Dec 10, 2025
Podcast: Inside the Jaguar Land Rover Cyberattack: Supply Chain Failure, Scattered Spider, and the New Threat Ecosystem
Welcome back to the Cyber Resilience Brief, a SafeBreach podcast. I’m your host, Tova Dvorin. And with me today is my cohost, Adrian Culley, and our very special guest, Steve Cobb, who’s CISO at SecurityScorecard. Steve, do you want to tell us a little bit about yourself?

Sure. Yeah. I mean, I’m the CISO for SecurityScorecard. I’ve been with SecurityScorecard for coming up on three years now shortly. But I’ve had thirty-plus years in the advanced IT and cybersecurity space. I was an entrepreneur and dropped out of college and started my own IT and security consulting company way back in the early nineties. And, yeah, grew that company and then sold that company and left to start working in the enterprise. So I’ve worked for health care. I worked in finance. Worked for technology spaces, obviously. Been around the world, if you will, from a cybersecurity perspective and all the domains. Got a lot of experience like cyber threat intelligence, incident response, security operations. But I also have quite a bit of experience, and what my focus is on right now is supply chain GRC, third-party risk, supply chain risk, those sorts of things where I’m focused heavily, because that’s part of what SecurityScorecard does and what I’m speaking to a lot of peers and customers about these days.

Thank you so much for being here, Steve. And today, we’re going to talk about the latest in supply chain attacks. As you all know, it’s the Jaguar Land Rover attack. Steve, Adrian, what can you tell us?

So you’re probably aware, Steve, the independent assessment has said that this very much supply chain based attack has currently cost the UK at least two billion British pounds, somewhere north of two and a half billion US dollars in cost, lost sales, and it’s been already pitched as the most significant cyber attack to hit the UK by a long way. Obviously, at SafeBreach, we approach this from the attack techniques and the threat actor perspective.
You focus on the supply chain itself and the third parties. What’s your view of what’s going on here in the statements between Jaguar Land Rover and Tata Consultancy Services?

Yeah. It feels like to me, just based on some of the news coverage I’ve seen, and obviously a lot of this is still preliminary, we’re trying to figure out. And, you know, anytime these breaches happen, especially one this large, the victims are very sensitive and careful about what they release and what they share, which is understandable, but it also hinders us, I think, a little bit from an industry standpoint on how we can protect ourselves and maybe stop these things proliferating. Regardless, I saw, I know, Adrian, I think, today that it said that in the UK, partly because of this incident, vehicle production was down twenty-seven percent so far in the month.

It’s fair to say, Steve, it’s become critical infrastructure, critical national infrastructure, and a national issue. So high is the impact.

Yeah. And, I mean, if you think about this from the supply chain perspective, as you mentioned, this looks like it is what’s been called out as a third-party company, this Tata Consulting, that had access into the JLR systems. Somehow there was a breach within that supply chain. And we don’t know quite yet exactly what it was, but I think from a supply chain perspective, what we look at, and what we try to tell customers and the industry as a whole, is, you know, think about how these organizations or these applications or managed services, whatever you may have that have a very high level of permission, a very high level of access to data within your organization: what happens if they’re not protecting that data as well as they should be? And, you know, we’ve gotten very good in the US, and I think in the UK and internationally as well. We’ve come a long way on protecting our first-party cyber risk. Right?
How we protect our house, our own firewalls and servers, and all those sorts of things. Things have come a long way, and it’s way better than what it was probably two or three years ago when, for instance, in our system, we scan the Internet every twenty-four hours, and you could go in our system and look at the number of organizations that had RDP, which is a common remote desktop protocol, a common remote access methodology used in the Microsoft Windows world where you expose a login to the Internet for someone to do work remotely. Especially around COVID, it blew up quite a bit. You’d see hundreds, if not millions, of companies who were doing that, and that was a common way threat actors may infiltrate and gain initial access to companies. Now you’ve seen that go down drastically or dramatically, which is a great thing. But the difference is for supply chain, many times, we’re treating these companies who are providing the service for us as trusted partners, and they have the direct access. We’ve somewhat, as an industry overall, as a community overall, stuck our head in the sand around who’s connected to our networks, what data we’re sharing, how do they have that access, and what could happen if they were breached. What would be the outcome for us? And that’s one of the things that we try to impress upon folks that we talk about is really considering that supply chain as essentially your first-party risk, because if we’re being honest, it really is first-party risk.

So that’s a brilliant point, Steve. Personally, I’m a great fan of the phrase trust but validate, and transfer of trust in third-party supply chains is a really interesting issue. What we’ve got in the UK at the moment is there’s been three high-level breaches: Marks and Spencer’s, the retailer; Broward, food retailer; and now Jaguar Land Rover. All very significant, and building an escalation in scale, all supported by Tata Consulting Services.
Now I get quite passionate about abrogation in security, and what I mean by that is just because you outsource your IT contract, you can’t abrogate security. You can’t avoid that responsibility. Just yesterday, Marks and Spencer cancelled their contract with Tata Consulting that was worth hundreds of millions of dollars. It’s going to be interesting to see how that unrolls going forward for the other companies. The heart of this, we’ve got three hacking groups in parallel, because we’ve also got a supply chain in hacking. We’ve got Scattered Spider, very high profile, claimed responsibility for Marks and Spencer. We’ve got ShinyHunters, and we’ve got Lapsus$. All of these are affiliated under the Com hacking group. And we’ve also got right now Scattered Lapsus, which is a rather confusing amalgamation of all of these, claiming responsibility for Jaguar Land Rover. Now the Lapsus name itself is very interesting in terms of third party, Steve, and your core business. I don’t know if everybody’s aware, but lapsus is actually the Latin word for lapse or breach. Lapsus with an extra dollar on the end makes it cyberfied, a bit like pwn or own. The implication is it’s financially driven, but also they’re focusing on mistakes and breaches and human engineering. And we know the Marks and Spencer’s attack came from somebody getting into a Tata Consultancy email account and being able to send an email attack to Marks and Spencer’s that then got credentials, and as we’ve talked about before, Scattered Spider don’t break in, they log on. What’s your view professionally of that chain of events, Steve?

I think it’s alarming. I’ll say it.
Maybe that’s the best word I can say, Adrian, because now it feels like, just from this one, if you step back, and this is all conjecture on my part, but if you step back and look at it, especially the news that you mentioned that there was a Telegram channel that was using the name Scattered Lapsus Hunters as the name in the Telegram channel that claimed responsibility for the attack. It feels to me like there’s starting to be some coordination and collaboration among these threat actor groups. And we know that to a degree that’s happened in the past, right, where especially when you think about ransomware as a service and how rent brokers and ransomware, a lot of these smaller organizations, which could be one person or two people, these smaller ransomware crime groups would execute ransomware and then get paid out as an agent, if you will, of the ransomware gangs or the larger ransomware consortiums. So we’ve seen some type of working together. This seems a little more coordinated, though, to me. It seems like these organizations are essentially sharing secrets or sharing information.

The danger is the people who are being involved in these outsourcing contracts don’t understand cybersecurity. And if somebody’s not taking ownership and acknowledging who is doing what between all the entities around cybersecurity, the danger is that everybody thinks that somebody else is doing it and nobody is.

It’s a great point, Adrian. I don’t know how many times I’ve spoken with our legal team internally and had audiences of legal providers when we think about contracting, procurement and supply chain and what those things look like.
A lot of times, we have come to that fact: well, if this is a large company or, you know, this is a reputable company, we’re just assuming they’re doing the right things, and our contracts will just be less complete or comprehensive than they should be around what happens when these attacks or these supply chain issues come up. And I think part of the reason we kind of put our head in the sand about supply chain is this is complex. It’s difficult. There is a lot to map. There’s also a lot of legal and procurement and contract terms that are involved there, and that’s the place where we’ve got to do the hard work. We’ve gotten to a place, at least in the US from a culture standpoint, where we just want to outsource, and we want the easy button. There’s a retailer here in the US that has this commercial about the easy button. Just hit the easy button, and we’ll take care of it for you. And that’s great. But the easy button doesn’t work for everything, so I think we’ve got to get back to doing the hard work of making sure we understand who our suppliers are and who their suppliers are and what happens down the supply chain ecosystem if there’s a breach or even an availability issue like what we saw earlier this week or last week.

And I personally think it’s fascinating, Steve. We’ve got a parallel mirror now between the commercial business world and the world of threat actors and intelligence. Intelligence agencies have long liked using proxy agents because it’s a great way of getting away with things. Interesting nexus right at the heart of the Com: Scattered Spider, Scattered Lapsus, ShinyHunters, which in ransomware as a service terms, there is a ransomware as a service called BlackCat. BlackCat is fair and square attributed to the Russian Federal Security Service, meaning APT, advanced persistent threat. Very quickly, what does that actually mean? Advanced means they know more than we do.
That’s implicit: they’ve got into your computer system and you didn’t know they were there. Persistence describes intelligence agencies. Their task: they have a collection plan. They have resources. They have finance, and they will keep going until they succeed or they’re told to stop. And threat means they’re hostile. You almost certainly don’t have an advanced persistent friend unless you’re on specialist stalking forums or other very strange places. APT, the clue’s in the name, but it’s worth reiterating. And if these people get you in their crosshairs, until they’re told to stop, they will not stop.

Wow. Thank you, Adrian. Thank you, Steve. I think we’re running out of time. Is there anything else that both of you want to mention about all of these various interconnected issues, the changing threat landscape, supply chain, the specifics of Jaguar Land Rover?

So quick from me to Steve, Tova. What would you advise for folks listening to us, Steve, about resilience, and what steps can they take to boost their resilience here?

What I tell peers and customers who are interested is that from a supply chain perspective, you really have to get visibility, and then you have to make connections and build relationships with these critical third-party vendors and fourth-party vendors. And I think you really sometimes don’t understand the fourth-party vendors until you understand all your third-party vendors and can make those interconnects. Once you do that, once you build those relationships, then you start asking the difficult questions. Hey, who are you relying on for DNS, for instance, or who are you relying on for your critical services, and how do we back into a place where we can become more resilient should something break down along that supply chain? It’s a difficult process, but you have to be intentional about it. You have to be focused on it.
And many times, we’ve seen customers, people need help with this because this may be outside of their expertise or skill set. And that’s where I’d say, look for a partner, look for a company like SecurityScorecard or others that can help you really wrap your heads around what your supply chain looks like and where the risks may be popping up.

Excellent advice. Great advice, Steve. Steve, thank you so much for being on the podcast with us. We look forward to hopefully speaking with you again in the future. In the meantime, to our listeners, stay safe, stay safe with SafeBreach. Take care.

The Cyber Resilience Brief is a SafeBreach podcast, executive produced by Tova Dvorin and Adrian Culley. Sound provided by Adobe Music. Editing done with Adobe Podcasts. Distribution and tracking provided by Podbean. If you enjoy the podcast and would like to learn more, please check us out at www.safebreach.com. And don’t forget to leave us a five-star review on Spotify, Apple Podcasts, or wherever you get your podcasts.
In This Episode
What if your trusted partner becomes your biggest breach? A £2B hit. Production down 27%. Three major UK brands breached—all tied to the same third-party access point.
On this week’s Cyber Resilience Brief, SafeBreach’s Tova Dvorin and Adrian Culley sit down with Steve Cobb, CSO at SecurityScorecard, to unpack the Jaguar Land Rover supply chain attack and why “you can outsource IT, but never responsibility.”
Listen in to learn:
- How third-party access becomes first-party risk
- Why attacker groups are now coordinating like business units
- What resilience really looks like when the supply chain breaks
Tune in & subscribe anywhere you get your podcasts.