How cyber attacks on JLR, European airports hurt India



How did the cyber attacks disrupt global airports this weekend?

Early on Saturday, the first reports started surfacing about regular operations such as flight check-ins and baggage drops being disrupted at London-Heathrow airport (LHR). In 2024, it was the world’s fifth-busiest airport, handling nearly 84 million travellers annually, according to Airports Council International.

Soon afterwards, news of disruptions emerged at Germany’s Berlin and Belgium’s Brussels international airports, too. Reports of customers stranded on the tarmac, and airlines checking users in for their flights and tagging their bags manually started flooding social media.

Within hours, it emerged that the reason behind the disruption was a cyber attack on a software platform called Muse, run by Collins Aerospace—which in turn is owned by American aerospace and defence conglomerate, RTX Corp.

While details are slim, the extent of the breach has been sweeping. In a press statement, Collins Aerospace confirmed the cyber attack, but said that the issue has affected “select airports”. However, the company has not detailed if it is already aware of who was behind the attack, what the motive was, and if there have been breaches of customer data involved as well.

Muse, the software platform in question, is used for digitized flight check-in, baggage drop and coordination, and the sharing of boarding gate information across airlines—including allowing small airlines without their own dedicated check-in and boarding infrastructure to save costs. An attack on it, therefore, has now led to many flights being cancelled, or at least rescheduled, across Europe—leading to chaos among travellers and airlines alike.

Did the cyber attack on Jaguar-Land Rover have a similar story?

Not quite. On 31 August, specific manufacturing sites of the iconic British automotive firm started reporting signs of disrupted software. By the next day, JLR shut down its software platforms across both retail and manufacturing, around the world. This included manufacturing sites in Brazil, the UK and India. As per company statements, operations are halted at least until 24 September.

While a detailed diagnosis report of the cyber attack has not been divulged, at least four cybersecurity experts that Mint spoke with over the past week said that all signs point to the potential loss of customer data from the system, as well as a malware breach at a deep level on one of the common smart factory coordination platforms used by JLR. It remains unclear if this involved the breach of a third-party software platform—or something more closely integrated within Jaguar and Land Rover’s internal systems.

Most experts, interestingly, have pointed to a targeted breach of the company, rather than a typical software exploit in which JLR just incidentally happened to be caught in the middle. Open-source intelligence platforms have reported that a group of malicious cyber attackers, who had also claimed responsibility for holding UK retailer Marks & Spencer to ransom this March, is behind the JLR hack as well.

Who targeted these massive operations and why?

The root of the cyber attack has not been determined, but early third-party analysis has experts pointing at the hack being a nation-backed attack on strategic European operations—with links to geopolitical conflicts. One faction has highlighted that the breach of the Collins Muse platform was conducted by a government-backed group of hackers from Russia, to distract resources and governments across Europe at the same time as Estonia—an immediate geographical neighbour of Russia—claimed that the latter violated its airspace.

Concerns were immediately raised with the North Atlantic Treaty Organization (Nato), especially in light of Russia’s history with the annexation of Crimea, and its subsequent invasion of Ukraine that has been ongoing since February 2022. The possibility of the cyber attack on airport operations being tied to geopolitical conflicts has not been ruled out as yet.

The JLR breach, meanwhile, is prima facie financially motivated. While the top brass of JLR and its parent, Indian auto conglomerate Tata Motors, are yet to divulge any ransom demand, open-source intelligence reports of the above-cited group, ‘Scattered Spider’, boasting of the breach on dark web platforms as well as in groups on social media platform Telegram, have pushed cyber security experts to conclude that, in some way or form, a monetary claim will be made at some point.

Is India also affected by these cyber attacks?

A senior government official, requesting anonymity, told Mint that the Ministry of Electronics and Information Technology (Meity), the nodal ministry for all cyber security-related activities, is keeping an active track of the evolving situation at European airports.

“The Delhi airport is using Collins’ Muse software platform, but has so far not faced any impact. There is no clear communication from the vendor as yet, but the airport authorities remain in touch with them. So far, Indian airports have faced no disruption, but we are keeping a close eye on the proceedings,” the official said. He also affirmed that Bengaluru airport, which also deploys Muse, has faced no disruption. Meanwhile, Mumbai airport uses a different software platform.

In terms of the JLR breach, parent firm Tata Motors is expected to take a hit in terms of its September quarter financials. JLR, to be sure, accounts for over 70% of the group’s consolidated revenue—in which only about 27% is contributed by Tata’s passenger cars and commercial vehicles business. Its share price, however, has not baked in the cyber attack factor as yet. Shares of Tata Motors are up 6% on the BSE since the hack.

At least two of the four cyber security experts cited above suggested that this may be a sign that the breach might not be as bad as what M&S had faced earlier this year—but three weeks of sustained production blackout could hit the company hard in the last nine days of this month.

Have such massive cyber attacks happened before as well?

Yes. The three biggest examples include 2017’s ‘WannaCry’ ransomware, which brought down airports, hospitals, companies and even select government operations around the world—including some in India as well.

Another attack in the same year, ‘NotPetya’, wreaked similar havoc—with an estimated impact of $10 billion. In terms of data breaches, a series of attacks on Yahoo compromised details of 3 billion people between 2013 and 2014.

Is there no defence against such cyber attacks?

Typically, cyber attacks backed by nations, as is the allegation in Europe’s airport breaches, deploy massive amounts of money and brute force computing power to overwhelm unsuspecting operations. Most such breaches originate at some vulnerability in a software platform, which may not have been discovered as yet—and is then exploited actively by hackers.

In JLR’s case, experts said that such hacks may grow in frequency in future due to the emergence of ransomware-as-a-service platforms—such as DragonForce, used in the M&S hack. These platforms allow any malicious individual to use a ready-to-deploy cyber attack infrastructure, either to just disrupt a company or to walk away with money in hand.

Don’t mission-critical operations typically have redundancies?

Yes. However, in many specialized operations such as airports, a specific software platform ends up with a market monopoly. This means that airports may not always have the resources to deploy multiple siloed software platforms for the same purpose. What companies and public operations do, as advised by cybersecurity platforms, is use air-gapped data centres and external cybersecurity teams to shore up cybersecurity.

All of this, however, is easier to say in theory—in most cases, cost efficiencies and the complexities of cyber attacks mean that these strategies are mainly reactive rather than proactive. This is not due to a lack of effort—but because of how exploits in cyberspace function.


