Monday, April 21, 2025

Jaguar Land Rover Hit by HELLCAT Ransomware Using Stolen Jira Credentials


The HELLCAT ransomware group has claimed responsibility for a significant data breach at Jaguar Land Rover (JLR), exposing large volumes of sensitive data, including proprietary documents, source code, employee information, and partner details.

The attack follows the pattern previously observed against Telefónica, Schneider Electric, and Orange: the group relies on compromised employee credentials, specifically Atlassian Jira logins harvested by infostealer malware.

The Breach

At the core of this breach is a technique that has become increasingly effective: infostealer malware harvests credentials from an infected device, and those credentials are then used to log in to critical corporate systems.


In this case, the compromised credentials belonged to an LG Electronics employee whose device had been infected by an infostealer; that employee's account had access to JLR’s Jira server.

Hundreds of internal files from the company are found in the leak

The attack allowed the threat actor, known as “Rey,” to leak hundreds of internal files from JLR.

Hudson Rock, a cybersecurity firm tracking infostealer infections, noted that thousands of companies have Jira-related compromised credentials from such infections.

Hudson Rock’s cybercrime intelligence database, composed of over 30,000,000 computers infected with infostealers, shows thousands of different companies have Jira-related compromised credentials from infostealer infections

The firm’s database of over 30 million infected computers underscores the widespread nature of this threat.

Days after Rey’s initial announcement, a second threat actor, operating under the alias “APTS,” emerged, claiming to have used similarly stolen credentials dating from 2021 to access JLR’s systems.

This led to an even larger data exfiltration, estimated at 350 gigabytes. APTS shared screenshots of a Jira dashboard, displaying additional sensitive data and confirming that the credentials used matched those in Hudson Rock’s database.

The Attack Method: Infostealers and Jira

HELLCAT’s modus operandi involves the silent infection of employee devices through phishing emails, malicious downloads, or compromised websites.

The login credentials that were used to perform the breach, detected years ago by Hudson Rock’s Cavalier

Once installed, infostealer malware such as Lumma (implicated in the Schneider Electric breach) extracts saved login credentials for corporate systems, which are then sold or traded on the dark web.

In the JLR breach, Rey confirmed that the Atlassian Jira instance was the entry point, which illustrates how readily a single stolen credential can be turned into privileged access and bulk extraction of sensitive data.

A Credential Time Bomb

What makes the JLR breach particularly alarming is the age of the compromised credentials. Hudson Rock had previously identified these stolen login details as part of its vast database.

The fact that these credentials remained valid and unchanged in JLR’s systems points to a critical gap in how corporate credentials were managed and rotated.

The breach demonstrates the long-lasting threat posed by infostealer malware.

It joins a string of high-profile attacks (Telefónica, Schneider Electric, and Orange) that show how such infections can facilitate social engineering, blackmail, and AI-amplified leaks.

JLR’s case illustrates the enduring danger of unaddressed legacy credentials.

APTS leaking additional data from Jaguar Land Rover

For organizations, the lesson is clear—infostealer infections are not isolated incidents but ongoing threats.

Harvested credentials can remain usable for years unless the organization monitors for exposed credentials, enforces multi-factor authentication (MFA), and rotates credentials promptly, including those issued to partners and suppliers with access to internal systems.

Atlassian Jira, central to enterprise engineering and project workflows, has become a prime target because so much internal data is concentrated in it. Threat actors like HELLCAT can readily escalate privileges and extract data once inside.
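One way to operationalize that lesson, as an added example that is not code from the article, JLR, or Hudson Rock: a small Python triage routine that joins an infostealer credential feed against the accounts allowed into a Jira instance and reports which stolen passwords are still live. The record layouts, the host name and the sample data are constructed for this example, not real feed or identity-provider schemas. The check it turns on is the one the breach turned on: a password captured on a given day stays valid until it is rotated after that capture date, however old the leak is.

```python
"""
Stale-credential exposure triage for a Jira instance.

Added example, not code from the article, JLR or Hudson Rock. Inputs are two
constructed datasets: infostealer-harvested login records (service the login
is for, username, capture date) and an export of accounts that can log in to
Jira (status, MFA enrolment, last password change, internal/external). The
record layouts are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LeakRecord:
    target_host: str   # service the stolen login belongs to (assumed field)
    username: str
    leaked_on: date    # day the stealer log was captured (assumed field)


@dataclass(frozen=True)
class Account:
    username: str
    active: bool
    mfa_enrolled: bool
    password_changed_on: date
    external: bool     # partner or contractor account, not a direct employee


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str      # "critical", "high", "low" or "info"
    days_exposed: int  # days since the newest capture of this login
    reason: str


SEVERITY_RANK = {"critical": 0, "high": 1, "low": 2, "info": 3}


def triage(leaks, accounts, jira_hosts, today):
    """Return one Finding per leaked Jira login, worst first."""
    hosts = {h.lower() for h in jira_hosts}
    by_user = {a.username.lower(): a for a in accounts}

    # Keep only the newest capture per user: an older capture of the same
    # login cannot contain a newer password than the latest one does.
    newest = {}
    for leak in leaks:
        if leak.target_host.lower() not in hosts:
            continue
        user = leak.username.lower()
        if user not in newest or leak.leaked_on > newest[user].leaked_on:
            newest[user] = leak

    findings = []
    for user, leak in newest.items():
        days = (today - leak.leaked_on).days
        acct = by_user.get(user)
        origin = "external " if acct is not None and acct.external else ""
        if acct is None:
            sev, why = "info", "leaked login for an unknown account; confirm it was deprovisioned"
        elif not acct.active:
            sev, why = "info", "account disabled; stolen password cannot be used"
        elif acct.password_changed_on > leak.leaked_on:
            # Rotation happened after the capture, so the stolen password is dead.
            sev, why = "low", f"{origin}account rotated password on {acct.password_changed_on}, after capture"
        elif acct.mfa_enrolled:
            # Password still live; MFA is the only thing between the stealer log and Jira.
            sev, why = "high", f"{origin}account password unchanged since capture; MFA is the only barrier, rotate now"
        else:
            sev, why = "critical", f"{origin}account password unchanged since capture and no MFA; login will succeed"
        findings.append(Finding(user, sev, days, why))

    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], -f.days_exposed))
    return findings


# Constructed sample data: a 2021 capture of a partner account that was never
# rotated (the JLR pattern), plus rotated, MFA-only, disabled and unknown cases.
TODAY = date(2025, 3, 12)
JIRA_HOSTS = ["jira.example.com"]
SAMPLE_LEAKS = [
    LeakRecord("jira.example.com", "partner.dev", date(2021, 6, 3)),
    LeakRecord("jira.example.com", "partner.dev", date(2020, 11, 1)),  # older capture, same login
    LeakRecord("jira.example.com", "alice", date(2024, 1, 15)),
    LeakRecord("jira.example.com", "bob", date(2023, 9, 2)),
    LeakRecord("jira.example.com", "ghost", date(2022, 2, 2)),
    LeakRecord("jira.example.com", "carol", date(2022, 5, 5)),
    LeakRecord("mail.example.com", "dave", date(2024, 8, 8)),  # not a Jira login, ignored
]
SAMPLE_ACCOUNTS = [
    Account("partner.dev", True, False, date(2019, 4, 10), True),
    Account("alice", True, True, date(2024, 2, 1), False),
    Account("bob", True, True, date(2022, 1, 1), False),
    Account("carol", False, False, date(2021, 1, 1), False),
]


def run_sample():
    return triage(SAMPLE_LEAKS, SAMPLE_ACCOUNTS, JIRA_HOSTS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.username:12} {f.days_exposed:5}d  {f.reason}")
```

Run against a real feed, the "critical" rows are the ones to rotate and lock before anything else; the "low" rows show rotation working, which is the evidence an incident review wants. The external flag is there because the JLR entry point was a partner employee's account, and those accounts are routinely left out of an organization's own rotation and MFA policies.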

As JLR assesses the damage and secures its systems, the cybersecurity community prepares for potential follow-up attacks. The leaked data could fuel targeted phishing campaigns or intellectual property theft, especially with AI tools capable of amplifying the impact of such breaches.

Given HELLCAT’s success, copycat operations are likely, with infostealer credentials remaining highly sought after on the dark web.

This incident serves as a stark reminder of the importance of proactive cybersecurity measures, including robust credential management and the integration of cybercrime intelligence APIs to enhance existing cybersecurity solutions.

For organizations seeking to protect against imminent intrusions due to info-stealer infections, Hudson Rock offers solutions to enrich cybersecurity solutions with its cybercrime intelligence API. 


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
