Jaguar Land Rover’s global production stopped on September 1st and remained shuttered for over a month, with losses potentially surpassing $1.5 billion. Supply chain partners laid off workers. The British government had to step in with emergency loans. But here’s what keeps security teams up at night: This wasn’t a smash-and-grab. This was a surgical, months-long operation. Let’s walk through what happened (based on current publicly available analysis of events)—and how ORDR can help prevent this in the future. 

Phase 1: Initial Compromise — “Wait, Whose Laptop Is That?” 

What Happened: Attackers used infostealer malware to compromise employee laptops and harvest Jira credentials. Picture it: an employee clicks a phishing link. Malware gets installed. Their laptop—a trusted device on your network—is now enemy territory. 

The attackers then: 

  • Installed hacking tools like remote access trojans and credential stealers 
  • Disabled EDR (Endpoint Detection and Response) software 
  • Turned off MDM (Mobile Device Management) controls 
  • Tampered with firewall configurations 

All of this happened on devices that were supposed to be “managed.” 

The Billion-Dollar Question: 

How can you not know there’s a compromised device in your network? 

The Reality Check: If you can’t see every device—unmanaged laptops, contractor BYOD phones, IoT sensors, legacy PLCs, that random printer someone plugged in—you’re flying blind. Modern manufacturing networks contain thousands of connected devices, and most security teams don’t have a complete inventory. 

What Should Have Happened (The ORDR Way): 

ORDR continuously discovers and profiles every device the moment it touches your network. Not just what it is, but who’s using it, what it’s running, and whether it’s behaving normally. We track the owner, user, department, and organizational unit by correlating data from CMDB, Active Directory, and supply chain procurement systems. Pre-configured rules verify device legitimacy by validating attributes across these data stores, ensuring only authorized assets operate on your network. ORDR also tracks what devices are missing EDR, what config settings are not updated through MDM, when was the last scan on the device and other security controls a CISO has established as a base line. 

When that compromised asset started acting weird—communicating with devices it never talked to before, generating unusual traffic patterns—ORDR would have flagged it immediately. Think of it as your network’s early warning system. 
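As an added illustration of the inventory reconciliation described above (example code, not ORDR's own), the snippet below cross-checks devices seen on the wire against constructed CMDB, Active Directory and EDR/MDM records and reports, per device, its owner and which controls are missing or have gone silent. Hostnames, MACs and the 24-hour heartbeat threshold are made-up assumptions.

```python
# Constructed sample data standing in for a discovery feed, a CMDB export, an AD
# computer list and EDR/MDM agent check-ins (all hostnames and MACs are made up).
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "host": "eng-lt-017", "os": "Windows 11", "type": "laptop"},
    {"mac": "00:11:22:33:44:02", "host": "eng-lt-018", "os": "Windows 11", "type": "laptop"},
    {"mac": "00:11:22:33:44:03", "host": "",           "os": "Linux",      "type": "printer"},
    {"mac": "00:11:22:33:44:04", "host": "plc-line3",  "os": "VxWorks",    "type": "plc"},
]
CMDB = {"00:11:22:33:44:01": {"owner": "j.doe", "dept": "engineering"},
        "00:11:22:33:44:02": {"owner": "a.roe", "dept": "engineering"},
        "00:11:22:33:44:04": {"owner": "ot-team", "dept": "production"}}
AD_COMPUTERS = {"eng-lt-017", "eng-lt-018"}
EDR_CHECKIN_HOURS = {"eng-lt-017": 1, "eng-lt-018": 80}  # hours since last agent heartbeat
MDM_ENROLLED = {"eng-lt-017"}
AGENT_CAPABLE = {"laptop", "workstation", "server"}      # PLCs and printers cannot run agents

def evaluate(device, max_edr_silence_hours=24):
    """Return the list of control gaps for one discovered device."""
    gaps = []
    if device["mac"] not in CMDB:
        gaps.append("not-in-cmdb")            # nobody owns it: rogue or forgotten asset
    if device["type"] in AGENT_CAPABLE:
        if device["host"] not in AD_COMPUTERS:
            gaps.append("not-domain-joined")
        silence = EDR_CHECKIN_HOURS.get(device["host"])
        if silence is None:
            gaps.append("edr-missing")
        elif silence > max_edr_silence_hours:
            gaps.append("edr-silent")         # agent stopped reporting: disabled or tampered?
        if device["host"] not in MDM_ENROLLED:
            gaps.append("mdm-missing")
    return gaps

def reconcile(devices):
    """Map each device (by MAC) to its owner, department and control gaps."""
    report = {}
    for d in devices:
        rec = CMDB.get(d["mac"], {"owner": None, "dept": None})
        report[d["mac"]] = {"host": d["host"], **rec, "gaps": evaluate(d)}
    return report
```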

Phase 2: Reconnaissance — “What Are They Looking At?” 

What Happened: Once inside, the attackers didn’t immediately smash windows and grab data. They played the long game. They mapped the network, identifying: 

  • Other devices in the same VLAN 
  • High-value targets like manufacturing control systems 
  • Vulnerabilities in legacy equipment 
  • Pathways to move laterally 

The Critical Question: 

How can you not know vulnerabilities are waiting to be exploited? 

The Hard Truth: Reliance on legacy systems makes many similar environments particularly vulnerable. Manufacturing networks are full of old equipment that can’t be patched, can’t run security agents, and are basically sitting ducks. You probably have devices running Windows XP or industrial controllers from 2008. They’re not going away anytime soon. 

What Should Have Happened (The ORDR Way): 

ORDR doesn’t just find vulnerabilities—it tells you which ones matter. Through passive and active analysis, integrated with tools like Rapid7, Tenable, and Qualys, ORDR builds a risk-prioritized view of your exposure, including devices running on legacy operating systems. 

ORDR also identifies and tags the presence of devices from prohibited manufacturers (as defined in Section 889 of the National Defense Authorization Act), such as Huawei Technologies Co., ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. 

That 15-year-old PLC controlling your assembly line? ORDR knows it’s there, knows it has 23 critical CVEs, knows it’s talking to the internet, and automatically helps you create a remediation ticket.  

You also get the “Asset Graph” view showing the blast radius: if this device gets compromised, here’s everything else that falls like dominoes. 

Phase 3: Lateral Movement — “How Did They Get THERE?” 

What Happened: Armed with their network map and stolen credentials, attackers began moving laterally through the infrastructure. They pivoted from compromised laptops to: 

  • Engineering workstations 
  • Manufacturing execution systems 
  • Production control networks 
  • File servers with proprietary data 

The lack of proper network segmentation allowed extensive lateral movement, letting attackers hop from the IT network into operational technology (OT) systems. 

The Wake-Up-Call Question: 

How can you not know when attackers are moving laterally through your network? 

The Uncomfortable Reality: Traditional security tools focus on north-south traffic (in and out of your network). But the real danger is east-west traffic—device-to-device communication. When a laptop starts talking to an industrial controller it has no business communicating with, that’s not normal; that’s an attacker. 

What Should Have Happened (The ORDR Way): 

ORDR builds behavioral baselines for every device. It learns what normal looks like: This laptop usually talks to these three servers during business hours. This HMI only communicates with these specific PLCs. 

When the attackers started moving laterally, ORDR would detect: 

  • Unusual device-to-device communications 
  • Access to prohibited VLANs 
  • Connections from IT devices to OT systems 
  • Traffic patterns that violate established baselines 
  • Segmentation gaps, which can be analyzed and optimized in just a few clicks 

And here’s the key: ORDR doesn’t just alert you—it can automatically contain the threat. Through integration with your switches, firewalls, and network access control systems, ORDR can instantly quarantine compromised devices, change VLANs, or shut down ports. The attacker tries to move laterally? Sorry, that door just locked. 

Phase 4: Exfiltration — “Where Did The Data Go?” 

What Happened: Attackers are estimated to have stolen over 700 internal documents, proprietary source code, employee data, and potentially 350GB of additional information. 

But they were clever about it: 

  • Used encrypted channels to hide data transfers 
  • Exfiltrated data slowly to avoid triggering volume-based alerts 
  • Routed traffic through legitimate cloud services 
  • Made it look like regular business activity 

The Question That Defines Your Defense: 

How can you not know when gigabytes of data are walking out your door? 

The Sobering Stats: 95% of modern attacks involve data exfiltration, and attackers increasingly focus on silent data theft rather than noisy ransomware. They’re not asking for ransom—they’re stealing your intellectual property, your competitive advantage, your reputation, your customers’ trust. 

What Should Have Happened (The ORDR Way): 

ORDR delivers deep traffic analysis, revealing communication patterns between devices and external entities. Its threat intelligence platform, continuously updated and powered by an IDS engine and URL reputation lookups, identifies: 

  • Connections to known malicious IPs and suspicious domains 
  • Communications with prohibited geographic regions 
  • Anomalous outbound traffic volumes 
  • Data exfiltration via unexpected protocols 

When manufacturing blueprints started flowing to a server in Eastern Europe, ORDR’s behavioral analytics would catch it because that manufacturing controller had never sent data internationally before. 
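A compact illustration of the behavioral-baseline logic described for lateral movement (Phase 3) and exfiltration (Phase 4), together with the blast-radius view from Phase 2, as an added example that is not ORDR's code: it learns each device's peer set and external byte volume from constructed flow records, then flags IT-to-OT connections, never-seen external destinations and drip-fed outbound volume, and walks the learned graph to list what a compromised device can reach. Hostnames, zones, the sample flows and the 2x volume threshold are all made-up assumptions.

```python
from collections import defaultdict
# Constructed inventory: zone of each known device ("it" or "ot"); anything
# not listed is treated as external to the plant network.
ZONES = {"laptop-17": "it", "jira-srv": "it", "file-srv-1": "it",
         "hmi-3": "ot", "plc-21": "ot", "plc-22": "ot"}
def zone_of(host):
    return ZONES.get(host, "ext")
# Constructed flow records (src, dst, bytes): a quiet baseline period, then the period
# under investigation (laptop reaches a PLC, drip-feeds a known SaaS host, adds a new external host).
BASELINE_FLOWS = [("laptop-17", "jira-srv", 5000), ("laptop-17", "file-srv-1", 20000),
                  ("laptop-17", "cloud-sync.example", 100000), ("file-srv-1", "hmi-3", 2000),
                  ("hmi-3", "plc-21", 800), ("hmi-3", "plc-22", 800)]
OBSERVED_FLOWS = [("laptop-17", "jira-srv", 4000), ("laptop-17", "plc-21", 300),
                  ("laptop-17", "cloud-sync.example", 60000), ("laptop-17", "cloud-sync.example", 60000),
                  ("laptop-17", "198.51.100.7", 150000), ("hmi-3", "plc-21", 700)]

def learn_baseline(flows):
    """Per device: its normal peer set and its usual outbound bytes to external hosts."""
    peers, ext_bytes = defaultdict(set), defaultdict(int)
    for src, dst, nbytes in flows:
        peers[src].add(dst)
        if zone_of(dst) == "ext":
            ext_bytes[src] += nbytes
    return {"peers": peers, "ext_bytes": dict(ext_bytes)}

def detect(baseline, flows):
    """Return (device, finding, detail) tuples for flows that break the learned baseline."""
    findings, ext_seen = [], defaultdict(int)
    for src, dst, nbytes in flows:
        if zone_of(dst) == "ext":
            ext_seen[src] += nbytes
        if dst in baseline["peers"][src]:
            continue  # known peer: normal east-west or outbound traffic
        kind = ("it-to-ot" if zone_of(src) == "it" and zone_of(dst) == "ot" else
                "new-external-destination" if zone_of(dst) == "ext" else "new-peer")
        findings.append((src, kind, dst))
    for src, total in ext_seen.items():
        # slow exfiltration: judge the period total against the baseline, not single transfers
        if total > 2 * baseline["ext_bytes"].get(src, 0):
            findings.append((src, "outbound-volume", total))
    return findings

def blast_radius(baseline, start):
    """Internal devices reachable from `start` along learned communication paths."""
    seen, stack = set(), [start]
    while stack:
        for nxt in baseline["peers"][stack.pop()]:
            if nxt not in seen and zone_of(nxt) != "ext":
                seen.add(nxt)
                stack.append(nxt)
    return seen
```

Each observed cloud-sync transfer is well under the laptop's usual volume, so a per-flow threshold would miss it; summing the period and comparing against the learned baseline is what surfaces the slow leak.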

Back to Basics: Strengthen Your Controls 

The attackers didn’t use some magical exploits. They used compromised credentials, moved laterally through a flat network, and exfiltrated data through encrypted channels. In other words, they exploited gaps in visibility and control that exist in most manufacturing networks. 

100% asset visibility, zero blind spots, and seconds to contain a threat 

  1. Know What You Have — You can’t protect what you can’t see. Complete device visibility isn’t optional anymore. 
  2. Know What’s Broken — Risk and vulnerability management that prioritizes based on risk, not just CVSS scores. 
  3. Know When Things Get Weird — Behavioral analytics that understand device-to-device communication patterns. 
  4. Know How to Contain It Fast — Network response capabilities that quarantine threats in seconds, not hours. 
  5. Know It’s Working — Schedulable dashboards and compliance reporting (NIST, CIS 20, etc.) with advanced AI search capabilities that prove your controls are present and functioning. 

The Simple Truth 

This attack highlights several critical points that apply across industries: 

Production disruption: 

  • Every hour of halted production results in significant revenue loss 
  • Supply chain disruptions affect multiple stakeholders 
  • Market confidence is directly impacted 

Evolving threat landscape: 

  • A significant percentage of modern attacks involve data exfiltration 
  • Traditional perimeter defenses are insufficient 

The attack worked because at every phase—entry, reconnaissance, lateral movement, exfiltration—there were blind spots. Devices that weren’t monitored. VLANs that were not segmented. Vulnerabilities that weren’t prioritized. Lateral movement that went undetected. Data transfers that looked legitimate. You need granular visibility into what’s actually happening in your network. 

Because the scariest question isn’t “Can we prevent every attack?” 

It’s “How long has someone been inside our network, and what do they have access to?” 

ORDR brings visibility, control, and security to the devices that keep your business running. From manufacturing floors to healthcare facilities, from universities to financial institutions—if you have connected devices, you have risk. 

Ready to see what’s actually happening in your network? 

Learn more in our Rise of the Machines Report, or request a demo to see ORDR in action. 
