for access - and got it with ease.”

Third, a possible compromise of Tata Consultancy Services, JLR’s IT services provider for £800 million a year, which also serves M&S and Co-op - all attacked by the same group. Fourth, an unconfirmed vulnerability in SAP NetWeaver, which the hackers claimed to have exploited.

The scale of the damage

The consequences of the attack were devastating. Production halted for more than 30 days meant the loss of 24,000-30,000 vehicles at a normal production rate of a thousand units per day. Total financial losses are estimated at £1.7-4.7 billion, or $2.3-6.3 billion. Revenue losses amounted to $50-70 million per week. Arrears owed to suppliers reached £300 million, paid out at the end of September.

A lack of cyber insurance proved to be a critical problem. JLR did not have an active policy at the time of the attack - the company was negotiating terms with broker Lockton when the incident occurred. Unlike Marks & Spencer, which recovered £300 million from insurance, JLR bears the full cost. For context: JLR’s pre-tax profit for the 2024/25 financial year was £2.5 billion. Potential losses could wipe out one to two years of profit.

The stock market reaction was immediate. On 25 September 2025, Tata Motors, JLR’s owner, recorded a decline of 2.6-4% within a single day. Over five days, the decline reached 6.5% after details of the losses and lack of insurance were disclosed. Since the start of the year to the end of September, shares had fallen by 11%. JLR accounts for around 70% of Tata Motors’ consolidated revenue, so the impact on the company’s value was enormous.

Shockwaves through the supply chain

The jobs at risk were not limited to JLR’s 30,000 direct employees in the United Kingdom. The supply chain accounts for 100,000-200,000 jobs, and the total ecosystem supports around 200,000 positions. One in six companies in JLR’s supply chain implemented layoffs. One smaller supplier laid off 40 employees - nearly half its workforce. Order systems were unavailable, payments were frozen, and the just-in-time model collapsed entirely. Employees were advised to apply for Universal Credit.

JLR accounts for 4% of UK goods exports and 4.7% of the West Midlands economy, contributing £8.7 billion in 2024. Local businesses, restaurants and services reported a 30% drop in revenue. This was not merely one company’s problem - it was a regional economic catastrophe.

An epidemic of attacks on the automotive sector

The attack on JLR is not an isolated incident, but part of an unprecedented wave of cyberattacks on the automotive sector in 2024-2025. In June 2024, CDK Global, a software provider serving 15,000 dealers across North America, was attacked by the BlackSuit ransomware group. A three-week outage affected dealers of GM, Ford, BMW, Stellantis, VW and Mercedes-Benz. The ransom paid was approximately $25 million, and losses reached $944 million to $1 billion in business interruption.

Toyota experienced multiple incidents between 2023 and 2024. In November 2023, Toyota Financial Services was attacked by Medusa ransomware, with a demand of $8 million. In August 2024, a breach exposed 240 GB of information. In May 2023, it was revealed that 2.15 million customers had had their vehicle location data exposed for ten years.

Hyundai Motor Europe fell victim to a BlackBasta ransomware attack in January 2024, in which allegedly 3 terabytes of data were stolen. Volkswagen Group experienced a data breach affecting 800,000 owners of electric vehicles in December 2024, due to an Amazon cloud misconfiguration. BMW was indirectly affected through an attack on its supplier JTEKT North America in October 2024, where BlackSuit claimed responsibility for stealing 894 GB of data.

The numbers speak for themselves. In 2024, 409 cyber incidents were recorded in the automotive sector, a 39% increase from 295 incidents in 2023. More than 60% of them affected thousands to millions of assets. Ransomware accounted for 45% of all incidents in 2025.

The escalation in financial impact is alarming. In 2022, total costs of cyberattacks on the automotive sector amounted to $1 billion. In 2023, they rose to $12.8 billion. In 2024, they reached $22.5 billion, of which data breaches cost $20 billion, system downtime $1.9 billion, and ransomware damage $538.2 million.

Why are carmakers targets?

Automotive companies hold high-value assets: customer data, intellectual property, supply chain information. Connected vehicles generate massive amounts of valuable data. Major manufacturers have significant financial resources, and the high cost of production downtime encourages rapid ransom payments. In JLR’s case, estimated losses ranged from £50-500 million per week.

The complex attack surface encompasses more than 400 million connected vehicles in use by 2025. Multiple entry points include onboard systems, the cloud, mobile applications, electric vehicle charging systems, over-the-air updates and telematics. Intel 471 warns that automotive companies have been caught in “opportunistic cybercrime resulting from inadequate security practices”. Legacy systems were not designed with cybersecurity in mind, security measures are outdated, software is unpatched, and response protocols are slow.

Supply chain complexity presents another problem. The extensive network of suppliers, manufacturers and service providers means that smaller partners often have less rigorous security protocols. A single weak link can compromise the entire ecosystem. The widening gap between regulatory compliance and actual security resilience - the so-called “cyber gap” - means that cyber threats are evolving faster than regulatory measures, and attackers are outpacing the industry’s ability to respond.

SAP security vulnerabilities: a 10/10 on the threat scale

While JLR has never officially confirmed exactly which vulnerabilities the hackers exploited, the group claimed to have exploited vulnerabilities in SAP systems - ERP systems that manage critical business operations in finance, HR, supply chain and logistics.

CVE-2025-31324 is a vulnerability in SAP NetWeaver Visual Composer with a CVSS score of 10.0, the maximum rating. Status: actively exploited in attacks. A patch was released on 24 April 2025, but it had already been exploited since January. It concerns a lack of authorisation checks leading to unrestricted file upload. The attack vector is network-based via HTTP or HTTPS, requiring no authentication. The attacker sends crafted requests to the metadatauploader endpoint, uploads malicious JavaServer Pages webshells to the application directory, executes them remotely, and gains full remote command execution with operating system administrator privileges, achieving total compromise with full database access.

Exploitation in the wild began with reconnaissance activity in honeypots in January and February 2025. The first wave of successful compromises deploying webshells occurred in March. The vulnerability was publicly disclosed on 22 April 2025, and on 29 April it was added to the CISA Known Exploited Vulnerabilities catalogue. In August 2025, a public exploit chain was released. Those behind the attacks include Russian ransomware groups such as BianLian, RansomEXX and Qilin, as well as China-linked APT groups such as UNC5221 and Earth Lamia, along with initial access brokers and opportunistic attackers.
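As an added illustration of how a defender would look for the exploitation pattern just described (this is not code from the original article or from any vendor it names), the following Python script scans constructed web-server access-log lines for requests to the metadatauploader endpoint and for JSP files that are then served to the same source. The full endpoint path and the JSP location under the portal tree are assumptions made for the example.

```python
import re

# Full path of the Visual Composer "metadatauploader" endpoint named in the text (assumed here)
UPLOADER_PATH = "/developmentserver/metadatauploader"
# JSP resources served from the portal tree; a freshly served JSP here matches the
# "webshell in the application directory" the text describes (location assumed)
PORTAL_JSP = re.compile(r"^/irj/.*\.jsp$", re.IGNORECASE)

# NCSA/Apache common-style access-log line: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: one source probes the uploader and then calls a JSP; the other is a normal user
LOG_LINES = [
    '203.0.113.7 - - [03/Mar/2025:02:14:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Mar/2025:02:14:09 +0000] '
    '"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 312',
    '203.0.113.7 - - [03/Mar/2025:02:14:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87',
    '198.51.100.22 - jdoe [03/Mar/2025:08:30:44 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.22 - jdoe [03/Mar/2025:08:31:02 +0000] '
    '"GET /webdynpro/dispatcher/sap.com/tc~wd~tools/Explorer HTTP/1.1" 200 2048',
]

def parse_line(line):
    """Return the fields of one access-log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string before matching
    return rec

def analyse(lines):
    """Flag every request to the uploader endpoint and every JSP served from the portal tree.

    A JSP hit from a source that already touched the uploader is rated critical: that is the
    upload-then-execute sequence described in the text.
    """
    findings = []
    uploader_sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].lower() == UPLOADER_PATH:
            uploader_sources.add(rec["ip"])
            findings.append({
                "kind": "metadatauploader_request",
                # a POST is an upload attempt; a GET is more likely reconnaissance
                "severity": "high" if rec["method"] == "POST" else "medium",
                "ip": rec["ip"], "user": rec["user"], "status": rec["status"],
                "path": rec["path"],
            })
        elif PORTAL_JSP.match(rec["path"]) and rec["status"] == "200":
            followed_upload = rec["ip"] in uploader_sources
            findings.append({
                "kind": "jsp_after_upload" if followed_upload else "unexpected_jsp",
                "severity": "critical" if followed_upload else "medium",
                "ip": rec["ip"], "user": rec["user"], "status": rec["status"],
                "path": rec["path"],
            })
    return findings

if __name__ == "__main__":
    for f in analyse(LOG_LINES):
        print(f"[{f['severity']:8}] {f['kind']:25} {f['ip']:15} {f['path']}")
```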

CVE-2025-42957 is another critical vulnerability, in SAP S/4HANA, with a CVSS score of 9.9, also actively exploited. ABAP code injection was detected in the RFC function module. It requires only a low-privilege user account. The attacker needs a basic SAP account with access to the vulnerable module, injects arbitrary ABAP code via an RFC call, bypasses basic authorisation checks, and escalates to full administrative privileges.

Post-exploitation, it becomes possible to modify or delete data directly in the SAP database, create superuser accounts with SAP_ALL privileges as persistent backdoors, extract password hashes, alter business processes, gain full control of the host operating system, and deploy ransomware or data-stealing malware. SecurityBridge verified actual exploitation in customer environments, Pathlock detected unusual activity consistent with exploitation attempts, and exploitation activity surged sharply following the patch release in August 2025. The Dutch NCSC warned of active exploitation in September 2025.

How these vulnerabilities could have been exploited in the attack on JLR

The attack chain for an enterprise compromise unfolded in four phases. In the initial access phase, attackers scan internet-facing SAP NetWeaver systems, identify systems with Visual Composer, unpatched RMI-P4, or exposed services, and exploit critical vulnerabilities to gain an initial foothold.

In the persistence and privilege escalation phase, they upload webshells for persistent access, execute commands as a user with full SAP privileges, exploit further vulnerabilities to inject ABAP code and create backdoor admin accounts, gaining SAP_ALL privileges for total system control.

In the lateral movement phase, they gain unrestricted access to the SAP database, pivot to connected SAP systems, move on to other internal infrastructure using SAP as a foothold, and exploit trust relationships between SAP systems.

In the data exfiltration and impact phase, they exfiltrate sensitive data such as financial records, personal data and intellectual property, extract password hashes to harvest credentials, modify business processes and financial data, deploy ransomware within the SAP environment, and disrupt critical business operations.
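One defensive check for the persistence phase of the chain above, written as an added example rather than anything from the article or from SecurityBridge: diff two constructed extracts of user-to-profile assignments (shaped like rows of SAP's UST04 table) and alert on every SAP_ALL or SAP_NEW grant that appeared since the baseline, rating a grant to a previously unknown account as the backdoor pattern. The approved-holder list and the row data are constructed for the example.

```python
# Profiles that grant unrestricted authority: SAP_ALL (named in the text) and its companion SAP_NEW
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Accounts permitted to hold a critical profile, e.g. a break-glass firefighter user (assumed list)
APPROVED_HOLDERS = {("100", "FIREFIGHTER")}

# Constructed extracts shaped like UST04 rows (client, user name, profile): one taken before
# the incident window and one taken now
BASELINE = {
    ("100", "FIREFIGHTER", "SAP_ALL"),
    ("100", "JDOE", "Z_FINANCE_DISPLAY"),
    ("100", "ASMITH", "Z_HR_CLERK"),
}
CURRENT = {
    ("100", "FIREFIGHTER", "SAP_ALL"),
    ("100", "JDOE", "Z_FINANCE_DISPLAY"),
    ("100", "JDOE", "SAP_ALL"),          # existing account escalated to full authority
    ("100", "ASMITH", "Z_HR_CLERK"),
    ("100", "SVC_INTEGR", "SAP_ALL"),    # account that did not exist in the baseline
    ("100", "SVC_INTEGR", "SAP_NEW"),
}

def users_in(rows):
    """Set of (client, user) pairs present in an extract."""
    return {(client, user) for client, user, _ in rows}

def audit_critical_grants(baseline, current, approved=APPROVED_HOLDERS):
    """Return one alert per critical-profile assignment that appeared since the baseline.

    A grant to an account unknown in the baseline is rated critical: a new user created with
    SAP_ALL is the persistent-backdoor pattern described in the text. A grant to an existing,
    unapproved account is rated high.
    """
    known_users = users_in(baseline)
    alerts = []
    for client, user, profile in sorted(current - baseline):
        if profile not in CRITICAL_PROFILES or (client, user) in approved:
            continue
        is_new_user = (client, user) not in known_users
        alerts.append({
            "client": client, "user": user, "profile": profile,
            "new_user": is_new_user,
            "severity": "critical" if is_new_user else "high",
        })
    return alerts

def revoked_critical_grants(baseline, current):
    """Critical grants present in the baseline but gone now (useful to confirm a clean-up)."""
    return sorted(r for r in baseline - current if r[2] in CRITICAL_PROFILES)

if __name__ == "__main__":
    for a in audit_critical_grants(BASELINE, CURRENT):
        flag = "NEW ACCOUNT" if a["new_user"] else "existing account"
        print(f"[{a['severity']}] {a['client']}/{a['user']} gained {a['profile']} ({flag})")
```

In a real system the two extracts would come from scheduled exports of the assignment table, and a periodic run of the same diff catches an escalation long before a monthly authorisation review would.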

Polish expertise in SAP security

SNOK, founded in May 2021 in Warsaw, is a strategic partner specialising in comprehensive SAP BASIS administration, S/4HANA conversions and implementations, and SAP systems security. The company offers advanced SAP-specific cybersecurity services, penetration testing, security audits, and a round-the-clock Security Operations Centre. It is an official SAP partner, a Microsoft Solution Partner for Azure Infrastructure, and a strategic partner of SecurityBridge, a partnership announced in September 2021.

SecurityBridge is the first and only seamlessly integrated cybersecurity platform native to SAP, headquartered in Ingolstadt, Germany. Certified to ISO 27001 and SAP Certified, it is trusted by more than 150 customers worldwide, securing more than 5,000 SAP systems. The platform offers 360-degree security coverage, real-time threat monitoring and intrusion detection, vulnerability management and automated scanning, automation of GDPR, NIST and CISA compliance, user behaviour monitoring and identity theft detection, and custom code security analysis in ABAP and Fiori.

Jacek Bugajski, CEO of SNOK, explains the philosophy of SAP security: “The biggest mistake is to view SAP cybersecurity solely through the lens of roles and authorisations. Of course, these are very important issues, but they by no means exhaust the topic. Today, ensuring effective protection of SAP environments requires securing every layer of that architecture - from proper network architecture and access, through operating system parameterisation, to database and application server security, all the way to the user layer.”

On the subject of ransomware threats, Bugajski warns: “One of the most underestimated threats is ransomware. We have already seen a number of such attacks targeting our clients. Ransomware does not necessarily have to target endpoints. Today, every element of infrastructure can be exploited if it is not properly secured. A chain is only as strong as its weakest link.”

On the subject of ABAP code security, he reveals some troubling facts: “We have encountered backdoors written directly into SAP system code at some clients. Paradoxically, this is a fairly common practice. Put simply, a developer or consultant, probably for convenience, left a conditional statement granting a specific user full system privileges, for example SAP_ALL, bypassing authorisation checks - in a way that is impossible to detect without ABAP code analysis.”
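The hard-coded privilege check Bugajski describes can be caught with a plain source scan. The following is an added example (not SNOK's or SecurityBridge's code) that searches a constructed ABAP report for comparisons of sy-uname against a literal user name and for the SAP_ALL literal, skipping comment text so that disabled code does not raise noise. The ABAP snippet, its authorisation object and its message class are constructed for the example.

```python
import re

# Constructed ABAP report containing the pattern described above: one hard-coded user bypasses
# the authority check. Authorisation object and message class are made up for the example.
ABAP_SOURCE = """\
REPORT z_post_invoice.
* legacy: IF sy-uname = 'OLDTEST'.
DATA lv_ok TYPE abap_bool.
IF sy-uname = 'ZDEVX01'.
  lv_ok = abap_true.  " this account never reaches the check below
ELSE.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '01'.
  IF sy-subrc = 0.
    lv_ok = abap_true.
  ENDIF.
ENDIF.
IF lv_ok = abap_false.
  MESSAGE e001(zfi).
ENDIF.
"""

PATTERNS = [
    # sy-uname compared with a quoted literal: a code path reserved for one named user
    ("hardcoded_user_check",
     re.compile(r"\bsy-uname\s*(?:=|EQ|<>|NE|IN)\s*\(?\s*'[^']*'", re.IGNORECASE)),
    # SAP_ALL appearing as a literal in custom code, e.g. handed to a profile-assignment call
    ("sap_all_literal", re.compile(r"'SAP_ALL'", re.IGNORECASE)),
]

def strip_comments(line):
    """Drop ABAP comment text: '*' in column 1 comments the whole line,
    and a double-quote character starts an inline comment."""
    if line.startswith("*"):
        return ""
    return line.split('"', 1)[0]

def scan_abap(source):
    """Return a finding (line number, kind, source text) for each suspicious statement."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = strip_comments(raw)
        for kind, pattern in PATTERNS:
            if pattern.search(code):
                findings.append({"line": lineno, "kind": kind, "text": raw.strip()})
    return findings

if __name__ == "__main__":
    for f in scan_abap(ABAP_SOURCE):
        print(f"line {f['line']}: {f['kind']}: {f['text']}")
```

A scan like this is a first filter only; each hit still needs a human to read the surrounding statement, since a sy-uname comparison can also be a legitimate exclusion for a batch user.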

Jaroslaw Kamil Zdanowski, Partner for SAP Cybersecurity at SNOK with more than 12 years of experience in SAP Cybersec/BASIS, explains the evolution of SAP security: “The SAP R/2 system was created more than 50 years ago and naturally carries a certain legacy. At the time when SAP’s foundations were laid, no one paid particular attention to cybersecurity. Initially, these were primarily closed environments running on mainframe platforms, accessible and comprehensible only to privileged individuals. The need to place greater emphasis on security only emerged after 2000.”

On the implementation of SecurityBridge, Zdanowski says: “Our first contact with SecurityBridge convinced me that it is an essential solution for any organisation that wants to take a deliberate approach to SAP system security. We launched the SecurityBridge environment in production within three weeks. This solution proved so valuable that we based our entire SAP security policy on the recommendations and functionalities provided by the SecurityBridge platform.”

On the business impact, he warns: “For a would-be hacker, gaining access to an SAP environment is like breaking into a vault. Not only can they steal valuable information about customers, products, formulas or finances and sell it on the black market, pass it to competitors or use it for blackmail, but they can also disable the entire system, and with it, the business operations of substantial organisations.”

RISE with SAP: a fortress that even teenage hackers cannot breach

In the context of the Jaguar Land Rover drama and the epidemic of cyberattacks on the automotive industry, a question arises: is it even possible to create an SAP environment that can effectively withstand even the most sophisticated attacks? The answer is: yes, but it requires combining modern cloud architecture with advanced security tools and deep expertise.

The RISE with SAP model, combined with SNOK’s expertise and the SecurityBridge product, creates exactly such an impenetrable fortress. RISE with SAP is a transformative SAP offering that moves ERP systems to the cloud with built-in infrastructure-level security mechanisms. However, cloud migration alone is only the beginning of the journey. The real strength lies in the security layer provided by SecurityBridge, which acts as a digital early warning and defence system.

SecurityBridge within a RISE with SAP environment operates seamlessly, scanning every line of ABAP code in real time for backdoors, which - as Jacek Bugajski admits - are surprisingly common in SAP systems. The platform automatically detects attempts to exploit critical vulnerabilities such as CVE-2025-31324, which paralysed JLR, alerting security teams within a fraction of a second of detecting suspicious activity. Every file upload to the metadatauploader endpoint, every ABAP code injection attempt, and every unusual RFC call is immediately identified and blocked.

SNOK’s expertise adds a human element to this equation that no automation can replace. Jaroslaw Zdanowski’s team not only implements SecurityBridge within three weeks, but above all designs a comprehensive security strategy covering every layer of SAP architecture - from the network, through the operating system and database, to the application and user layer. This holistic approach closes all the loopholes through which the Scattered Lapsus$ Hunters group gained access to JLR’s systems.

SNOK’s round-the-clock Security Operations Centre monitors systems continuously, analysing behavioural patterns that could signal a helpdesk vishing attack or an attempt to exploit stolen credentials. SNOK’s proprietary SneakEye solution tracks technical parameters and system performance, detecting anomalies that may indicate the activity of malware such as Lumma Stealer or SliverC2. Integration with SIEM platforms reduces log volume by up to 70%, eliminating information noise and allowing analysts to focus on genuine threats.

In practice, this means that an attacker who managed to steal four-year-old credentials, as in the case of JLR, would encounter a system with automatic password rotation and multi-factor authentication. An attempt to exploit a vulnerability in SAP NetWeaver would be blocked by automatic system patching managed by SNOK as part of its SAP BASIS services. Any attempt to upload a webshell would be detected by SecurityBridge, which analyses every uploaded file. Even if an attacker managed to breach the first line of defence, user behaviour monitoring would detect unusual activity, and the system would automatically restrict the privileges of the suspicious account before escalation to SAP_ALL level could occur.

The RISE with SAP model, supported by SNOK and SecurityBridge, is not just technology - it is a paradigm shift. Instead of reacting to incidents as in the JLR case, organisations gain proactive defence that anticipates and blocks attacks before they can cause damage. Instead of a month-long production paralysis, a potential attack is stopped within seconds. Instead of billions in losses, the company incurs only the cost of implementing safeguards that pay for themselves many times over with the very first incident blocked.

In an era when teenage hackers can paralyse Britain’s largest carmaker, the combination of RISE with SAP, SecurityBridge and SNOK’s expertise ceases to be a luxury and becomes a necessity. It is the difference between a company that, after a cyberattack, asks the government for billions in aid, and an organisation that never allows itself to reach a point where hackers could threaten its operations. It is the difference between an open vault and an impenetrable fortress.

Conclusions: lessons from the most costly cyberattack in UK history

The attack on Jaguar Land Rover marks a turning point in the history of industrial cybersecurity. For the first time in the history of the United Kingdom, a cyberattack caused such widespread economic consequences that it required direct state intervention with billions in financial support.

SAP systems are indeed a treasure trove for hackers, as confirmed by Polish specialists. They manage the most important business processes, and their compromise can paralyse an entire organisation. Vulnerabilities in SAP are not theoretical - CVE-2025-31324, with a CVSS score of 10.0, has been actively exploited by ransomware groups since March 2025. Companies that failed to apply the patch exposed themselves to inevitable compromise.

Cyber insurance is a necessity, not an option. The lack of a policy at JLR meant bearing the full costs, unlike Marks & Spencer, which recovered £300 million. This is no longer an optional safeguard, but a critical element of risk management.

The supply chain is the weakest link. The suspicion that hackers gained access through Tata Consultancy Services - the same IT provider that served all the companies attacked: M&S, Co-op and JLR - confirms experts’ warnings about the risks of outsourcing critical IT functions.

Teenagers can cause billion-pound losses. “Scattered Lapsus$ Hunters” is largely a group of teenagers and young adults. Using social engineering, stolen credentials and publicly available exploits, they caused effects comparable to state-sponsored attacks.

Just-in-time production is a vulnerability. A model that for decades was a symbol of efficiency turned out to be an Achilles heel. A single IT attack can immediately halt physical production and paralyse hundreds of suppliers.

Polish expertise in SAP security is critical. Companies such as SNOK Security Lab and their partnership with SecurityBridge offer exactly the solutions that JLR lacked: automatic vulnerability detection, real-time monitoring, and rapid threat response.

Jacek Bugajski of SNOK put it aptly even before the attack on JLR: “There is nothing to wait for” when it comes to implementing SAP security. As the JLR case demonstrated, the cost of delay is not just financial - it is jobs, regional economic stability, and reputation built over decades. In an era when teenage hackers can trigger an economic crisis requiring state intervention, cybersecurity has ceased to be merely an IT issue - it has become a cornerstone of national security.
