Russian hackers were behind the JLR cyberattack that cost the UK economy $2.5 billion



TL;DR

Russian hackers carried out the JLR cyberattack that halted production for six weeks and cost the UK $2.5 billion, the NYT reports.

Russian hackers were behind last year’s devastating cyberattack on Jaguar Land Rover, according to a New York Times investigation published Thursday. The breach, which began on August 31, 2025, paralyzed production at JLR factories for almost six weeks and cost the British economy approximately $2.5 billion, making it the most financially damaging cyberattack in UK history. Investigators have not determined whether the hackers worked directly for Vladimir Putin’s government, were independent criminals, or operated with the government’s tacit approval.

Microsoft was tracking the Russian hacking group and alerted JLR to their identities, according to the Times. The FBI, Britain’s National Crime Agency, the National Cyber Security Center, Google’s Mandiant unit and Palo Alto Networks contributed to the investigation, an unusually broad coalition that reflects the severity of the breach.

The attack originated with a vishing campaign weeks before the breach became public, in which attackers posing as internal staff tricked JLR employees into handing over their login credentials. Armed with valid usernames and passwords, in some cases with administrator privileges, the hackers entered through normal authentication flows and moved laterally through JLR’s IT networks. Production lines ceased on September 1 and staff were ordered to stay home.

The damage extended far beyond the factory floor. The UK Cyber Monitoring Center estimated the total economic cost at nine billion pounds, with more than 5,000 organizations across JLR’s supply chain affected. The Bank of England later partly blamed a shortfall in GDP growth on the attack, noting that overall output had grown just two-tenths of a percent, less than it had projected.

The UK government responded with an emergency loan of 1.5 billion pounds, approximately $2 billion, to help restore JLR’s supply chain, an unprecedented intervention for a cyberattack. A group calling itself Scattered Lapsus$ Hunters initially claimed responsibility on Telegram shortly after the breach, but the NYT investigation now points to a separate Russian operation.

In a strange twist, investigators discovered that the Russian group was not the only one within JLR’s networks. A Jordanian hacker calling himself Rey had also independently breached parts of the company’s infrastructure, according to the Times. The discovery of two unrelated intrusions on the same victim underscores a problem that multiple breach investigations have surfaced in recent years, as criminal and state-linked hackers increasingly converge on the same high-value targets.

The attribution comes amid an increasingly intense pattern of Russian-linked cyber operations targeting Western and Ukrainian infrastructure, from credential theft campaigns against Ukrainian military targets to DDoS attacks across Europe. Dutch police confiscated 800 servers last month linked to a Kremlin-linked group that had been attacking European government websites from data centers in the Netherlands. The Five Eyes intelligence alliance warned last week that frontier AI will make these attacks faster and harder to stop, a prospect that makes JLR’s six-week shutdown seem like a preview of what’s to come.


