British automobile manufacturer Jaguar Land Rover (JLR) recently announced that they have been severely impacted by a cyberattack amidst a wave of ongoing disruptions for Salesforce users.
In a brief notice on Tuesday, the company said that they were forced to disconnect their systems, which affected their retail and manufacturing operations. JLR has not named Salesforce, but ShinyHunters – which the Google Threat Intelligence Group (GTIG) have named as the group potentially responsible for recent attacks on Salesforce instances – has claimed responsibility for the incident.
Several reports have claimed that the JLR infiltrators are a group of teenage English-speaking hackers who have branded themselves as “Salesforce supply chain hackers”. They have been linked to a recent large-scale attack on British supermarket Marks & Spencer.
SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help, and created a hub page for all the breaking Salesforce hack news.
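The audit steps in the note above, sketched as an added example (not code from Salesforce Ben or Salesforce): a Python triage over a constructed inventory of connected apps. The column names, the vetted-publisher list and the 90-day idle threshold are assumptions for illustration, not a Salesforce export format.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are hypothetical, not a Salesforce export format.
INVENTORY_CSV = """app_name,publisher,last_used,active_users,access_policy
Example CRM Sync,Acme Corp,2025-09-01,12,all_users_self_authorize
Example Reporting,Example Ltd,2025-08-30,4,admin_approved
My Ticket Portal,,2025-08-28,1,all_users_self_authorize
Legacy ETL,Acme Corp,2024-11-02,0,admin_approved
"""

VETTED_PUBLISHERS = {"Acme Corp", "Example Ltd"}  # assumed list of origins the org has verified
STALE_AFTER_DAYS = 90                             # assumed idle threshold for "unused"


def audit(csv_text, today, vetted=VETTED_PUBLISHERS, stale_days=STALE_AFTER_DAYS):
    """Return {app_name: [issues]} for each connected app in the inventory."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Origin: a blank or unvetted publisher means nobody can say where the app came from.
        if row["publisher"].strip() not in vetted:
            issues.append("unknown-origin")
        # Usage: never used, idle past the threshold, or no users holding a token.
        last_used = row["last_used"].strip()
        idle_days = (today - date.fromisoformat(last_used)).days if last_used else None
        if idle_days is None or idle_days > stale_days or int(row["active_users"] or 0) == 0:
            issues.append("unused")
        # Permissions: any user can authorize the app without an admin's approval.
        if row["access_policy"].strip() != "admin_approved":
            issues.append("self-authorize")
        findings[row["app_name"]] = issues
    return findings


def recommend(issues):
    """Map findings to the note's actions: remove unknown or unused apps, restrict the rest."""
    if "unknown-origin" in issues or "unused" in issues:
        return "remove"
    return "restrict" if "self-authorize" in issues else "keep"


if __name__ == "__main__":
    for app, issues in audit(INVENTORY_CSV, today=date(2025, 9, 4)).items():
        print(f"{app:20} {recommend(issues):9} {', '.join(issues) or 'ok'}")
```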
“Where Is My New Car, Land Rover?”
JLR announced the disruption to their website on Tuesday, with the hack likely taking place over the prior weekend. They released a short statement, which stated that no sensitive customer data had been stolen.
“JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner. At this stage, there is no evidence that any customer data has been stolen, but our retail and production activities have been severely disrupted.”
The breach was detected by JLR while it was actively happening, which prompted JLR to proactively shut down its IT systems and production lines across its UK plants (particularly in Merseyside/Halewood and Solihull) to contain the incident. Workers were also told via email or internal communications not to report to work.
A hacking collective going by names such as Scattered Spider, Lapsus$, ShinyHunters, and the hybrid moniker “Scattered LAPSUS$ Hunters” is claiming responsibility for a cyberattack on JLR, according to reports. This same group has been linked to previous attacks on several different British retailers.
Identified by Google threat researchers in June under the moniker UNC6240 (for ShinyHunters), the group is believed to be responsible for the recent wave of Salesforce attacks that have impacted such cybersecurity heavyweights as Palo Alto Networks, Cloudflare, and Zscaler in the last few weeks.
According to the Financial Times, the hackers took to Telegram – through a user known as “Rey” – and posted screenshots that purportedly show internal JLR IT system data, including administrative logs and documents such as troubleshooting instructions relating to car charging systems.
Per reports, they also taunted JLR, making comments such as “Where is my new car, Land Rover?”
Some of these posts also reportedly included AI-styled images mocking Salesforce staff/analysts, showing they deliberately tie their exploits back to the Salesforce ecosystem.

A spokesperson from JLR told Salesforce Ben: “We are aware of the claims relating to the recent cyber incident and we are continuing to actively investigate.”
Final Thoughts
Another day, another unfortunate hacking story. We reported a few weeks ago that this could potentially be the beginning of something much worse, and this ongoing wave of hacks by these collectives suggests we’re not out of the woods yet.
We must once again stress that these leaks do not stem from any vulnerabilities within the core Salesforce platform.
You can monitor our hub post on the topic, which will be updated as news emerges, here.