When cybercriminals can shut down both a luxury carmaker and a major beer producer in the same month, it’s clear that no sector is safe from operational disruption.
Jaguar Land Rover (JLR), now backed by emergency government funding, is preparing to resume production after what’s been called one of the UK’s worst cyber incidents. Meanwhile, Japanese brewer Asahi is grappling with a production halt due to a malicious cyberattack.
Experts say the attackers’ goal is no longer just about stealing sensitive data; threat actors are aiming for all-out paralysis of a business, resulting in tangible, real-world consequences.
“These recent incidents exemplify how supply chain compromises are now being targeted in the critical manufacturing sector with an explicit goal of shutting down production, sales, or logistics until the target victim pays or folds,” said Erik Avakian, a technical counselor at Info-Tech Research Group.
Protecting JLR’s “greatly impacted” supply chain
The attack on JLR began on August 31, prompting the company to pause production the next day (September 1). Tens of thousands of workers have been temporarily laid off due to the attack, and the company is estimated to be losing ₤50 million ($67.3 million) a week.
The Scattered Lapsus$ Hunters group has claimed responsibility and is believed to have employed voice phishing (vishing) to trick employees into handing over system credentials.
JLR is one of the UK’s largest exporters and operates the biggest supply chain in the UK automotive sector, which employs around 120,000 workers.
The company’s supply chain has been “greatly impacted” by the shutdown, prompting the UK government to float JLR £1.5 billion ($2 billion) via a loan guarantee. The money comes from a commercial bank, and JLR is required to pay it back over five years. JLR has confirmed that it will restart car production in the “coming days” thanks to the financial boost.
“This cyberattack was not only an assault on an iconic British brand, but on our world-leading automotive sector and the men and women whose livelihoods depend on it,” said UK Business and Trade Secretary Peter Kyle.
JLR says it continues to “work around the clock” with cybersecurity specialists, the UK Government’s National Cyber Security Centre (NCSC), and law enforcement to ensure that the restart is completed in a “safe and secure manner.”
Taps no longer flowing at Asahi
Meanwhile, Asahi Group Holdings this week announced a “system failure” caused by a cyberattack. The beer brewer has suspended order, shipment, and call center operations, including customer service desks, at group companies in Japan.
Asahi said that, as of now, there has been “no confirmed leakage” of personal information or customer data. The company is actively investigating the cause and is working to restore operations, but has no estimated recovery timeline.
Attacker ‘feeding frenzy’
David Shipley of Beauceron Security called these incidents “symptoms,” rather than root causes, of cyber risk trends in manufacturing; it is essentially the “cost of the global cybercrime tax” and is what happens when companies declare “cyber defense bankruptcy,” he said.
IT and security spending is being cut, causing organizations to “fall off the threat treadmill, and injury results,” he said. Firms are pouring capital investment into automation to make themselves more competitive, but that also makes them even more vulnerable to cyber disruption.
“These organizations’ defenses are being lowered at the worst possible time because they can’t afford to keep them up,” he said. “Threat actors see the opportunity to hit these organizations, and there’s a bit of a feeding frenzy happening now as they realize many firms are in the same situation as JLR.”
Roger Grimes, CISO advisor at human risk management platform KnowBe4, agreed that there is a concerning lack of cybersecurity investment. “After over three decades of watching malicious hacking get worse and worse, I can’t even imagine what ‘tipping point event’ would have to happen for the world to wake up and finally implement truly better cybersecurity,” he said.
Attackers still succeed with common attack methods
Although Asahi has not yet revealed how attackers penetrated its systems, JLR was the victim of a tried-and-true phishing attack.
Threat actors continue to use phishing and spear phishing simply because they work, exploiting human psychology and error, Info-Tech’s Avakian noted. When layered controls are not in place, “one click on a malicious attachment is still really all it takes for a successful compromise, without the targeted user even knowing what has occurred.”
“Ransomware can be quite disruptive,” agreed KnowBe4’s Grimes. Between 70% and 90% of successful hacks involve social engineering, he claimed, yet companies aren’t motivated to improve cybersecurity and human risk management.
The same goes for patching; Google Mandiant has reported that unpatched software and firmware are involved in 33% of successful hacks (often blended with social engineering), he pointed out, yet companies still have thousands of unpatched elements across networks and critical infrastructure.
Hackers continue to focus on unpatched VPNs, network security devices, and middleware, and perform privileged escalation through Active Directory modifications, Avakian noted. Further, they are increasingly exploiting third-party software supply chain compromises.
Once they gain unauthorized access, attackers can hide their presence and cover their tracks, and wait patiently “just for the right time” to further penetrate systems. “Some groups sit for weeks to map the business, ensuring maximum disruption,” he said.
Enterprises need a multi-layered approach
Enterprises must adopt a robust, multi-layered approach to security controls, response, and cyber hygiene, and embrace zero trust where access is “isolated, monitored, and revocable,” said Avakian. Map ERP, logistics, warehouse, and other business-critical systems, he advised, and apply safeguards like micro-segmentation, privileged user management (PAM), and multi-factor authentication (MFA).
An “assume breach” mindset is critical; this means conducting regular tabletop exercises, continuous monitoring, and threat hunting. Resilience also means reviewing incident response plans and playbooks, and employing air-gapped backups, said Avakian.
“At the end of the day, attackers are still able to succeed because they can target the chokepoints in business operations and leverage ransomware/extortion to force quick business decisions,” he said.
AI brings even more sophistication, he noted, allowing attackers to work at “tremendous speed and scale,” whether it’s faster generation of phishes, scanning, or control weakness testing.
In fact, Grimes estimate that by 2026, nearly all hacking will be AI-enabled. Organizations must meet hackers on this turf with the use of agentic AI-enabled cyber defense tools. “Good actors’ AI bots against bad actors’ AI bots, and the best algorithms will win,” he said.
