therecord.media Alexander Martin
September 17th, 2025
Shares in a British automaker supplier plummeted 55% Wednesday as it warned that a cyberattack on Jaguar Land Rover (JLR) was impacting its business, adding to concerns that the incident is sending a “shockwave” through the country’s industrial sector, according to a senior politician.
Shares in Autins, a company providing specialist insulation components for Jaguar vehicles, opened 55% below its Tuesday closing price on the AIM exchange for smaller companies. As of publication the price recovered slightly to a 40% drop.
In a trading update the company acknowledged that JLR stopping all production since the cyberattack on September 1 was having a material effect on its own operations. Its chief executive, Andy Bloomer, told investors the attack was “concerning not just for Autins, but the wider automotive supply chain.”
Bloomer added the true impact of the disruption “will not be known for some time,” but that Autins was “doing everything possible to protect our business now and ensure we are ready to benefit as we come out the other side.”
These protective measures have included using banked hours for employees, delaying and cancelling raw material orders, as well as pausing discretionary spend across the business. Autins employed 148 people and recorded revenues of just over £31 million last year, according to its annual results.
It comes as Liam Byrne, a Labour MP for Birmingham Hodge Hill and Solihull North — one of the United Kingdom’s parliamentary constituencies in a region dominated by automotive manufacturing — warned the JLR disruption was “a cyber shockwave ripping through our industrial heartlands.”
“If government stands back, that shockwave is going to destroy jobs, businesses, and pay packets across Britain. Ministers must step up fast with emergency support to stop this digital siege at JLR spreading economic havoc through the supply chain,” stated Byrne.
It follows JLR announcing on Tuesday that its global operations would remain shuttered until at least the middle of next week. Thousands of JLR employees have been told not to report for work due to the standstill.
Reports suggest that thousands more workers at supply-chain businesses are also being temporarily laid off due to the shutdown. The Unite union has called on the government to provide a furlough scheme to support impacted workers.
The extended disruption is increasing the costs of the incident for JLR, which is one of Britain’s most significant industrial producers — accounting for roughly 4% of goods exports last year — and risks damaging the British economy as a whole.
Lucas Kello, the director of the University of Oxford's Academic Centre of Excellence in Cyber Security Research, told Recorded Future News last week: “This is more than a company outage — it’s an economic security incident.”
A spokesperson for the Department of Business and Trade did not respond to a request for comment. The Prime Minister's official spokesman previously stated there were "no discussions around taxpayers' money" being used to help JLR suppliers.
spycloud.com
We analyzed the VenusTech and Salt Typhoon data leaks to uncover the latest trends in the Chinese criminal underground.
In late May, two particularly interesting Chinese datasets appeared for sale in posts on DarkForums, an English-language data breach and leak forum that has become popular since BreachForums went dark in mid-April. These two posts, which we’re calling the VenusTech Data Leak and the Salt Typhoon Data Leak, had some interesting similarities. Both posts:
Were posted by new accounts that appear to have been created explicitly to sell a single dataset
Included data that allegedly came from companies in China’s large hack-for-hire ecosystem
Included data samples that, while limited, give us some insight into the companies they came from
While the samples provided on DarkForums were relatively small in comparison to previous data leaks of a similar nature (including Chinese IT contractor leaks, such as TopSec and iSoon), the latest leaks provide critical pivot points for assessing the state and structure of the Chinese cybersecurity contractor ecosystem.
We wanted to take a moment to analyze these two recent posts, dive into the sample data, and make some connections between this activity and some overall trends we are observing in our research into the Chinese cybercriminal underground.
Analysis of the VenusTech Data Leak
VenusTech is a major IT security vendor in China with a focus on serving government clients. It was founded in 1996 and is traded on the Shenzhen Stock Exchange. They have previously documented ties to the hack-for-hire industry including procuring services from XFocus, who created the original Blaster worm in 2003, as well as providing startup funding to Integrity Tech, the company responsible for the offensive hacking activity associated with Flax Typhoon.
On May 17, a post relating to VenusTech was created by an account called “IronTooth” and titled “Chinese tech company venus leaked documents.” The IronTooth account appears to have been newly created and simply uses the default profile image for DarkForums. The full post text reads:
selling sourced leaked documents dump of chinese tech company. includes papers, products sold to government, accesses, clients and more random shit sold to highest bidder after 48h. crossposted.
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service.
Jonathan Braley, director of cyber information sharing organization Food and Ag-ISAC, spoke at the RSA Conference on Thursday and warned of not only the increase in ransomware incidents but the continued lack of visibility into the full scope of the problem.
“A lot of it never gets reported, so a ransomware attack happens and we never get the full details,” he told Recorded Future News on the sidelines of the conference. “I wish companies would be more open in talking about it and sharing ‘Here's what they use, here's how we fixed it,’ so the rest of us can prevent that.”
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service. But Braley noted that even when they took out the attacks attributed to Clop, groups like RansomHub and Akira were still continuing to attack the food industry relentlessly.
The Food and Ag-ISAC obtained its numbers through a combination of open-source sites, dark web monitoring, member input and information sharing between National Council of ISAC members.
The industry saw 31 attacks in January and 35 in February before a dip to 18 attacks in March.
The 84 attacks seen from January to March were more than double the number seen in Q1 2024.
Delta CEO Ed Bastian said the company plans to seek compensation from Microsoft and CrowdStrike.
During the fall of 2022, a few friends and I took a road trip from Chicago, IL to Washington, DC to attend a cybersecurity conference and (try) to take a break from our usual computer work.
While we were visiting the University of Maryland, we came across a fleet of electric scooters scattered across the campus and couldn't resist poking at the scooter's mobile app. To our surprise, our actions caused the horns and headlights on all of the scooters to turn on and stay on for 15 minutes straight.
When everything eventually settled down, we sent a report over to the scooter manufacturer and became super interested in trying to more ways to make more things honk. We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.
