In recent years, cybersecurity experts have warned that critical industry sectors were at higher risk of potentially catastrophic attacks if they were targeted by sophisticated ransomware or nation-state threat groups.
Those warnings no longer appear to be hypothetical scenarios; they have increasingly played out in real time as major industrial providers have seen their production capacities stalled for weeks and supply chains left in a state of paralysis.
The automotive sector, which is dependent on Internet of Things technology and wireless connections and is increasingly built on AI, has experienced some of the most disruptive attacks in recent memory.
“The reality of modern cyber threats, particularly across critical infrastructure and manufacturing, demands a fundamental shift in mindset,” said Paul Shaver, Mandiant’s global practice lead for OT security at Google Cloud. “We need to stop seeing this as a game of pure prevention and start treating it as disaster preparedness.”
The global auto industry has become a prime target for sophisticated attacks from a variety of threat groups, said Matt Brady, senior principal researcher at Palo Alto Networks Unit 42.
“The auto industry is highly susceptible because of its extremely low tolerance for downtime, and the consequences are severe,” Brady told Cybersecurity Dive, naming “immediate, prolonged (weeks to months) production shutdowns, staggering long-term financial damage and even potential regulatory fines and credit rating downgrades.”
In recent years, the automotive industry has undergone a series of attacks interrupting critical supply chains.
A June 2024 attack against CDK Global, which provided management software for more than 15,000 dealerships across the U.S., led to widespread system outages. The incident impacted sales, inventory, customer relationship management and the ability to service vehicles.
In a report from Rockwell Automation that same year, auto manufacturers ranked cyber risk as their top external concern.
“From a cybersecurity liability perspective, there is cause for concern that the digital elements regularly used in new production cars are not secure by design, due to the lack of even basic foundational security controls,” said Chad Humphries, solution consultant, networks and cybersecurity, at Rockwell Automation.
The risk is compounded by the strong emphasis that OEMs place on the connected car experience, he added.
In one of its last major cyber-related actions during the Biden administration, the Department of Commerce in January of this year issued a final rule banning the sale of connected vehicles and related software and hardware from Russia and China. The administration cited concerns about hacking groups such as the state-linked Volt Typhoon, which has been targeting critical infrastructure systems for disruptive attacks, as well as concerns over mass surveillance of customer data.
These car-software restrictions are set to take effect starting with vehicles in the model year 2027, while hardware restrictions will begin for autos in the model year 2030.
The Trump administration also has been closely monitoring security issues related to the automotive sector, including the security of critical systems, such as steering and braking, and the growing use of software designed features in modern vehicles.
“While these trends support important safety features and satisfy consumer demand, they enable the potential for a bad actor to cause harm,” Peter Simshauser, chief counsel at the National Highway Traffic Safety Administration, said in a keynote address at the Automotive Information Sharing and Analysis Center conference in September.
Meanwhile, a wave of cyber-related disruptions to automakers in recent weeks has raised questions about whether the sector is being specifically targeted by threat groups.
Critical sectors
The Jaguar Land Rover attack was a stark example of how a successful hack can lead to catastrophic downstream impacts on third-party vendors, regional economies and even international supply chains.
With more than 34,000 workers in its home country, JLR is considered one of the largest exporters and employers in the U.K., according to the U.K. Department for Business and Trade. The company also has one of the largest supply chains in the U.K. auto sector, involving more than 120,000 workers.
During fiscal 2025, JLR reported $39 billion (29 billion pounds) in annual revenue and sold nearly 429,000 vehicles, according to the company’s annual report.
JLR has not specified how the hackers gained access to its systems, but security researchers said the automaker had been dealing with significant cyber risk problems in the months leading up to the attack. Like many modern car manufacturers, JLR has undergone significant technology upgrades in recent years to enable smarter, faster and more efficient production.
The company entered a partnership with Tata Technologies in 2023 to deliver end-to-end enterprise resource planning software and transform its logistics and supply chain. Under the agreement, SAP S/4HANA was integrated into the company’s existing software.
Researchers at Onapsis noted that the threat group ShinyHunters in August leaked exploit code related to an SAP vulnerability that was used in a wave of attacks this year, and researchers at Sophos previously told Cybersecurity Dive that a group affiliated with Scattered Spider, Lapsus$ and ShinyHunters had claimed credit for the JLR attack.
In March, researchers at Hudson Rock said that JLR was the target of a hack using infostealer malware. That incident was linked to a ransomware group known as Hellcat.
Supply chain disruption
The JLR cyberattack had a direct impact on auto production, as the company last week warned that retail sales fell 17%, to 85,495 units, during the second fiscal quarter, compared with year-ago figures.
Wholesale volumes were even worse, falling 24%, to 66,165 units, for the quarter ended Sept. 30, compared with year-ago totals.
A key supplier for JLR told Cybersecurity Dive that once JLR was forced to halt production after the attack, the company continued production of whatever stocks it had available on hand until they basically ran out.
“At the beginning you can continue with the production [in] stock, but it doesn’t last for long,” the vendor, who asked not to be identified, told Cybersecurity Dive. “So the longer the situation takes, the more difficult it becomes.”
Vertu Motors plc, a leading U.K. automobile dealership with 191 locations, warned in its six-month earnings report that the JLR attack would have a $7.3 million (5.5 million pound sterling) impact on fiscal 2026 earnings, depending on the timing of restoration. Vertu, which has 10 locations that sell JLR vehicles, said it plans to file a claim on an insurance policy that includes business-interruption coverage for third-party disruptions.
“We will clearly update shareholders on the impact over the next few months on the cyberattack and indeed on the impact of any potential upside from an insurance claim,” Robert Forrester, CEO of Vertu Motors, told analysts on a conference call.
After visiting the company and key vendors, the U.K. Department for Business and Trade in September said it would support a $2 billion (1.5 billion pound sterling) loan guarantee to help restore JLR’s supply chain. The company had reportedly been in talks with insurance broker Lockton, but failed to secure cyber insurance coverage prior to the attack, according to a report by The Insurer.
JLR took its first major step toward full recovery last week, with a phased restart of two major operations at its Electric Propulsion Manufacturing Centre and its Battery Assembly Centre, in the West Midlands region of the U.K. Other key facilities relaunched, including its stamping operations, body and paint shops and its Logistics Operations Center, which sends auto parts to other manufacturing sites.
Analysts warned, however, that recovery from such a major cyberattack remains fraught with security risks, as the hackers have had access to JLR systems for an extended period of time.
“Most likely what they’re dealing with right now is, where can we recover to before the bad guys were in our environment,” said Mike Lipinski, a partner at Plante Moran, a wealth management firm that advises companies on risk management and other issues.
Moody’s, however, warned the cyberattack could have significant financial impacts on JLR and cut the company’s outlook to negative. The agency now forecasts JLR revenue could fall 14%, to less than 25 billion pound sterling ($33.3 billion), for fiscal 2026.
Bridgestone Americas cyberattack
Bridgestone Americas, the U.S.-based subsidiary of Japan-based tire maker Bridgestone Corp., was the target of a separate incident in early September. The attack led to production halts at multiple facilities in the U.S., Canada and Latin America. The company operates more than 50 sites in the region and employs more than 55,000 people.
The company on Thursday said it had “successfully reconnected the impacted facilities” to its network. “We are actively working to restore production at these facilities to pre-incident production levels,” a spokesperson told Cybersecurity Dive.
The cyberattack forced Bridgestone to use imported shipments to help fill backlogs, Bloomberg reported, and will have impacts on the company during the second half of the year.
CEO Shuichi Ishibashi spoke to Bloomberg last week about the impact of tariffs, the attack and other issues. He told the media outlet that Bridgestone Americas was closely monitoring the restart of production for any safety and security issues stemming from the cyberattack. Bridgestone is scheduled to report earnings in November, and the company is maintaining full-year guidance, according to the Bloomberg report.
Stellantis N.V. in recent weeks was also impacted by a cyber breach at a third-party customer service center that supports its North American business. Hackers related to ShinyHunters claimed more than 18 million records were obtained, according to researchers from Sophos.
Stellantis said the breach was limited to the exposure of customer contact data, but no sensitive financial data was stolen.
UK prioritizes cyber resilience
The cyberattack on JLR, combined with earlier ransomware incidents targeting Marks & Spencer and Coop Group, led U.K. authorities to take decisive action. The National Cyber Security Centre in the U.K. released its ninth annual review Tuesday showing a record 204 “nationally significant” cyberattacks, including 18 characterized as “highly significant.”
NCSC CEO Richard Horne in a presentation of the report Monday warned that businesses must take ownership for managing cyber risk at the highest levels of corporate leadership. He said they also must develop plans to maintain operations.
“Every leader, whether you’re one person at your kitchen table or the boss of thousands of people, you must have a plan to defend against criminal cyber attacks,” Horne said. “And ... you must have a plan for continuity.”
Horne and other U.K. officials also wrote a letter to corporate CEOs urging them to take direct action to prioritize cyber resilience as a board-level concern. In a September speech before the Billington Cybersecurity Summit in Washington, D.C., Horne had signaled that U.K. authorities planned to place new emphasis on business resilience in light of a series of high-profile disruptive attacks.