The JLR Breach: When Smart Factories Become Attack Paths

Jaguar Land Rover was breached twice in 2025 using credentials harvested in 2021. The second attack halted global production for five weeks and cost £1.9 billion. The communication shape was visible the entire time — to anyone modeling the network as a system rather than as a stream of events.

TL;DR

What happened: JLR was breached twice in six months. Same 2021 credentials. Different attackers. £1.9 billion in losses.

Why it happened: Internet-exposed Jira. Flat IT/OT architecture. No isolation capability when detected. Credentials never rotated.

What was visible in the network: Connection graphs expanding from 3 peers to 47+. First-time IT→OT boundary crossings. Outbound transfer rhythms with no precedent in the network’s own behavior.

Why nothing saw it: Signatures were clean. The communication did not belong to JLR’s own dynamics — and no system was modeling that.

Jaguar Land Rover built one of the most connected manufacturing environments in the automotive industry. SAP systems orchestrated just-in-time logistics. Production lines communicated with enterprise IT in real time. Third-party contractors collaborated through cloud-accessible Jira.

That architecture enabled attackers to move from a stolen credential to global production shutdown.

JLR was not breached because it made bad decisions. It was breached because it made incomplete ones — optimizing for efficiency without instrumenting for the risk that efficiency created.

Investigation jlr-2025-exfil-001 (status: open)

  1. 2021.xx · infostealer-harvest
     source: lg-electronics-contractor
     • credentials: jlr.jira / jlr.confluence
     • status: dormant
  2. 2025.03.04 · authn.jira · HELLCAT
     successful login
     • src 198.51.100.xx · cred age: 4yr 2mo · mfa: none
     • → 712 documents exfiltrated (47 GB)
  3. 2025.03.06 · authn.jira · APTS
     successful login
     • same credential set · src 203.0.113.xx
     • → 350 GB exfiltrated
  4. 2025.09.18 · vishing-success · SCATTERED SPIDER
     cred disclosed by employee · admin scope
     • lateral: corp → mes → opcua
     • → production halt: uk, slovakia, brazil, india
  5. 2025.10.23 · production-resumed
     five weeks of zero output · estimated loss £1.9B

Two distinct intrusions exploiting the same underlying vulnerability — one credential source, three attackers, four years apart.

2025.03 · Credential compromise → data exfiltration

The HELLCAT ransomware group obtained credentials from an LG Electronics contractor. The credentials had been harvested by infostealer malware in 2021 — four years earlier. They still worked.

JLR’s Jira instance was internet-accessible. No VPN required. No MFA enforced. The attackers did not exploit a vulnerability. They logged in.

Once inside, HELLCAT had access to internal documentation, project tracking, and — critically — architectural knowledge about JLR’s systems. Within days, they exfiltrated approximately 700 internal documents. A second threat actor, APTS, followed using the same credentials and extracted an additional 350 GB.

2025.09 · Social engineering → production shutdown

Six months later, Scattered Spider affiliates targeted JLR through voice phishing. They called employees, posed as internal IT staff, and convinced them to disclose credentials. Some had administrative privileges.

The attackers moved laterally — from corporate IT into manufacturing infrastructure. The same connectivity that enabled real-time production optimization enabled unrestricted lateral movement.

When JLR’s security team detected the intrusion, they attempted to isolate compromised systems. They could not. The architecture that connected everything for efficiency could not disconnect anything for containment. The only option was a global shutdown — the “emergency brake” that halted production across the UK, Slovakia, Brazil, and India.

Five weeks of zero output. The Cyber Monitoring Centre estimated total losses at £1.9 billion — the most financially damaging cyber event in UK history.

The attackers did not create JLR’s vulnerability. They made it visible.
2.1 Internet-exposed Jira

JLR’s Jira instance — containing project documentation, infrastructure details, and internal communications — was accessible directly from the internet. Third-party contractors could authenticate without VPN, without MFA, using credentials that had not been rotated in four years.

What should exist: Application access through SSO with enforced MFA. Time-limited contractor credentials. Automatic rotation after any security incident.

2.2 Flat IT/OT architecture

JLR’s corporate IT systems were directly connected to manufacturing execution systems (MES), SAP logistics infrastructure, and production line controllers. The “smart factory” integration meant a compromise anywhere threatened systems everywhere.

What should exist: Network segmentation following IEC 62443 or the Purdue Model. IT and OT separated by design. Connections between zones explicit, monitored, and revocable.

2.3 No isolation capability

When the September intrusion was detected, JLR could not isolate compromised segments without shutting down production. The interdependence was total.

What should exist: Microsegmentation enabling surgical isolation. Kill switches per zone. The ability to contain without catastrophic business impact.

2.4 Credential lifecycle failure

The March attackers used credentials stolen in 2021. After that breach, JLR presumably initiated remediation. Six months later, the September attackers found the same 2021 credentials still worked.

What should exist: Automatic credential expiration. Post-breach rotation of all potentially compromised accounts. Continuous monitoring for reuse of known-compromised credentials.
host: jira.jlr.internal · T=00:00:00 → 00:18:42

time · peer · tag
  • 00:01:14 · mariadb.internal · known
  • 00:01:14 · ldap.internal · known
  • 00:04:21 · fileserver.corp.jlr · new
  • 00:04:33 · dc01.corp.jlr · new
  • 00:06:52 · backup.corp.jlr · new
  • 00:09:11 · mes-controller.prod · new · IT→OT
  • 00:09:48 · sap-pi.prod · new · IT→OT
  • 00:11:23 · opcua-broker.prod · new · IT→OT
  • 00:14:09 · 198.51.100.42:443 · new · external
  • + 38 more first-contact peers

Jira’s peer set during the compromise window. The communication shape diverged from the application’s own dynamics on every axis at once — peer count, cross-zone connections, and external destinations all departing simultaneously.

3.1 Connection-graph divergence

Jira is a web application. Its endogenous communication is predictable: inbound requests from browsers, outbound connections to its database and authentication services. Three to five regular peers.

When attackers used Jira as a pivot, that shape diverged. The Jira server began initiating connections to file servers, domain controllers, backup systems, and manufacturing infrastructure — systems it had never contacted before. Not an anomaly in volume. An exogenous communication pattern imposed on a system whose own dynamics had been stable for years.

What modeling would show: A server’s peer set expanding from 3 to 47+. First-time communications to systems across multiple security zones. The imposed pattern does not belong to any legitimate Jira instance — not at JLR, not anywhere.

3.2 IT→OT boundary crossings

The September attackers traversed from corporate IT into manufacturing systems. That path — from project management infrastructure to production line controllers — had zero historical baseline. The network’s own dynamics never produced it.

What modeling would show: Corporate IT systems initiating connections to MES, SAP production modules, and industrial control systems. No precedent in the network’s own behavior. No legitimate operation that would produce it.
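The peer-set and zone-crossing checks described in 3.1 and 3.2, as an added example rather than code from the original post or any product: each host's baseline peer set is learned from its own earlier flows, and every flow outside it is tagged as new, as an IT→OT crossing, or as external. The zone map, internal ranges and flow records are constructed to mirror the peer table above and are not JLR data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map: domain suffix -> security zone (hypothetical, not JLR's).
ZONES = {"internal": "IT", "corp.jlr": "IT", "prod": "OT"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def zone_of(peer):
    """Zone of a peer: by domain suffix for names; a bare IP is 'external'
    unless it falls inside one of the internal ranges."""
    host = peer.rsplit(":", 1)[0]
    try:
        ip = ip_address(host)
        return "IT" if any(ip in n for n in INTERNAL_NETS) else "external"
    except ValueError:
        for suffix, zone in ZONES.items():
            if host.endswith("." + suffix):
                return zone
        return "unknown"

def baseline_peers(flows):
    """Peer set each host initiated connections to during the baseline window."""
    peers = defaultdict(set)
    for src, dst in flows:
        peers[src].add(dst)
    return peers

def classify_flows(flows, baseline):
    """Tag each flow outside the host's baseline: new, IT→OT crossing, external."""
    findings = []
    for src, dst in flows:
        if dst in baseline.get(src, set()):
            continue
        tags = ["new"]
        if zone_of(src) == "IT" and zone_of(dst) == "OT":
            tags.append("IT→OT")
        if zone_of(dst) == "external":
            tags.append("external")
        findings.append((src, dst, tags))
    return findings

def peer_divergence(src, baseline_flows, window_flows):
    """Summarise how far one host's peer set moved from its own baseline."""
    base = baseline_peers(baseline_flows)
    mine = [f for f in classify_flows(window_flows, base) if f[0] == src]
    return {"baseline_peers": len(base[src]),
            "window_peers": len({d for s, d in window_flows if s == src}),
            "new": len(mine),
            "it_to_ot": sum("IT→OT" in t for _, _, t in mine),
            "external": sum("external" in t for _, _, t in mine)}

# Constructed flows (src, dst) modelled on the peer table above.
JIRA = "jira.jlr.internal"
BASELINE_FLOWS = [(JIRA, "mariadb.internal"), (JIRA, "ldap.internal")]
WINDOW_FLOWS = BASELINE_FLOWS + [(JIRA, "fileserver.corp.jlr"), (JIRA, "dc01.corp.jlr"),
    (JIRA, "mes-controller.prod"), (JIRA, "opcua-broker.prod"), (JIRA, "198.51.100.42:443")]
```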

3.3 C2 beacon shape

Coordinating a global ransomware deployment requires persistent communication between attacker infrastructure and compromised systems. That communication has shape:

  • Regularity. Automated callbacks at intervals — not the irregular rhythm of human activity.
  • Persistence. Connections resume after interruption, maintained across hours and days.
  • Destination novelty. External endpoints with no prior organizational relationship.
  • Machine-timed cadence. Precise intervals that humans do not produce.
What modeling would show: Systems maintaining persistent, regular connections to external destinations they have never contacted before — communication produced by a machine, not by the system’s own users or services.

3.4 Exfiltration shape

350 GB does not leave a network all at once. Attackers chunk it, throttle it, time it for off-hours, route it through legitimate cloud infrastructure. Each individual transfer is unremarkable.

The dimensions of the communication diverge simultaneously:

alert: exfiltration.multi-dimensional · jira.jlr.internal

dimension · baseline → observed · verdict
  1. upload volume · 50 MB/wk → 350 GB/wk · 7000×
  2. destination · 3 known IPs → 1 first-contact · novel
  3. transfer rhythm · irregular → 60s cadence · machine
  4. flow direction · 95% in → 95% out · inverted
  5. time of activity · 09–17 → 02–04 · off-hours

joint signal: 5/5 dimensions departed from endogenous · critical

Five dimensions of communication shape. Any single dimension is explainable; all five diverging together is not. The joint signal is the breach.

What modeling would show: Multi-dimensional departure from the network’s own dynamics. The exogenous pattern is the joint signal — visible only to models that look at communication as a whole, not one event at a time.
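The joint-signal scoring of 3.3 and 3.4 in working form, as an added example (not code from the original post or any vendor tool): for one host, a window of transfer records is scored on cadence regularity, destination novelty, upload volume, flow direction and time of day against a hypothetical baseline, and only the joint departure is rated critical. The baseline values and both transfer windows are constructed.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Hypothetical baseline for one host; numbers are constructed, not JLR telemetry.
BASELINE = {
    "upload_bytes_per_week": 50e6,                       # ~50 MB/wk outbound
    "known_dsts": {"mariadb.internal", "ldap.internal", "backup.corp.jlr"},
    "business_hours": range(9, 18),                      # 09–17
}

def departed_dimensions(transfers, baseline=BASELINE):
    """transfers: list of (datetime, dst, bytes_out, bytes_in) for one window.
    Returns, per shape dimension, whether the window left the host's own pattern."""
    out = sum(t[2] for t in transfers)
    inn = sum(t[3] for t in transfers)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(transfers, transfers[1:])]
    # Coefficient of variation of inter-arrival times: near 0 means machine-timed.
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 1.0
    off_hours = sum(t[0].hour not in baseline["business_hours"] for t in transfers)
    return {
        "volume": out > 10 * baseline["upload_bytes_per_week"],
        "destination": any(t[1] not in baseline["known_dsts"] for t in transfers),
        "rhythm": cv < 0.1,
        "direction": (out + inn) > 0 and out / (out + inn) > 0.9,
        "time": off_hours > len(transfers) / 2,
    }

def joint_signal(transfers, baseline=BASELINE):
    """Count departed dimensions; only the joint departure is critical."""
    dims = departed_dimensions(transfers, baseline)
    n = sum(dims.values())
    severity = "critical" if n == 5 else "high" if n >= 3 else "info"
    return n, severity, dims

# Constructed windows. Exfiltration: 20 chunks of 500 MB, 60 s apart, from 02:00 UTC,
# to a first-contact external peer. Backup: small, irregular, known peer, at night.
T0 = datetime(2025, 3, 5, 2, 0, tzinfo=timezone.utc)

def constructed_exfil():
    return [(T0 + timedelta(seconds=60 * i), "198.51.100.42:443", 500e6, 1e3)
            for i in range(20)]

def constructed_backup():
    return [(T0 + timedelta(seconds=s), "backup.corp.jlr", 4e6, 3e6)
            for s in (0, 300, 730, 1200, 2500)]
```

The nightly backup departs on the time dimension alone and stays at "info", which is the point of the section: one dimension is explainable, five together are not.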

Each layer of the inherited defense stack produced exactly the output it was designed to produce. None of those outputs included the breach.

  • Endpoint detection

    Valid credentials. Normal login flows. No malware to detect. No signatures to match.

  • Perimeter security

    HTTPS to cloud infrastructure. Indistinguishable from legitimate traffic at the protocol level.

  • SIEM

    Logs recorded successful authentications. Without a model of the network’s own dynamics, every event in isolation looked ordinary.

The signatures were clean. The communication did not belong to JLR’s own dynamics.
Post-incident analysis: “JLR’s Network Detection and Response capabilities were inadequate. Monitoring systems were unable to detect anomalous behaviors — such as the misuse of native tools or the unusual volume of data egress — suggesting an over-reliance on signature-based defenses rather than behavioral analytics.”

The evidence was in the network communication:

  • Connection graphs expanding as attackers pivoted through systems.
  • IT→OT boundaries being crossed for the first time.
  • Data flowing toward exits in patterns the network had never produced.
  • Persistent external connections with machine-timed cadence.

Each is visible to a system modeling the network’s endogenous communication and detecting what does not belong.

JLR connected IT to OT because it made its factories faster. It gave contractors internet-accessible Jira because it enabled collaboration. It built integrated systems because integration drove efficiency.

None of those were wrong. They were incomplete — made without instrumenting for the risk they created.

You can have automation and segmentation. Efficiency and isolation capability. Connectivity and a system that models the network’s own communication deeply enough to recognize when something else is imposing communication into it.

The attackers did not create JLR’s vulnerability. They made it visible.

Sources

  1. Cyber Monitoring Centre — Statement on the JLR Cyber Incident
  2. CYFIRMA — Investigation Report on JLR Cyberattack
  3. Hudson Rock — HELLCAT Breach Analysis
  4. Push Security — Jira Credential Attacks
  5. The Guardian — Inside the JLR Hack