Russian hackers were behind the JLR cyberattack that cost the UK economy $2.5 billion



TL;DR

The NYT reports that Russian hackers carried out a JLR cyberattack that halted production for six weeks and cost the UK $2.5 billion.

Russian hackers were behind the devastating cyberattack on Jaguar Land Rover last year, according to a New York Times investigation published Thursday. The breach, which began on August 31, 2025, halted production at JLR’s factories for nearly six weeks and cost the British economy an estimated two and a half billion dollars, making it the most financially damaging cyber attack in UK history. Investigators have not determined whether the hackers worked directly for Vladimir Putin’s government, were independent criminals, or acted with the government’s tacit approval.

According to the Times, Microsoft was monitoring a Russian hacking group and alerted JLR to their identity. The FBI, Britain’s National Crime Agency, the National Cyber Security Center, Google’s Mandiant unit and Palo Alto Networks contributed to the investigation, an unusually broad coalition that reflects the severity of the breach.

The attack began with a vishing campaign weeks before the breach was made public, in which attackers posing as internal employees tricked JLR employees into handing over their login credentials. Armed with trusted usernames and passwords, in some cases with administrator privileges, the hackers logged in through normal authentication flows and moved laterally across JLR’s IT networks. Production lines were shut down on September 1 and workers were told to stay home.

The damage went beyond the factory. The UK’s Cyber Monitoring Center estimated the total economic cost at one point nine billion pounds, with more than 5,000 organizations in JLR’s supply chain affected. The Bank of England later attributed the shortfall in GDP growth in part to the attack, noting that headline output grew by just two-tenths of a percent, less than forecast.

The UK government responded with an emergency loan of one and a half billion pounds, nearly two billion dollars, to help restore JLR’s supply chain, an unprecedented intervention for a cyber attack. A group calling itself Scattered Lapsus$ Hunters claimed responsibility on Telegram shortly after the breach, but a NYT investigation now points to a separate Russian operation.

In a rare twist, investigators discovered that the Russian group was not the only one in the JLR networks. According to the Times, a Jordanian hacker named Ray also independently compromised parts of the company’s infrastructure. The discovery of two unrelated intrusions on the same victim highlights a problem that has plagued numerous breach investigations in recent years as state-linked and criminal hackers increasingly converge on the same high-value targets.

The attribution comes amid an intensifying pattern of Russian-linked cyber operations targeting Western and Ukrainian infrastructure, from credential theft campaigns against Ukrainian military targets to DDoS attacks in Europe. Dutch police last month seized 800 servers linked to a Kremlin-linked group that attacks European government websites from data centers in the Netherlands. The Five Eyes intelligence alliance warned last week that frontier AI will make these attacks faster and harder to stop, making JLR’s six-week shutdown a preview of things to come.


