Jaguar Land Rover Breached by HELLCAT Ransomware Group Using Its Infostealer Playbook, Then a Second Hacker Strikes

By Alon Gal, March 2025 (InfoStealers)

In a repeat of a now-familiar playbook, the HELLCAT ransomware group has claimed responsibility for a massive data breach targeting Jaguar Land Rover (JLR), leaking gigabytes of sensitive information including proprietary documents, source code, and employee and partner data.

The breach, executed by a threat actor known as "Rey", mirrors a pattern of attacks that Hudson Rock researchers have previously detected against high-profile victims such as Telefónica, Schneider Electric and Orange.

At the heart of this latest incident lies a technique that has become HELLCAT's signature, and one that has proven devastatingly effective: infostealer malware harvests credentials from infected employee devices, and those credentials are then used to walk straight into critical systems such as Atlassian Jira.

In this case, the compromised credentials belonged to an LG Electronics employee who had been infected by an infostealer and who held third-party credentials to JLR's Jira server.

Just days after Rey's initial announcement, the Jaguar Land Rover breach took an even darker turn. A second threat actor, operating under the alias "APTS", emerged with his own thread on the forum, claiming to have used infostealer credentials dating all the way back to 2021, also belonging to an LG Electronics employee, to access JLR's systems and exfiltrate an even larger amount of data from the company.

APTS shared a screenshot of a Jira dashboard and displayed additional sensitive data. They also confirmed that the credentials used matched the ones in Hudson Rock's database.

APTS leaked a further tranche of data, estimated at an even more worrying 350 gigabytes, containing material that did not exist in Rey's dump.

HELLCAT's modus operandi is very efficient. Infostealer malware, such as Lumma, which was implicated in the Schneider Electric breach, silently infects employees' devices, often through phishing emails, malicious downloads or compromised websites. Once embedded, the malware exfiltrates sensitive data, including login credentials for corporate systems. These stolen credentials are then sold or hoarded on the dark web, waiting for threat actors like Rey and APTS to exploit them.

In the Jaguar Land Rover breach, following the thread posted by APTS and a short confrontation between the two threat actors, Rey himself publicly confirmed that the entry point was an Atlassian Jira instance, while referencing Hudson Rock's research on his Telefónica hack.

What sets the JLR breach apart is the age of the compromised credentials. Hudson Rock, which has tracked infostealer infections since at least 2018, had previously identified the employee's stolen login details as part of its database of exposed credentials. Despite their age, the credentials remained valid and unchanged within JLR's systems, a lapse that the attackers exploited years later. This delay between infection and exploitation is a reminder of the long tail of infostealer campaigns, where stolen data can linger as a latent threat until the right buyer comes along.

The Jaguar Land Rover breach is the latest in a string of high-profile attacks that expose the devastating potential of infostealer malware. Telefónica's breach demonstrated how such infections can enable social engineering, while Schneider Electric's ordeal revealed the blackmail potential of stolen data. Orange's case illustrated how AI can amplify these leaks into hacker paydays. Now JLR's breach adds a new layer: the enduring danger of legacy credentials left unaddressed.

For organizations the lesson is clear: infostealer infections are not one-off incidents but ticking time bombs. The credentials they harvest can remain viable for years, especially if companies fail to implement robust monitoring, multi-factor authentication (MFA) or timely credential rotation. Note that rotation has to reach third-party and partner accounts as well: in this case the credentials belonged to an LG Electronics employee rather than to JLR staff, so a rotation policy that only covers the company's own workforce would have left them untouched.

Atlassian Jira, while a powerful tool, has become a prime target for attackers because of its centrality in enterprise workflows and the wealth of data it houses. Once inside, threat actors like HELLCAT can move laterally, escalate privileges and extract sensitive information with alarming ease.

As Jaguar Land Rover scrambles to assess the damage and secure its systems, the cybersecurity community braces for the fallout. The leaked data (source code, employee details and partner information) could fuel further attacks, from targeted phishing campaigns to intellectual property theft. This is especially true as threat actors begin using AI to mine large, unorganized data dumps for maximum impact.

Meanwhile, HELLCAT's success is likely to inspire copycat operations, with infostealer credentials remaining a hot commodity on the dark web.
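The "long tail" described above, old infostealer records whose passwords were never changed, is something a defender can check for directly if they hold two inputs: a feed of stealer records for their own hostnames (whether from a vendor or from their own collection) and the identity system's record of when each account last changed its password and whether MFA is enforced. The script below is an added example written for this article; it is not Hudson Rock's tooling and not code from the breach. The record layout is loosely modeled on the URL/USER/PASS blocks stealers write to a Passwords.txt, but the layout itself, the hostnames, the accounts, the dates and the directory CSV are all constructed for illustration. The verdict a record gets depends on whether the password was rotated after the infection date, whether MFA stands in the way, and whether the account is even known to the directory (a partner account provisioned elsewhere shows up as unknown and needs a human to chase it).

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed stealer output, loosely modeled on the URL/USER/PASS blocks in a
# stealer's Passwords.txt; COMPROMISED stands in for the infection timestamp a
# log parser would take from the stealer's system-info file. Not real data.
STEALER_LOG = """\
COMPROMISED: 2021-03-02
URL: https://jira.oem.example/login.jsp
USER: jkim@supplier.example
PASS: hunter2

COMPROMISED: 2022-05-20
URL: https://jira.oem.example/login.jsp
USER: contractor@other.example
PASS: Summer22

COMPROMISED: 2023-07-08
URL: https://jira.oem.example/secure/Dashboard.jspa
USER: m.ortiz@oem.example
PASS: Welcome1

COMPROMISED: 2024-11-19
URL: https://jira.oem.example/login.jsp
USER: a.singh@oem.example
PASS: Winter2024!

COMPROMISED: 2022-01-30
URL: https://shop.unrelated.example/account
USER: jkim@supplier.example
PASS: hunter2
"""

# Constructed identity export: every account able to log in to the Jira host.
DIRECTORY_CSV = """\
username,account_type,last_password_change,mfa_enabled
jkim@supplier.example,partner,2020-09-15,false
a.singh@oem.example,employee,2025-01-06,true
m.ortiz@oem.example,employee,2023-01-11,true
"""

MONITORED_HOSTS = {"jira.oem.example"}   # assumed hostname, not JLR's
DEMO_TODAY = date(2025, 3, 20)

# Verdicts, most urgent first.
STILL_VALID_NO_MFA = "STILL_VALID_NO_MFA"      # unchanged since infection, MFA off
NOT_IN_DIRECTORY = "ACCOUNT_NOT_IN_DIRECTORY"  # e.g. a partner account provisioned elsewhere
STILL_VALID_MFA_ONLY = "STILL_VALID_MFA_ONLY"  # unchanged since infection, MFA is the only barrier
ROTATED = "ROTATED_AFTER_INFECTION"            # password changed after the infection date
SEVERITY = {STILL_VALID_NO_MFA: 0, NOT_IN_DIRECTORY: 1, STILL_VALID_MFA_ONLY: 2, ROTATED: 3}


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    compromised: date
    age_days: int
    verdict: str


def parse_stealer_log(text):
    """Yield (compromised_date, host, user) for each blank-line-separated block."""
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().upper()] = value.strip()
        if not all(k in fields for k in ("COMPROMISED", "URL", "USER")):
            continue  # malformed block: skip it rather than crash on a dirty dump
        host = (urlsplit(fields["URL"]).hostname or "").lower()
        yield date.fromisoformat(fields["COMPROMISED"]), host, fields["USER"].lower()


def load_directory(csv_text):
    """Map username -> (last_password_change, mfa_enabled)."""
    return {
        row["username"].lower(): (date.fromisoformat(row["last_password_change"]),
                                  row["mfa_enabled"].strip().lower() == "true")
        for row in csv.DictReader(io.StringIO(csv_text))
    }


def triage(stealer_text, directory_csv, monitored_hosts, today):
    """Return one Finding per stolen credential for a monitored host, most urgent first."""
    directory = load_directory(directory_csv)
    findings = []
    for compromised, host, user in parse_stealer_log(stealer_text):
        if host not in monitored_hosts:
            continue  # credentials for other sites are outside this check
        entry = directory.get(user)
        if entry is None:
            verdict = NOT_IN_DIRECTORY
        elif entry[0] > compromised:
            verdict = ROTATED
        elif entry[1]:
            verdict = STILL_VALID_MFA_ONLY
        else:
            verdict = STILL_VALID_NO_MFA
        findings.append(Finding(user, host, compromised, (today - compromised).days, verdict))
    # Within a severity tier the oldest exposure comes first: it has had the
    # longest time to change hands on the market.
    findings.sort(key=lambda f: (SEVERITY[f.verdict], -f.age_days))
    return findings


def demo_findings():
    return triage(STEALER_LOG, DIRECTORY_CSV, MONITORED_HOSTS, DEMO_TODAY)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.verdict:27} {f.user:26} infected {f.compromised} ({f.age_days} days ago)")
```

On the constructed data the partner account comes out on top: its password predates a four-year-old infection and has no MFA, which is the shape of the exposure the article describes. A ROTATED verdict lowers priority but is not a clean bill of health; the same infection may have captured other credentials, and the host's login history between the infection date and the rotation date still deserves a look.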