In one of the most serious cyber incidents to hit British industry, investigators are probing whether a state-backed actor or an organised crime group was behind the crippling cyber attack on the UK operations of Jaguar Land Rover (JLR).
The breach forced the company to halt production for six weeks and caused billions of dollars in damage. The assault also exposed the growing vulnerability of Britain’s manufacturing sector to sophisticated digital threats.
UK security services, including MI5, which handles counter-intelligence, are examining whether the targeted cyber attacks that paralysed the operations of Tata Group-owned JLR, and earlier hit top retailer Marks & Spencer, were aimed at disrupting major corporations, according to the Financial Times. JLR restarted production last Wednesday.
In the aftermath of the attack, the UK government gave JLR a state-backed £1.5 billion loan to cover heavy losses. The shutdown had severely hit its supply chain and brought production to a complete standstill. In addition, JLR secured a £2 billion credit line from a group of banks, most of which will be used to support its suppliers.
JLR’s supply chain is vast, employing more than 200,000 workers across several countries.
Britain’s National Crime Agency is leading the probe into the attack, working in coordination with the UK’s National Cyber Security Centre. Early findings indicate that the attackers may have been targeting JLR’s systems for over a year before finally carrying out the breach.
“It’s considered reasonably likely that there could be a hostile state behind this, although we don’t yet know either way,” a senior unnamed UK government official told the Financial Times. Britain’s security services suspect that state-sponsored or cybercriminal groups linked to China, Russia or Iran may have been involved.
JLR is Britain’s largest automobile manufacturer and one of the crown jewels of the UK industrial sector. The Tata Group, at one point, employed 60,000 workers in the UK.
The automaker is not alone in being targeted. Several leading UK companies, including Marks & Spencer, Harrods, Renault and Southern Water, have had their services disrupted by cyber attacks in recent months. Southern Water, which supplies 2.7 million homes, was also forced to suspend some operations after its systems were breached.
The timing of the incident compounded JLR’s troubles. The company was in the process of negotiating a cyber insurance deal when the attack took place, leaving it financially exposed.
The FT, in a sharply worded editorial, criticised JLR’s risk management policies, writing: “The automaker’s reckless lack of cyber insurance cover meant it had to burn through cash piles for several weeks and withhold payments to a sprawling domestic supply chain comprising around 200,000 workers.”
Cyber security research group Deep Specter Research, which conducted an independent analysis of JLR’s systems, concluded that the attacks on the company first began in late 2023. Its investigators found that during 2024, “large volumes of customer information and other data were leaked on to the dark web several times.” The group said the leaked material contained “details suggesting the data originated from JLR’s systems.”
Deep Specter also noted that “large data leaks were also spotted in 2024 at Tata Consultancy Services (TCS), which JLR uses for cyber security services.”
Both the security services and Deep Specter examined TCS’s role closely, noting that the firm had “provided services” to other companies, such as Stellantis, Renault and Marks & Spencer, that have been recent victims of cyber attacks.
TCS said it had cleared itself of wrongdoing following an internal probe. Other cyber security experts observed that because TCS has an “extensive market share” in corporate cyber security, its name has come up several times in connection with targeted companies.
Deep Specter’s co-founder, Shaya Feedman, stressed that the assault on JLR’s digital systems in August was far from random. “The hack which took place in August was definitely not a spontaneous attack,” he said. “We believe it was state orchestrated.”
Feedman added that his team’s conclusion was based on “the length of the campaign, the financial resources committed and the level of infiltration,” all of which pointed to a well-resourced and deliberate operation.
The researchers further suggested that even though TCS was not directly involved in the leaks, “the malicious activity targeting JLR appears to have started around the time that the carmaker started replacing its digital production systems with the help of various Tata Group technology units in late 2023.”
The situation was further muddied when, soon after JLR’s systems went down, a hacker calling himself “Rey” claimed responsibility, boasting that he had gained access to the company’s data. Cyber analysts believe Rey is connected to Hellcat, a hacking collective that also claimed to have breached JLR’s network. According to Deep Specter, state-backed groups or organised cybercriminal syndicates often employ individuals or smaller outfits like Rey and Hellcat as proxies to mask their own involvement and obscure the true source of an attack.
With state-sponsored and criminal hacking groups increasingly targeting major industrial players, experts warn that companies must strengthen their defences and reassess their dependence on shared digital infrastructure, or risk finding themselves, like JLR, abruptly brought to a halt.
For the UK government, the JLR breach underscores the escalating threat from cyber attacks capable of disrupting companies and supply chains, and the urgent need to bolster national defences against such breaches.