Feature Jaguar Land Rover (JLR) is the latest UK household name to fall victim to a major cyberattack. IT systems across multiple sites have been offline for over a week after what the company described as a “severe disruption.”
The attack stalled production and dealer operations across its global network when attackers hit on August 31, leading to shutdowns at its Solihull plant, and meant that UK dealers couldn’t register new vehicles or supply parts. Its factories will reportedly remain closed until Wednesday at the earliest, according to reports earlier this week.
## $380M lawsuit claims intruder got Clorox’s passwords from Cognizant simply by asking
READ MORE
Since the attack, a group calling itself “Scattered Lapsus$ Hunters” has claimed responsibility – the same group claiming to be behind the Marks & Spencer breach. These hackers, believed to be teens, are now taunting the company and bragging about their actions on Telegram, sharing screenshots of information from supposedly inside JLR’s IT system.
What makes JLR’s case noteworthy is its speed of response. The company quickly shut down IT across its distributed operations, presumably to prevent attackers from moving laterally through their system and causing wider damage. It was disruptive, no doubt, but in the face of a live attack, it was a bold and necessary call.
Attacks on the manufacturing sector are not new. In August 2023, US manufacturer Clorox suffered a breach that disrupted production, forced it to revert to manual order processing, and was tracked back to a compromise by its third-party IT service provider. Third-party software suppliers have also been targeted. And Microsoft’s troubles with the Russian state-backed “Midnight Blizzard” attackers showed how even one overlooked legacy system can give attackers access to senior executives’ inboxes and even source code.
The lesson is clear. It’s not if an organization will be tested; it’s when. So, how can businesses across the UK be better prepared?
### 1. Act quickly
JLR’s swift action to isolate its systems likely limited the damage. Many organizations hesitate, paralyzed by the fear of disrupting business operations, but this delay can be catastrophic. Companies must pre-authorize who can isolate systems, revoke access, or shut down connections in the event of an attack. These decisions should be agreed upon at the board level and regularly rehearsed.
## Ex-NSA bad-guy hunter listened to Scattered Spider’s fake help-desk calls: ‘Those guys are good’
READ MORE
### 2. Diversify your tech stack
Many businesses rely entirely on Microsoft’s ecosystem – 365, Azure, and Active Directory. While this offers seamless integration, it creates vulnerabilities, including increased supply chain risk and dangerous vendor lock-in.
Monocultures breed risk and major software supply chain incidents are becoming more prevalent. When attackers compromise one component, like a legacy test account, Microsoft’s deep interconnectedness allows them to move laterally and gain access to other critical systems, as seen in the “Midnight Blizzard” attack on Microsoft itself.
Furthermore, companies shouldn’t be forced to stay with vendors due to restrictive licensing and prohibitive switching costs. This lock-in problem is so severe that it has prompted significant regulatory scrutiny, but the Competition and Markets Authority (CMA) must go further on its enforcement, ensuring businesses can diversify without punitive exit costs.
### 3. Secure Active Directory
Attackers often target identity systems like Active Directory in Microsoft 365. The Marks & Spencer breach reportedly involved the theft of an Active Directory database, which is essentially a master key to every password.
The Microsoft breach began with a simple “password spray” attack against a forgotten system. The hackers exploited a legacy test account that was not protected by phishing-resistant multi-factor authentication (MFA). This highlights a foundational flaw. Businesses must eliminate weak and legacy authentication methods and roll out phishing-resistant logins, such as FIDO2 keys, for all users. You also need to implement robust monitoring for unusual login attempts. The Microsoft incident underscores that attackers will find and exploit the weakest link, no matter how small or seemingly insignificant.
### 4. Understand who has access
A new frontier of attacks bypasses users entirely by exploiting the trust given to connected apps. This was seen in the Salesloft/Drift incident. OAuth tokens, which grant one application access to another, must be treated like passwords — scoped tightly, rotated often, and monitored for suspicious activity. Businesses need to know what apps have access to their data and why that access is necessary.
### 5. Zero trust model
Adopting a Zero Trust model is also something that companies should be moving toward. The core idea is that no user, device, or system is trusted by default, and access is granted only when identity, posture, and context are verified. For well-established businesses with decades-old legacy systems, this is a significant undertaking, but it is a necessary one.
### The final takeaway
JLR’s quick decision to isolate its systems hopefully saved it from deeper harm. That decisiveness should serve as a model for other organizations. But containment alone is not enough.
The Microsoft “Midnight Blizzard” attack is a powerful case study in how a single, unpatched vulnerability or unprotected legacy system can lead to a widespread and deeply-damaging breach. Until businesses harden their identity systems, lock down integrations, and ensure they have choice over their tech providers to avoid vendor lock-in, these cyberattacks will keep coming.
Attackers need patience. Defenders need urgency. ®
Bill McCluggage is a technology advisor and senior exec. He served as the first Chief Information Officer for the Irish Government beginning in 2013, previously holding roles such as Deputy UK Government CIO, Executive Director for IT Policy & Strategy in the UK Cabinet Office, Director of eGovernment and CIO in Northern Ireland, and CTO for EMC (Dell EMC) Systems in the UK and Ireland.
**Get our** Tech Resources
Feature Jaguar Land Rover (JLR) is the latest UK household name to fall victim to a major cyberattack.
And Microsoft’s troubles with the Russian state-backed “Midnight Blizzard” attackers showed how even one overlooked legacy system can give attackers access to senior executives’ inboxes and even source code.
Companies must pre-authorize who can isolate systems, revoke access, or shut down connections in the event of an attack.
The Microsoft breach began with a simple “password spray” attack against a forgotten system.
For well-established businesses with decades-old legacy systems, this is a significant undertaking, but it is a necessary one.
Feature Jaguar Land Rover (JLR) is the latest UK household name to fall victim to a major cyberattack. IT systems across multiple sites have been offline for over a week after what the company described as a “severe disruption.”
The attack stalled production and dealer operations across its global network when attackers hit on August 31, leading to shutdowns at its Solihull plant, and meant that UK dealers couldn’t register new vehicles or supply parts. Its factories will reportedly remain closed until Wednesday at the earliest, according to reports earlier this week.
$380M lawsuit claims intruder got Clorox’s passwords from Cognizant simply by asking
READ MORE
Since the attack, a group calling itself “Scattered Lapsus$ Hunters” has claimed responsibility – the same group claiming to be behind the Marks & Spencer breach. These hackers, believed to be teens, are now taunting the company and bragging about their actions on Telegram, sharing screenshots of information from supposedly inside JLR’s IT system.
What makes JLR’s case noteworthy is its speed of response. The company quickly shut down IT across its distributed operations, presumably to prevent attackers from moving laterally through their system and causing wider damage. It was disruptive, no doubt, but in the face of a live attack, it was a bold and necessary call.
Attacks on the manufacturing sector are not new. In August 2023, US manufacturer Clorox suffered a breach that disrupted production, forced it to revert to manual order processing, and was tracked back to a compromise by its third-party IT service provider. Third-party software suppliers have also been targeted. And Microsoft’s troubles with the Russian state-backed “Midnight Blizzard” attackers showed how even one overlooked legacy system can give attackers access to senior executives’ inboxes and even source code.
The lesson is clear. It’s not if an organization will be tested; it’s when. So, how can businesses across the UK be better prepared?
1. Act quickly
JLR’s swift action to isolate its systems likely limited the damage. Many organizations hesitate, paralyzed by the fear of disrupting business operations, but this delay can be catastrophic. Companies must pre-authorize who can isolate systems, revoke access, or shut down connections in the event of an attack. These decisions should be agreed upon at the board level and regularly rehearsed.
Ex-NSA bad-guy hunter listened to Scattered Spider’s fake help-desk calls: ‘Those guys are good’
READ MORE
2. Diversify your tech stack
Many businesses rely entirely on Microsoft’s ecosystem – 365, Azure, and Active Directory. While this offers seamless integration, it creates vulnerabilities, including increased supply chain risk and dangerous vendor lock-in.
Monocultures breed risk and major software supply chain incidents are becoming more prevalent. When attackers compromise one component, like a legacy test account, Microsoft’s deep interconnectedness allows them to move laterally and gain access to other critical systems, as seen in the “Midnight Blizzard” attack on Microsoft itself.
Furthermore, companies shouldn’t be forced to stay with vendors due to restrictive licensing and prohibitive switching costs. This lock-in problem is so severe that it has prompted significant regulatory scrutiny, but the Competition and Markets Authority (CMA) must go further on its enforcement, ensuring businesses can diversify without punitive exit costs.
3. Secure Active Directory
Attackers often target identity systems like Active Directory in Microsoft 365. The Marks & Spencer breach reportedly involved the theft of an Active Directory database, which is essentially a master key to every password.
The Microsoft breach began with a simple “password spray” attack against a forgotten system. The hackers exploited a legacy test account that was not protected by phishing-resistant multi-factor authentication (MFA). This highlights a foundational flaw. Businesses must eliminate weak and legacy authentication methods and roll out phishing-resistant logins, such as FIDO2 keys, for all users. You also need to implement robust monitoring for unusual login attempts. The Microsoft incident underscores that attackers will find and exploit the weakest link, no matter how small or seemingly insignificant.
4. Understand who has access
A new frontier of attacks bypasses users entirely by exploiting the trust given to connected apps. This was seen in the Salesloft/Drift incident. OAuth tokens, which grant one application access to another, must be treated like passwords — scoped tightly, rotated often, and monitored for suspicious activity. Businesses need to know what apps have access to their data and why that access is necessary.
5. Zero trust model
Adopting a Zero Trust model is also something that companies should be moving toward. The core idea is that no user, device, or system is trusted by default, and access is granted only when identity, posture, and context are verified. For well-established businesses with decades-old legacy systems, this is a significant undertaking, but it is a necessary one.
The final takeaway
JLR’s quick decision to isolate its systems hopefully saved it from deeper harm. That decisiveness should serve as a model for other organizations. But containment alone is not enough.
The Microsoft “Midnight Blizzard” attack is a powerful case study in how a single, unpatched vulnerability or unprotected legacy system can lead to a widespread and deeply-damaging breach. Until businesses harden their identity systems, lock down integrations, and ensure they have choice over their tech providers to avoid vendor lock-in, these cyberattacks will keep coming.
Attackers need patience. Defenders need urgency. ®
Bill McCluggage is a technology advisor and senior exec. He served as the first Chief Information Officer for the Irish Government beginning in 2013, previously holding roles such as Deputy UK Government CIO, Executive Director for IT Policy & Strategy in the UK Cabinet Office, Director of eGovernment and CIO in Northern Ireland, and CTO for EMC (Dell EMC) Systems in the UK and Ireland.
Get our Tech Resources
