TL;DR
Russian hackers carried out the JLR cyberattack that halted production for six weeks and cost the UK $2.5B, the NYT reports.
The New York Times identifies the perpetrators of the most financially damaging cyberattack in UK history, but investigators still cannot say whether the hackers were working for Putin's government.
Russian hackers were behind last year’s devastating cyberattack on Jaguar Land Rover, according to a New York Times investigation published Thursday. The breach, which began on 31 August 2025, shut down production across JLR’s factories for nearly six weeks and cost the British economy an estimated two and a half billion dollars, making it the most financially damaging cyberattack in UK history. Investigators have not determined whether the hackers were working directly for Vladimir Putin’s government, were independent criminals, or were operating with the government’s tacit approval.
Microsoft was tracking the Russian hacking group and alerted JLR to their identities, according to the Times. The FBI, Britain’s National Crime Agency, the National Cyber Security Centre, Google’s Mandiant unit, and Palo Alto Networks all contributed to the investigation, an unusually broad coalition that reflects the severity of the breach.
The attack originated with a vishing campaign weeks before the breach went public, in which attackers posing as internal staff tricked JLR employees into handing over login credentials. Armed with valid usernames and passwords, in some cases with administrator privileges, the hackers entered through normal authentication flows and moved laterally across JLR’s IT networks. Production lines ceased on 1 September, and staff were told to stay home.
The damage extended far beyond the factory floor. The UK’s Cyber Monitoring Centre estimated the total economic cost at one point nine billion pounds, with more than 5,000 organizations across JLR’s supply chain affected. The Bank of England later attributed a shortfall in GDP growth partly to the attack, noting that headline output had grown by just two tenths of a percent, less than it had projected.
The UK government responded with an emergency loan of one and a half billion pounds, roughly two billion dollars, to help restore JLR’s supply chain, an unprecedented intervention for a cyberattack. A group calling itself Scattered Lapsus$ Hunters initially claimed responsibility on Telegram shortly after the breach, but the NYT investigation now points to a separate Russian operation.
In a rare twist, investigators found that the Russian group was not the only one inside JLR’s networks. A Jordanian hacker who went by the name Rey had also breached parts of the company’s infrastructure independently, according to the Times. The discovery of two unrelated intrusions in the same victim underscores a problem that multiple breach investigations have surfaced in recent years, as state-linked and criminal hackers increasingly converge on the same high-value targets.
The attribution arrives amid an intensifying pattern of Russian-linked cyber operations targeting Western and Ukrainian infrastructure, from credential-stealing campaigns against Ukrainian military targets to DDoS attacks across Europe. Dutch police seized 800 servers last month tied to a Kremlin-linked group that had been attacking European government websites from data centres in the Netherlands. The Five Eyes intelligence alliance warned last week that frontier AI will make these attacks faster and harder to stop, a prospect that makes JLR’s six-week shutdown look like a preview of what is coming.