The hacking group said to be behind the devastating rash of Salesforce supply chain attacks is claiming responsibility for this week's cyberattack on luxury automaker Jaguar Land Rover.
-
The newly rebranded “Scattered Spider, LAPSUS$, Shiny Hunters” hacker collective is allegedly behind the August 31st Jaguar Land Rover cyberattack.
-
On Telegram, the group mocked Jaguar, Google’s Mandiant team, Salesforce, and threatened future attacks on UK targets like Vodafone and government officials.
-
Experts say even with operational disruptions, the theft of sensitive data poses the greatest long-term threat.
The August 31st attack, which Jaguar Land Rover (JLR) confirmed in a statement on its website on Tuesday, forced the high-end auto manufacturer to "proactively shut down our systems," causing "severe disruptions to its retail and production activities."
Owned by India's Tata Motors, the UK-headquartered company said it was now "working to restart our global applications in a controlled manner," adding that there was no evidence that customer data was stolen.
Now, rumors abound that the cyberattack is the handiwork of a newly formed trio of notorious hacking groups, which includes Scattered Spider, a ransomware group most widely known for hitting Britain’s Marks & Spencer retail chain in April, among others.
Formerly known as Scattered Spider, LAPSUS$, and Shiny Hunters, the newly rebranded “scattered LAPSUS$ hunters” group has already wreaked havoc on more than 700 organizations worldwide this summer.
Identified by Google threat researchers in June under the moniker UNC6240 (for Shiny Hunters), the gang is believed to be responsible for the recent spree of Salesforce attacks that, in the last week alone, have impacted such cybersecurity heavyweights as Palo Alto Networks, Cloudflare, and Zscaler.
Meantime, Ryan Sherstobitoff, Chief Threat Intelligence Officer at SecurityScorecard, points out that while JRL has not disclosed the nature of the incident or a timeline for recovery, "the attack exposes the fragility of modern manufacturing environments, where tightly integrated systems support everything from factory output to retail logistics."
Disrupting operations across JLR’s global network, the attack “has left UK dealers unable to register new vehicles or supply parts, including shutdowns at its Solihull plant,” he noted.
About 33,000 factory staff at Solihull, the largest automotive employer in Britian, will stay at home until at least Tuesday, Reuters reported.
The fact that the attack happened on a Sunday "further amplifies the impact, exploiting gaps in response readiness and delaying containment, and reflects a growing trend of threat actors focusing on halting operations rather than stealing data," Sherstobitoff explains.
Sherstobitoff says that as attackers shift focus toward operational sabotage, resilience must be built across the entire supply chain.
Publicity stunt or serious threat?
The quite vocally active hacking group of said “teenagers” has been posting up a storm on its latest Telegram channel. However, Cybernews researchers acknowledge the entire effort could be just one big “PR stunt.”
The cybercriminal cartel, which likes to taunt its victims and law enforcement with provocative posts filled with jibberish and offensive language, has referenced the Jaguar Land Rover hack at least four times on its channel since Tuesday evening, citing several news articles that had identified them as the group behind the JLR attack.
The BBC was the first to report on Wednesday that two images posted by the group show apparent internal instructions for troubleshooting a car charging issue and internal computer logs.
The gang also threatened the UK's National Crime Agency with more targeted attacks.
"Just a matter of time till we lock Vodafone UK next and cut off peoples lines and internet, steal your call logs and leak your countries PMs and officials private conversations yayayay!!!" it said.
In several other ramblings posted on Wednesday, the group proceeded to directly reference the Salesforce attacks, making fun of the threat researchers at Google's Mandiant.
Playing to its newfound fan club of 52,000 subscribers, the group captioned what appears to be an AI image of a slovenly, chubby man sitting behind several computers with "Mandiant at salesforce hq watching the log files."
The hackers even thanked their "BFF foreber [sic]
" Shiny Hunters for "assisting in the Salesforce campaign."
Sensitive data is the real prize
Dr. Darren Williams, founder and CEO of ransomware prevention firm BlackFog, believes the “widespread disruption to Jaguar Land Rover’s operations has already had a serious impact, but the latest claims by the M&S hackers are likely to heighten concerns even further.”
“We know that for many criminal groups, disrupting operations is a byproduct but not the primary aim. Their real prize is sensitive data, which can be used as leverage for ransom or sold on underground markets,” he explains.
“Once attackers have their hands on personal or corporate data, the consequences extend well beyond immediate downtime. It can fuel phishing campaigns, identity theft, and further attacks across supply chains,” Williams said.
"Given what we know about cyberattacks, it is the protection of data, not just the prevention of breaches, that determines resilience in the face of a serious attack," he added.
The suspected Salesforce hackers have also claimed breaches at US insurance giant Allianz Life, the popular Workday CRM platform, and the ChangeNow crypto exchange.
Last Thursday, the TransUnion credit bureau informed 4.4 million customers their personal details may have been exposed due to a Salesforce-related attack.
Other major Salesforce victims in recent months have included Farmers Insurance, Air France, KLM, Coca-Cola, Cisco, Australia’s Qantas airline, Adidas, and Louis Vuitton luxury goods maker LVMH.
Your email address will not be published. Required fields are markedmarked