Data I/O Experiences Ransomware Attack and System Outages

Jaguar Land Rover (JLR) has extended the production shutdown for another week following a cyberattack that severely disrupted its operations. The UK government has announced a £1.5 billion ($2 billion) loan guarantee for JLR to support its supply chain, which has been greatly impacted by the shutdown. The incident, which occurred over the weekend, forced the shutdown of several systems, including those at the Solihull production plant. Customer data appears unaffected, but some data was stolen during the breach. This is the second cyberattack JLR has experienced this year, following a previous incident in March. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, with a revenue exceeding $38 billion. The attack impacted the ability to register new cars and supply parts at service points in the UK. The specific type of attack and timeline for recovery remain unspecified. A group identifying as "Scattered Lapsus$ Hunters" has claimed responsibility for the attack, posting screenshots of an internal JLR SAP system on a Telegram channel and stating that they deployed ransomware on the company's compromised systems.

The Pennsylvania Attorney General's Office has confirmed a ransomware attack that began on August 11, 2025, lasting three weeks. The attack resulted in a service outage affecting the AG's website, email, and phone systems. The AG office refused to pay the ransom and is currently investigating the incident with other agencies. The impact includes disruptions to court proceedings, though the AG office assures that criminal prosecutions and investigations will not be affected. The extent of data exfiltration, if any, remains unknown. The AG's office has confirmed the use of file-encrypting ransomware and that the attack was carried out by an outsider attempting to extort payment. The AG office has not disclosed any details about the ransomware group responsible. Partial recovery of email and phone services has been achieved, with staff operating through alternate methods.

A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against specific users, chained with a separate iOS flaw (CVE-2025-43300). The flaw allowed unauthorized users to trigger content processing from arbitrary URLs on targeted devices. Apple issued threat notifications to users targeted in mercenary spyware attacks, which included individuals based on their status or function, such as journalists, lawyers, activists, politicians, and senior officials. The attacks highlight the risks of chaining multiple vulnerabilities to compromise targets, emphasizing the need for comprehensive security measures. WhatsApp patched the issue and notified affected users. Apple has sent threat notifications multiple times a year since 2021, alerting users in over 150 countries, including a fourth campaign in France in 2025. The attacks began with the exploitation of the WhatsApp zero-day vulnerability, which was chained with an iOS flaw in sophisticated attacks. Apple has been issuing threat notifications to users targeted in these attacks, advising them to enable Lockdown Mode and seek emergency security assistance. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities, and the number of U.S. investors in spyware and surveillance technologies has increased significantly.

Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US with charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.

Jaguar Land Rover (JLR) has confirmed a data breach following a recent cyberattack that disrupted its operations. The attack, which forced JLR to shut down systems and instruct staff not to report to work, involved data theft. The company is collaborating with the U.K. National Cyber Security Centre (NCSC) to investigate the incident. A group called 'Scattered Lapsus$ Hunters', associated with Lapsus$, Scattered Spider, and ShinyHunters, has claimed responsibility for the breach, sharing screenshots of an internal JLR SAP system and claiming ransomware deployment. This attack is part of a broader pattern of Salesforce data theft attacks, which have impacted numerous organizations this year. The FBI has issued a flash alert on UNC6040 and UNC6395, groups targeting Salesforce platforms, exploiting OAuth tokens and using vishing campaigns. The group 'Scattered Lapsus$ Hunters 4.0' announced it is shutting down on September 12, 2025, possibly to avoid law enforcement attention. However, cybersecurity researchers believe the group will continue conducting attacks quietly despite their claims of going dark. ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating on attacks, leveraging each other's strengths in large-scale data theft and social engineering. This collaboration has targeted major companies across multiple sectors, including retail, insurance, and aviation. The groups have used tactics such as vishing, domain spoofing, and VPN obfuscation for data exfiltration. Recent attacks have impacted Farmers Insurance, with 1.1 million customers affected by a breach involving a third-party vendor's Salesforce database. The group 'Scattered Lapsus$ Hunters' claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement to gain access to sensitive user data. Google confirmed the creation of a fraudulent account in its LERS platform but stated that no data was accessed. The groups have been observed using similar domain formats and registry characteristics, suggesting a coordinated effort. This collaboration poses a significant threat to organizations, requiring a shift in defensive strategies to focus on behavioral patterns and proactive detection measures. The groups are now targeting Salesforce customers and may expand to financial services and technology providers. A new Telegram channel emerged, conflating ShinyHunters, Scattered Spider, and LAPSUS$, claiming to develop a ransomware-as-a-service solution. BreachForums has been commandeered by international law enforcement and turned into a honeypot. Workday confirmed a breach involving a third-party CRM system, likely linked to ShinyHunters' Salesforce attacks. Attackers used social engineering to impersonate Workday's HR department, gaining access to business contact information. Workday quickly blocked access to the compromised system and adopted additional internal security measures. The attack on Allianz Life involved the theft of personal information of 1.1 million individuals, impacting nearly 1.4 million customers. The stolen data includes email addresses, names, genders, dates of birth, phone numbers, and physical addresses. The attackers used a malicious OAuth app to gain access to Salesforce instances, and the extortion demands were signed as coming from ShinyHunters, a known extortion group. The breach was first reported by TechCrunch and confirmed by Allianz Life on July 16. The compromised data was hosted on a Salesforce database, affecting multiple companies. Scattered Spider has resumed attacks targeting the financial sector, despite previous claims of going 'dark'. The group gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management. They accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network. The group attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories. Their recent activity undercuts claims of ceasing operations, suggesting a strategic move to evade law enforcement pressure. Scattered Spider is part of a broader online entity called The Com and shares significant overlap with ShinyHunters and LAPSUS$. The group's retirement claims are likely a strategic retreat to reassess practices, refine tradecraft, and evade ongoing efforts to disrupt their activities. Scattered Spider may regroup or rebrand under a different alias in the future, similar to ransomware groups. The group's farewell letter is viewed as a strategic retreat to complicate attribution efforts and evade law enforcement. Scattered Spider's recent activity includes targeted intrusions against a U.S. banking organization, using sophisticated tactics to evade detection. The UK National Crime Agency (NCA) has arrested two teenagers, Owen Flowers and Thalha Jubair, linked to the Scattered Spider hacking collective. Owen Flowers, 18, from Walsall, and Thalha Jubair, 19, from East London, are scheduled to appear at Westminster Magistrates Court. Flowers was previously arrested in September 2024 for his alleged involvement in the Transport for London (TfL) attack and was released on bail. Additional evidence links Flowers to attacks against U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health. Thalha Jubair was charged with conspiracies to commit computer fraud, money laundering, and wire fraud, affecting at least 47 U.S. organizations. Jubair and his accomplices have received at least $115 million in ransom payments from victims. The TfL cyberattack in August 2024 disrupted internal systems and online services, and compromised customer data including names, contact details, and addresses. TfL provides transportation services to over 8.4 million Londoners through its surface, underground, and Crossrail transport systems. In May 2023, TfL experienced another security breach when the Clop ransomware gang stole data from one of its suppliers' MOVEit Managed File Transfer (MFT) servers. A member of the notorious cybercrime group Scattered Spider has turned himself in to authorities in Las Vegas. The suspect, identified by the FBI's Las Vegas Cyber Task Force, faces charges including extortion and computer-related crimes. The Clark County District Attorney's Office is seeking to transfer the juvenile to the criminal division to face charges as an adult. Meanwhile, two other suspected members, Thalha Jubair and Owen Flowers, were arrested in the UK for their involvement in the Transport for London (TfL) hack. Despite the group's announcement of shutting down operations, security researchers remain skeptical, pointing to evidence of continued activity. Three members of Scattered Spider were arrested in September 2025, following their announcement of shutting down operations. Noah Urban, a key member of Scattered Spider, was sentenced to ten years in prison for his role in SIM-swapping and cybercrime activities. Urban's role involved social engineering to gain access to sensitive systems, using tactics such as SIM-swapping and phishing. Urban's activities included breaching T-Mobile's customer service portal and exploiting a Twilio employee's credentials. The group 0ktapus, which includes Scattered Spider members, was involved in high-profile breaches, including the theft of personal information from Gemini Trust. A man from West Sussex was arrested in connection with a ransomware attack that disrupted operations at several European airports, including Heathrow. The ransomware variant used in the attack was identified as HardBit, described as an "incredibly basic" variant. The attack affected Collins Aerospace baggage and check-in software, causing flight delays at multiple airports. The Co-operative Group in the U.K. reported a loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack caused a revenue reduction of £206 million ($277 million) and additional losses of £20 million ($27 million) expected for the second half of 2025. The Co-op Group operates 2,300 food retail stores and 59 franchise stores. The cyberattack forced the Co-op to shut down parts of its IT systems, causing disruptions to back-office and call-center services. Scattered Spider affiliates were responsible for the Co-op cyberattack, stealing personal data of 6.5 million members. The Co-op had to rebuild its Windows domain controllers and extend system unavailability due to the attack. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response to the attack prevented encryption but resulted in significant financial impact and operational disruptions. The Co-op implemented manual processes, rerouted items, and offered discounts to mitigate the impact of the cyberattack. The Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco, due to the cyberattack. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.