
In a recent podcast interview with Cybercrime Magazine host David Braue, Scott Schober, cyber expert, author of "Hacked Again," and CEO of Berkeley Varitronics Systems, covers the recent Jaguar Land Rover hack, the production halt that followed, what the incident says about the current hacking landscape, and more. The podcast can be listened to in its entirety below.

 

Welcome to the Data Security Podcast, sponsored by Cimcor. I'm your host, David Braue. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way.

You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.


David: Joining us today is Scott Schober, a cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books "Hacked Again" and "Senior Cyber." Scott, thanks so much for joining me today.

Scott: Yeah, wonderful to be here with you, David.

David: So another day, another big breach that we find is making news headlines these days. This time, the target is Jaguar Land Rover, or JLR, as the company's known in the biz. It's the largest carmaker in the UK. It sells over 400,000 vehicles per year in a normal year, but thanks to some very persistent hackers at the moment, that number has dropped considerably. What's going on?

Scott: Yeah, this is a… I think a major breach, major disruption. I guess it started, what, September 1st, I believe. So now we're talking the likes of about 4 weeks now.

When something drags on this long, now it starts to affect not just a company, but it really starts to affect, in this case, you think about the supply chain.

Everybody that works with and supports Jaguar Land Rover is going to be affected one way or another, because they have to pause and stop because they've really had people come to a halt and say, hey, they can't work, and now the losses are kind of… that they're incurring are just increasing dramatically to the point where there's… there's even some articles I read, there were some… risks of some of their specific suppliers possibly facing maybe even bankruptcy, because they can't ship the goods, can't get paid, so on and so forth, so it's a terrible, terrible problem, and I think this is probably going to go on, David, for a bit longer before there's some resolve to this.

David: It's amazing to think that just one attack could so comprehensively compromise, you know, the systems of a company like this. I mean, this is not a fly-by-night operation. This is a major established manufacturer of, you know, vehicles. As you said, there's quite a considerable supply chain in place. There are companies that… their whole purpose in existing is to supply parts to Jaguar Land Rover, and now the company's had to shut down production.

Apparently, they've got sites in the UK, Slovakia, Brazil, and India. So this is not even, like, a localized thing. This is a global outage, which really is… has fundamentally disrupted the business. I mean, how do you get from one, you know, one cybercrime gang just deciding to attack a company to the point where it, you know, it hasn't been able to operate for a month there? It's clearly… would that have been the intention to start, or do they just kind of plant something in and see where it goes?

Scott: Well, I think to your point, the fact that they're such a global company. I mean, they're owned by Tata Motors, which is, I think, headquartered out of India. So now you've got this global presence, a large brand that owns many strong brands underneath it, and then you've got… It's not like you have a half dozen companies that are supplying parts, and engines, and brakes, and this and that, and you're talking about probably tens of thousands of suppliers that are all interconnected, and they mentioned that I think over 200,000 workers were directly affected by this, so…

It's a massive amount of people that are affected, and on a global scale, so you're talking now millions upon millions in revenue lost each and every day, and it totals somewhere, I think it was 72 million lost per day. 72 pounds, I guess that is, right? A million pounds, that's a lot of…

That's a lot of money, and not to mention how much profit, but really the disruption of the supply chain with all the interconnections between all these different locations and supply chain logistics just becomes just frozen, basically, and I think that's really what's happened there. They can't survive much longer, the supply chain. A big company, sure, they've got X number of dollars in the bank and contingency plans and so on and so forth, but your supply chain, those that keep the funnel going, that's what they gotta watch out. If they lose those, they stop making cars, and they'll take a tremendous hit beyond what we see right now.

David: Well, this is the thing, isn't it? Because these suppliers, I mean, they are businesses, they're often small businesses with just a few employees that make a particular, I don't know, a particular headlight, or a particular switch that goes into a particular, you know, few models of Jaguar. I mean, this is what they exist for. If they don't have a customer to sell to anymore, they're gonna have to change their business and start making switches for someone else, or whatever it is. I mean, they've got to survive in some way as well.

Your point about the 200,000 workers is a very significant one as well, because so many areas of the British economy, and this is the same, I think, with any car manufacturer, jobs are designed specifically to service the supply chain. If you tell 200,000 people to stop coming to work and you can't pay them, it's gonna cause quite a major thing. I understand that there's discussion of, you know, even government rescue packages going on with the UK, they recognise that this is such an imminent and massive threat to the national economy.

Scott: Yeah, I think that they realize if they don't step in, there will be jobs lost, there will be significant losses across many companies, and then you're trying to… you're kind of, like, in the prevention mode to prevent these companies from all declaring bankruptcy and going under, which then, in turn… a lot of times, they sell to multiple companies. It's not just a single company, but there could be. There could be some small businesses. I'll never forget, a number of years ago, I was looking for a mold maker, and I went and visited a few places, and I… one guy was local, and it was… he had, like, a super garage in the back of his house, and he made a little yellow push button, and I'm looking, I said.

There's, like, boxes with millions of them around. I said, what is this for? He goes, oh, I'm one of the approved suppliers for making the release, and it was in the glove box, I guess a trunk release or something like that. This was many years back.

And I said, that little plastic, that's your whole business? He goes, yeah. And he goes, the funny thing is, they can't count on that I'll always be here and can produce enough of them, so they actually have multiple people doing the same thing I'm doing. Their whole business is just making this button, and that's it. Because it's so important not to disrupt the supply chain, because if you're missing that one button, they can't move the car down the line and sell their X number of automobiles, and it kind of stuck with me, and I said, wow. That's one out of tens of thousands of little pieces on an automobile. You disrupt that supply chain, it really does come to a halt. Now, what we're talking about here, David, is the entire company is kind of frozen in time, and 200,000+ workers, and all of the companies that supply to them. It's just a disaster. So, in my opinion, government intervention is essential right now, just to move in so those jobs are not disappearing, and these companies don't go under, because this group, and I guess the group attributed to this is "Scattered Lapsu$ Hunters," or whatever, which I thought was kind of funny, and they're… they're English-speaking, they're hackers, and they're a group of adolescents, it said, which is kind of interesting, so…

They're techy nerds that are doing enough just to cause mayhem here. And what are they going for? I'm curious. Are they… I didn't see if there's any ransom demands or other things like that, but I'm sure we're gonna see things unfold a little bit more. What has been very interesting with Lapsu$ Hunters, and I should note that Lapsu$ apparently has a dollar sign in there as well, I'm not sure how to pronounce that. It sounds like a rapper name or something, but, Lapsu$…money hunting? I just don't know exactly what it is. I mean, I don't know, when you and I were young, I think the most rebellious things that we would get up to would be, like, you know, toilet papering the neighbor's trees or something like that.

Scott: Exactly. All of which I've done, yeah.

David: Who hasn't, really?

Scott: Yeah, of course.

David: And these days, it seems like, sort of, resistance of choice is to take down a major multinational company just because you feel like it, really.

Scott: Yeah, and I think it's interesting, if you look back at one of some of the other nefarious activities that Scattered Lapsu$ Hunters have been involved in. It talked about insurance companies, airlines, casinos, tech companies like MGM Resorts and Clorox and Coinbase, so these are well-known brands that are sizable companies with a large market capitalization, so… In my opinion, they're going after something big. They're not just looking to get some tiny ransom paid, or just cause some disruption, and for bragging rights, they're looking for some serious return here. I think that's why, to your point, this will not just end after 4 weeks or something, this will probably drag on for some period of time until we understand what the bigger picture is as it unfolds, but… serious, serious breach. My prediction is we're going to be reading about this one for years to come, perhaps in how to respond to a breach, what to do, what not to do, what could have been done differently, how they could have protected things differently, so on and so forth. So, it's going to be a teaching example for all of us.

And I think especially to the point we keep kind of circling back to, that supply chain fragility, if that's a word, how it really affects some of these large companies so much.




David: It's still an ongoing issue a month later, who knows when it's gonna actually finish, you know, to start then figuring out what happened, about what was so bad about the response. It must really irk the management of this company to think that there are a bunch of teenagers that have a key on their computer just sitting on a desktop that would make all this go away, you know? It's terrible, and particularly, I mean, Lapsu$ Hunters has been around, they've been attacking, you know, airlines, and all sorts of other businesses, but apparently in mid-September, so this is two weeks into the Jaguar shutdown, apparently they decided that they're gonna stop operating.

The cybercriminals, I don't know, did they have to go back to school or something? Or who knows what exactly happened, but they made this public announcement that they're gonna stop operating. By the way, Jaguar is on its knees, and yeah, we'll see y'all later.

Scott: I was thinking maybe that maybe they were moving in on them, and they realized, hey, if we don't say something and just disband and run, they're gonna catch us, and then we're gonna be serving some serious time, because the amount of damage they're doing here is beyond significant, and I don't think law enforcement, nor some of the companies involved, will have much patience or go lenient from the disruptions that they've caused.

David: Well, this is a thing, and maybe they've realized that this went way more out of control than what they were expecting. I mean, that's one way of looking at it, although if they were really contrite, they might have supplied a decryption key, or whatever, you know, things like that. And other people are saying, you know, that they're just making it very clear that law enforcement doesn't scare them.

Which is a little bit scary in its own right, isn't it? Because if it's, you know, if they're not scared now, and certainly not anticipating the response of a breach that has cost, I think the estimate was something like nearly $4.7 billion of damage. If they're not scared about the repercussions of that, you know, what's gonna be next?

Scott: And I often wonder what prompted them or motivated them to target them. I mean, first thoughts I had was, oh, it must be a grievance, an ex-employee, or this or that, but I don't think that's the case here.

Or was it a competitor? You start to wonder, did a competitor hire this hacker group and said, hey, take down our competitor? Man, it's possible, I'm not saying that's the case, but could you imagine how, how devastating that could be, and how helpful that could be from a competition standpoint, if the future of competitive issues end up in the, you know, by hiring a hacker to take that advantage. Anything is possible, and that's where… I think it now borderlines national economic security, when cyber attacks of this nature affect just everybody in so many different ways. We're talking about it. People have been talking about this for weeks, and… And the number of companies affected and jobs affected is just… just astounding.

David: And even if they restore operations, the way that these car companies work, they're manufacturing in a just-in-time manner, so they're only producing… or they're only getting their suppliers to produce the parts they need, like for today's cars, basically. They don't keep big inventories anymore.

So then they're going to have to basically jumpstart that entire supply chain, get it working again. This is a months-long process, and these are popular cars. Land Rovers, for instance, are something that a lot of people buy, as they've been innovating with new models and features. This is going to set them back a long, long way.

Scott: Yeah, and to your point, I didn't really think about that, but so true. Think about just brand erosion, because they've built up a solid brand. If you just watch movies, and not that we believe everything we see in the movies, but it does kind of set the pace, and you look at governments from around the world, what are they always driving in? A Land Rover. One way or another, it's usually a black one with tinted windows, and… all done up, this and that. That will affect a brand if they can't now deliver cars, and you've got all kinds of problems. People will start to search elsewhere, and they're gonna look for the competitors, and it may take years to build that brand back up again, and that is… that is just tragedy.

David: Yeah, it truly is. And it's worth mentioning as well, this isn't only about manufacturing the cars. You know, as soon as this happened, the entire, sort of, dealer support networks were shut down as well, so this meant that even existing customers couldn't book services, couldn't get replacement parts for their cars. I mean, basically anything to do with Jaguar Land Rover is on pause at the moment, and that's terrible for people that just are trying to drive their car to work and, you know, get their car fixed and that sort of thing, apart from the implications on the supply of new vehicles. That really is a very significant thing.

Now, it's interesting as well about this group, and you're saying, what do they want? It's not entirely clear, but what they have been discovering is that there seem to have been, particularly this year, a sort of a staged series of attacks on a number of companies in an industry. So we had a bunch of airlines targeted earlier this year, Air France, American, British Airways. There's been other car makers. Volvo, BMW, and Stellantis have all been hacked in the past few months as well, so it seems to be that they're just rolling through different types of industries.

What would you do if you were in an industry that's being attacked and worried that you might be next?

Scott: Yeah, that's a great point, and I think anybody that's looking at this, especially the larger companies that maybe have similar type of model that they operate under, where they're highly interconnected and large pools of workers and such, must be looking at it and saying, okay, guys, we need to carefully look at our cyber resilience here. Let's look at our plans, let's make sure that we've, you know, done everything we can within our network. Is it segmented? Have we done vulnerability assessment, penetration testing? Let's tighten up our security and look at everything across the board.

Because they're going to be targeting, obviously, other industries and companies that likely parallel the airlines, casinos, and tech companies. It's probably going to happen since, if you look back at the history of the last few years, that's what they've been doing. Despite the fact that they said they're going to be shutting down operations, many hacker groups have honestly said that, and I kind of laugh, and then you see them pop up, and they just come up with a clever name that's slightly different, and it's usually the same tactics, the similar types of attacks, similar demands.

So I think they're just reinventing themselves, and it's gonna happen tomorrow, it's gonna happen next month. They're not going away, they're not just all going back to school innocently and saying, hey, we were bad, we gotta stop doing this, it's affecting people.

David: Oh, why would you? They're having so much fun.

Scott: Oh, sure.

David: Maybe next time it'll be Lapsu$ with two dollar signs, Hunter, or something.

Scott: Yes.

David: Who knows? Who knows? And of course, the sting in the tail of all of this, as you said, you'd be kind of watching your resilience plans, checking out, seeing what you could do to avoid being hit by this.

Revelations, subsequent to this shutdown. Apparently, Jaguar Land Rover wasn't even insured for a cybersecurity attack. They were negotiating coverage with someone when this attack happened, but no insurance, which means they're going to be paying out of pocket for this.

You'd think they might have seen it coming a little bit earlier.

Scott: That I'm a little surprised at. I mean, I'm running a small company where we're 25+ engineers. We have cybersecurity insurance. Everybody I talk to has some level of cybersecurity insurance training, even if they're not in the industry.

Because they realize it's really offsetting risks to some extent. It's not going to solve your problems. Hopefully it'll make you do a better job to reinforce things and be more, you know, proactive and prevent being victims of a cyber attack, because you want to check all the boxes off and make sure you're doing all of those things, and that's good! But part of that plan, I think, is always having some cybersecurity insurance there. I thought about this, maybe the only company that might be smiling, let's say, would be Ford, because back in, I think it was 2008, Ford sold Jaguar Land Rover to Tata Motors, and Ford may be going, whew, glad it's not us this time, and pass it off to someone else, but who knows where the shoe will drop next, and who might be the next victim? We don't know.

David: There but for the grace of Lapsu$ Hunters go, right?

Scott: Yes.

David: Interesting times, as always, Scott. Thank you so much for your time today.

Scott: Yeah, thank you. Nice conversation there, David.

David: I'm David Braue, and joining me today was Scott Schober, cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books "Hacked Again" and "Senior Cyber".


The Data Security Podcast is sponsored by Cimcor. To hear our other podcasts and to watch our videos, visit us at cybercrimemagazine.com.

 

Post by Lauren Yacono
October 7, 2025