The Hellcat ransomware group has claimed responsibility for recent cyberattacks that hit two major companies — Swiss telecom giant Ascom and British carmaker Jaguar Land Rover (JLR), a subsidiary of India’s Tata Motors.
According to reports, Ascom suffered the breach on March 16. Just hours later, the attackers listed the company on their dark web leak site. Ascom responded swiftly, confirming that the cyberattack had specifically targeted its technical ticketing system.
In a statement, the company explained, “Our IT Cybersecurity Team is currently investigating the incident. The ticketing system was immediately shut down, and assessing the full scope of the breach remains ongoing.” Ascom emphasized that no other systems, including customer-facing platforms, were compromised. Business operations, the company added, continue as usual.
However, the Hellcat ransomware group claims it made off with a significant amount of sensitive data. The stolen files — reportedly totaling 44 gigabytes — allegedly contain contracts, proprietary development tools, internal documents, and even source code.
JLR Data Breach Linked to Old, Exposed Credentials
At the same time, Hellcat also laid claim to a much larger data breach involving Jaguar Land Rover. Reports suggest the attackers extracted hundreds of gigabytes of data from the automaker.
Cybersecurity firm Hudson Rock revealed that the breach may have stemmed from stolen login credentials tied to JLR’s Atlassian Jira system. Alarmingly, these credentials were traced back to LG Electronics employees who had access to JLR’s Jira server. The information was reportedly siphoned using infostealer malware, a common tool among cybercriminals for harvesting credentials.
One of the hackers involved claimed on a forum that the compromised credentials dated back as far as 2021 — raising serious concerns over outdated but still active access. Hudson Rock highlighted that this isn’t the first time Hellcat has used infostealer-harvested credentials in high-profile cyber intrusions.
The group has previously leveraged similar tactics in attacks on companies like Schneider Electric and Telefonica. Stolen credentials — often traded or sold on the dark web — remain Hellcat’s weapon of choice.
“What makes the Jaguar Land Rover breach so alarming is the age of the credentials used,” Hudson Rock noted. The firm’s research found that the login details, stolen years ago, were still active. “Despite being exposed in earlier infostealer campaigns, these credentials were never updated or disabled,” the firm added.
The incident serves as a stark reminder of the lingering risk posed by credential reuse and poor cybersecurity hygiene — vulnerabilities that ransomware gangs like Hellcat continue to exploit.