A group of English-speaking hackers linked to the Marks & Spencer cyber-attack has claimed responsibility for an attack on Jaguar Land Rover.
A channel on the Telegram platform posted a screenshot of what appeared to be the carmaker’s internal IT systems, as well as a news article detailing the hack.
The name of the Telegram channel is a combination of three English language speaking, or western-based, hacking groups known as Scattered Spider, Lapsus$ and ShinyHunters.
Scattered Spider, a collective of teenage and twentysomething hackers, has been blamed for attacks this year on British retailers M&S, Co-op and Harrods. Four people including three teenagers were arrested at UK addresses in July as part of an investigation into the retail cyber-attacks.
Britain’s biggest carmaker halted production at key sites on Monday after admitting its manufacturing and retailing activities had been “severely disrupted” by a cyber-incident. It said there was no evidence that any customer data had been taken but had “proactively” shut down its systems and taken “immediate action to mitigate” the impact.
JLR did not give more details about who was behind the incident, when it was discovered or how long it would take to recover from it.
Car industry sources said the incident had severely affected its suppliers, which normally make regular deliveries of parts to its factories. These suppliers could lose tens of millions of pounds in sales because of the halt in production, they added.
Aiden Sinnott, a security researcher at UK cybersecurity firm Sophos, said one of the personas on the Telegram group, Rey, shared the same name as a member of Hellcat, the ransomware gang that claimed to have extracted data from JLR earlier this year. Sinnott said Hellcat fitted the same mould as Scattered Spider and ShinyHunters.
“They speak English and they are keen on using social media channels,” he said, adding that Lapsus$ shared similar tactics and demographics as the Scattered Spider collective.
The cyber-attack at JLR comes amid disruption from the impact of US tariffs and declining sales.
The carmaker reported that underlying pre-tax profits fell by 49% to £351m in the three months to June, which included a period when the company temporarily paused exports to the US.
In 2023 an 18-year-old from Oxford and part of the Lapsus$ hacking group, Arion Kurtaj, who is autistic, was sentenced to an indefinite hospital order after stealing 90 clips of the unreleased Grand Theft Auto 6 game as part of a hacking spree.
Describing ShinyHunters and Scattered Spider, Sinnott said: “Consolidating them into a group is difficult because they are essentially individuals operating online, communicating via platforms like Telegram, who might sometimes work together.”
Sinnott said Scattered Spider was an “umbrella term for a kind of demographic” of hackers in their late teens or early 20s who are native English speaking and “don’t really fit into a box as a structure hierarchy”. Traditionally, groups that deploy ransomware – malicious software that locks up a target’s IT systems – are linked to eastern Europe and former Soviet Union countries including Russia.
The ShinyHunters group also has French links. Sebastien Raoult, a French man in his early 20s, was sentenced to three years in prison in the US last year for his activities as a ShinyHunters member.
The Telegraph first reported the activity on the Scattered Lapsus$ Hunters group.
A spokesperson for the National Crime Agency said: “We are aware of an incident impacting Jaguar Land Rover and are working with partners to better understand its impact.”
The carmaker, which is headquartered in Coventry, employs 32,800 people in the UK across 17 different sites.
JLR has been contacted for comment.
