A $2.5 billion mystery: the hacker attack that shook the UK economy

Last year, hackers infiltrated the computer systems of Jaguar Land Rover, a jewel of British manufacturing, forcing the company to lock down its computers and suspend production for five weeks. The hack even affected the broader economy, becoming the costliest cyberattack in the country’s history.

The attack was alarming, but also mysterious. There was never a request for money, as is common in this type of invasion. A loose collective of hackers, which included some in the UK, claimed responsibility. The allegation led to speculation in the press that they were responsible.

They weren’t. A group of Russian hackers was responsible, according to five people familiar with the investigation into the attack. They spoke on condition of anonymity due to the sensitivity of the case.

Authorities and private sector cyber response experts in the United Kingdom and United States concluded that the attack was different in method and motivation from those of the hacker collective that was initially suspected, four of the people said.

Authorities are still trying to clarify the murky details of the case to determine whether the attackers acted at the behest of the Kremlin or with its tacit consent.

The attack, which took place at the end of August 2025, and its economic impact were widely reported. In October, the newspaper The Telegraph reported that authorities were investigating whether Russia was involved. The conclusion of government and private sector investigators that the group was Russian had not been previously disclosed.


Attacks carried out by Russian groups are nothing new. Still, the attack on Jaguar — and the possible involvement of the Russian state — raises the hypothesis that this was not a typical ransom attack, but rather an offensive against the economic basis of a sovereign state. The episode fueled long-standing fears that an adversary country could remotely paralyze critical infrastructure, such as a power grid or strategic manufacturers, generating chaos and economic damage.

The infiltration of Jaguar had profound consequences. It slowed manufacturing in the third quarter of 2025, causing an estimated US$2.5 billion impact on the British economy and costing the company about $350 million in fiscal 2026.

It also carried strong symbolism. King Charles III and Queen Camilla use Jaguar vehicles, and the British Armed Forces have depended on the iconic fleet of Land Rovers for decades.


A new investigation by The New York Times revealed other details of the inquiry. Microsoft, for example, had been monitoring the Russian group and alerted Jaguar about who had hacked its systems, according to four people familiar with the case. The hackers used previously unseen ransomware, with an encryption algorithm that some cybersecurity experts had never encountered in earlier attacks. One described it as “stunning”.

Inside a hastily assembled crisis room during the episode, Jaguar brought together cybersecurity investigators and private sector experts. Participants included the National Crime Agency and the National Cyber Security Centre, from the United Kingdom, as well as Palo Alto Networks and Google’s Mandiant unit. The FBI also helped. Everyone rushed to contain the malware while hackers hurriedly tried to cover their tracks.

The Jaguar attack came amid the increasingly hostile relationship between Russia and the United Kingdom, whose military support for Ukraine has angered the Kremlin. The United Kingdom has also carried out its own covert cyber intrusion and sabotage operations against Russia, according to former British and American intelligence officials.


A spokesperson for the UK’s National Crime Agency said that while it cannot comment on an ongoing investigation, it is aware that “some of the most notorious cyberattacks against the UK are committed by criminals operating from Russia, and that some of the groups responsible have links to the Russian state.”

Jaguar Land Rover declined to comment, citing the ongoing investigation by authorities. The FBI also declined to comment.

Dmitry Peskov, spokesman for Russian President Vladimir Putin, said: “We don’t know anything about this.”


Some clues emerged as the investigation progressed. The attack was highly orchestrated. Hackers exploited vulnerabilities in older technologies and then unleashed advanced ransomware aimed at hijacking company networks.


Experts say this type of technique is more common among nation states than among cybercriminals looking to make big quick gains without spending a lot of money. States can also finance cybercriminals or provide them with hacking tools.

Russia is the world’s biggest source of cybercrime, and its intelligence services have long maintained a close relationship with cybercriminals to conduct espionage and carry out attacks, according to Western security agencies.

Alex Orleans, a former cybersecurity contractor for the US government, compared this relationship to that between organized crime and certain units of the New York Police Department in the 1960s and 1970s. “Just as mobsters offered patronage and received protection from certain police officers, the Russian government provides krysha — a ‘ceiling’ — to electronic crime agents operating from Russian territory,” said Orleans.

At an April cybersecurity conference in Scotland, Dan Jarvis, the UK’s newly appointed Defense Secretary and who at the time of the attack was Minister for Security, said that hostile states had concluded that “the most effective way is not to confront us directly, but to silently deflate us.”

Determining whether the Russian government ordered the hacker group to sabotage Jaguar or merely gave tacit approval is a difficult but not impossible task.

In 2024, the United Kingdom imposed sanctions on a Russian group called Evil Corp, a notorious cybercrime syndicate that operates out of Moscow and used ransomware and other malware in its attacks.

The group was used by Russian intelligence services to conduct attacks and espionage operations against NATO allies and went “far beyond the typical state-criminal relationship based on protection, payments and extortion,” the National Crime Agency said in a 2024 joint report with the FBI and Australian Federal Police.

Even before the attack on Jaguar, there were signs that the company’s systems had been compromised. In June 2025, a hacker released information that included an internal IP address for the company, according to cybersecurity experts.

They described this hacker — a Jordanian known as “Rey” — as someone who sells access to hacked systems. His post was a sign that someone was inside the company’s networks. Coincidentally, the Russian hackers were already there too.

Rey’s publication raised alarm within Jaguar. The company immediately took steps to deal with a possible intrusion, updating software and rebuilding an old server that was vulnerable but also critical to the production line.

It was too late. Russian hackers had previously exploited weaknesses in the software and hardware. They silently infiltrated networks and waited for the moment to strike, three of the people said.

The timing couldn’t have been worse. This happened on August 31, just as the company was preparing to launch new cars to dealerships around the world. Jaguar Land Rover, controlled by the Indian conglomerate Tata Group, employs 34,000 people in the United Kingdom and supports another 120,000 British jobs through its supply chain.

The ransomware used in the attack was unlike anything some security researchers involved in the investigation had seen before, two people familiar with the case said. The encryption was sophisticated and unusual — “really, really complicated,” said one expert.

The attackers warned Jaguar not to seek help from British authorities and said they would make contact within 72 hours. The company ignored the warning and invited British investigators and other experts to its crisis room in the Midlands region.

Within hours, the company had to shut down its systems, halting production at its factories in England, as well as in Brazil, China, India and Slovakia. It was a drastic measure, but it allowed the company to stop hackers from taking full control of its global network. The ransomware was designed to encrypt servers, including backup servers, locking Jaguar out of its own systems.

Ultimately, the attackers were kicked off the networks as cybersecurity experts fought to regain control. Jaguar slowly restarted operations in October and restored production to normal levels in mid-November.

After containing the attack, the company carried out an analysis to identify those responsible. A hacker collective that called itself Scattered Lapsus$ Hunters — a mix of names inspired by existing criminal groups that had claimed responsibility for dozens of major corporate intrusions in recent years — claimed the attack in a Telegram channel.

One such group, Scattered Spider, was suspected of several attacks on British retailers last spring, including Harrods and Marks & Spencer. The group also targeted American companies.

Investigators quickly concluded that the methods used against Jaguar Land Rover were different from those employed in these attacks, which involved ransom demands in at least two cases and resorted to online deception tactics such as phishing to trick targets into granting access.

The company didn’t know who was behind the attack until Microsoft alerted it in the days after the hack that the group responsible was Russian, three people familiar with the investigation said. Microsoft declined to comment.

Jaguar Land Rover has since recovered with help from the government, which gave the automaker a guarantee for a loan of about $2 billion that could be used to support its suppliers.

At the cybersecurity conference in Scotland, Jarvis said the damage was remarkable.

“If this damage had been caused by a physical attack, the old-fashioned way, it would be the equivalent of hundreds of masked criminals showing up at dealerships across the country, breaking windows, destroying computers and taking cars right off the lot,” he said.

c.2026 The New York Times Company
