Cybersecurity Budget Allocation Challenges for Comprehensive Defense

Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The incident forced the company to shut down several systems over the weekend, including those at the Solihull plant. Customer data appears to have been affected. JLR is working to restore operations but has not provided a timeline or details about the attack. The attack occurred during the launch of new registration plates, a busy period for JLR. This is the second cyberattack JLR has suffered this year. The incident had a global impact, affecting multiple manufacturing plants in the UK. No ransomware group has officially claimed responsibility, but a group called "Scattered Lapsus$ Hunters" has claimed involvement. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, employing 39,000 people.

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the group known as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. This campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing malicious activity. The advisory provides actionable guidance and intelligence to help organizations defend against these sophisticated cyber threats. The advisory builds on previous reporting and incorporates updated threat intelligence from investigations conducted through August 2025, reflecting overlapping indicators with industry reporting on various Chinese state-sponsored threat groups. Salt Typhoon has been active since at least 2019, targeting at least 600 organizations, including 200 in the U.S., and 80 countries. The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting concerns over the transfer of system and user data to the PRC and the remote administration of technical assets. The Czech government previously accused China of targeting its critical infrastructure through APT 31, which began in 2022. China's offensive cyber activities include large-scale telco attacks by Salt Typhoon and positioning for potential destructive cyberattacks. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, as well as how defenders can protect their own environments. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has assessed the risk of significant disruptions caused by China at a 'High' level, indicating a high probability of occurrence. NUKIB confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The Chinese government has access to data stored by private cloud service providers within the Czech Republic, ensuring that sensitive data is always within its reach. NUKIB warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters manufactured by Chinese firms, as risky devices that can transfer potentially sensitive data to Chinese infrastructure. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest domain registration activity dating back to May 2020.

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa and the UK. The operation targeted high-harm and high-impact cybercrimes, including ransomware, online scams, and business email compromise (BEC). Between June and August 2025, law enforcement seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 87,858 victims worldwide. The operation involved investigators from 18 African countries and the UK, and utilized data from multiple private sector partners. Significant actions included the dismantling of 25 cryptocurrency mining centres in Angola, an online investment fraud operation in Zambia, and a transnational inheritance scam originating in Germany. Additionally, 45 illegal power stations and $37 million worth of mining and IT equipment were confiscated. A human trafficking network was also disrupted in Zambia. The operation also targeted a gang behind $300 million in investment fraud and a syndicate of Chinese nationals illegally mining cryptocurrency.

North Korean state-sponsored hackers have infiltrated companies by using fake or stolen identities to secure IT jobs. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has grown with the rise of remote work and AI, posing significant security risks to organizations. The Justice Department has disrupted several laptop farms enabling these activities, but the threat persists. The U.S. Treasury has imposed sanctions on individuals and entities involved in the scheme, highlighting the use of AI to create convincing professional backgrounds and technical portfolios. Organizations are advised to enhance supervision, access governance, and use AI tools to detect and mitigate these insider threats. Japan, South Korea, and the United States are cooperating to combat North Korean IT worker fraud schemes. The joint forum held on Aug. 26 in Tokyo aimed to improve collaboration among the three countries. The scheme involves thousands of operatives and facilitators with distinct roles, including setting up laptop farms, contacting recruiters, and processing stolen information. The North Korean remote-worker scheme has collected more than $88 million over six years. The number of North Korean operatives infiltrating companies by posing as remote IT workers has increased by 220% year-over-year. North Korean operatives have used AI-generated profiles, deepfakes, and real-time AI manipulation to pass interviews and vetting protocols. American accomplices have operated laptop farms to provide North Korean operatives with physical US setups, company-issued machines, and domestic addresses and identities. The threat of hiring fraud is escalating quickly, with over 320 cases of North Korean operatives infiltrating companies reported in August 2025.

A security flaw in Microsoft Windows, CVE-2025-29824, has been exploited by threat actors to deploy the PipeMagic malware as part of Play ransomware attacks. The vulnerability, a privilege escalation flaw in the Windows Common Log File System (CLFS), was patched in April 2025. PipeMagic, first documented in 2022, acts as a backdoor providing remote access and executing commands on compromised hosts. The malware has been observed in attacks targeting industrial companies in Southeast Asia, Saudi Arabia, and Brazil. It uses various techniques, including fake OpenAI ChatGPT apps and DLL hijacking, to deliver the malware. PipeMagic is a modular malware that uses a domain hosted on Microsoft Azure to stage additional components. The threat actor behind these attacks, tracked as Storm-2460, has been active across multiple sectors and geographies, including IT, financial, and real estate in the U.S., Europe, South America, and the Middle East. The PipeMagic backdoor has been updated to improve persistence and lateral movement within targeted networks. It uses a modified version of the GitHub ChatGPT Desktop Application project to disguise its malicious code and communicates with its C2 server over TCP. The backdoor has been observed targeting the Brazilian manufacturing sector and was the only one among the 121 vulnerabilities patched by Microsoft in April 2025 that was actively exploited in the wild.