Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident.
-
The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o
To back up ReliaQuest - this is the exploit LAPSUS guys have been running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.
-
Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513
Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
-
If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.
They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.
-
This isn't anything against the LAPSUS guys btw as they're basically having a five year ninja fight with Mandiant, DART, cyber standards and law enforcement while playing teenage Mr Bean and let's be honest... that's pretty funny and eye opening.
-
ITV reports Jaguar Land Rover has shut down car production in the UK, Slovakia, China, India and Brazil.
https://www.itv.com/news/2025-09-04/jaguar-land-rover-temporarily-halts-all-car-production-following-cyber-attack
-
ITV News 6pm lead story on Jaguar Land Rover
Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.
-
JLR is keeping all factory production suspended today, tomorrow, Sunday and at least Monday (possibly longer) in UK, Slovakia, China, India and Brazil.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-staff-until-32413174
-
JLR directly employ 32k people in the UK so I imagine there's going to be ripple effects on the wider economy off the back of this one the longer it goes on.
-
Meanwhile the LAPSUS guys were busy posting large numbers of US defense Top Secret marked documents last night. They've since been deleted from Telegram.
-
One surprising thing with the Jaguar Land Rover incident - they've only isolated JAGUAR LAND ROVER AUTOMOTIVE PLC (AS205756), the UK network. The India, China etc networks are still online.
When I dealt with LAPSUS elsewhere they entered via a different country network/biz unit and then pivoted to target country/biz unit.
-
JLR UK have got one internet facing system back online - wslx.jlrext.com
Single factor auth only because that's how automotives roll. If you visit direct IP, it's still branded Ford - Ford sold the business in 2008.
-
Just checked in on JLR - factory production won't be resuming tomorrow (day 7).
-
Jaguar Land Rover car production is still shut down tomorrow, day 8. I’ve checked the network border, everything except one system in UK is also still offline.
-
JLR are keeping car production closed until at least Monday. They also say “some data was impacted”, whatever that means.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-issues-crisis-32447659
-
JLR have started switching border routers back on (don't ask me why SNMP, NTP and SSH are internet facing).
-
@GossiTheDog
Wouldn’t the uptime rather suggest that they just plugged the cable back in?
Doesn’t seem to have even bothered patching the routers beforehand.
The routers could potentially be CEs and thus the responsibility of the service provider.