2 hours ago
6
Joe TidyCyber correspondent, BBC World Service
A group of young English-speaking hackers are claiming to be behind the cyber attack which has halted the global production lines of Jaguar Land Rover (JLR).
The group is bragging about the hack on the messaging app Telegram, sharing screenshots apparently taken from inside the car maker's IT networks.
The gangs is also responsible for a wave of cyber attacks on UK retailers including M&S in the spring - and are calling themselves "Scattered Lapsus$ Hunters".
"Where is my new car, Land Rover," the hackers - who are thought to be teens - posted to taunt the company.
The BBC has approached JLR for comment.
In private text conversations with one of the criminals, who claims to be the spokesperson for the group, they said they are trying to extort the car company for money.
But the hacker would not say if they have successfully stolen private data from JLR or installed malicious software onto the company's network.
The hacker wouldn't provide any more evidence they are responsible for the hack - and they are known to lie to get attention.
But two images posted by the group show apparent internal instructions for troubleshooting a car charging issue and internal computer logs.
One security expert has speculated the screenshots suggest the criminals have access to information they should not have.
"Based on the information provided by the attackers and open source intelligence, the attack has access to JLR's internal systems and network," security researcher Kevin Beaumont said.
A spokesperson for the Information Commissioner's Office said: "Jaguar Land Rover has reported an incident and we are assessing the information provided."
Car production at sites including the Halewood plant in Merseyside and another in Solihull have been heavily disrupted since the attack was discovered on Sunday.
Staff have been sent home and JLR has said it's working to get manufacturing back online.
The company has not disclosed the nature of the attack.
"We took immediate action to mitigate its impact by proactively shutting down our systems, it said in a statement.
"We are now working at pace to restart our global applications in a controlled manner.
"At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."
The hackers chose the name Scattered Lapsus$ Hunters to reflect the merging of various youth-orientated cyber criminals who are all associated with a network called The Com.
Earlier this year the National Crime Agency warned of the growing threat from cyber criminals in The Com.
The newly named group is a mixture of hackers who have been part of the groups Shiny Hunters, Lapsus$ and Scattered Spider - all notorious young hacking groups of the last few years that emerged from The Com.
The Telegram channel used by the criminals now has nearly 52,000 subscribers. The group has been bragging about hacks and sharing incomprehensible in-jokes for days.
It's the forth such Telegram channel as previous ones have been closed down.
Scattered Spider is name of a loosely linked group of hackers responsible for high profile attacks on M&S, Co-op and Harrods in April and May.
In July the National Crime Agency arrested 4 people in connection to the hacks.
A 20-year-old woman was arrested in Staffordshire, and three males - aged between 17 and 19 - were detained in London and the West Midlands. All have since been released on bail.
