Russian hackers were responsible for the JLR cyberattack that resulted in a $2.5 billion loss for the UK economy.
A New York Times investigation published on Thursday indicates that Russian hackers were responsible for last year’s significant cyberattack on Jaguar Land Rover (JLR). This breach commenced on August 31, 2025, and led to a production halt in JLR’s factories for nearly six weeks, resulting in an estimated cost of $2.5 billion to the British economy, marking it as the most financially damaging cyberattack in the UK’s history. It remains unclear if the hackers were directly affiliated with Vladimir Putin's government, were independent criminals, or acted with government approval.
According to the Times, Microsoft was monitoring the Russian hacking group and informed JLR about their identities. The investigation involved contributions from the FBI, Britain’s National Crime Agency, the National Cyber Security Centre, Google’s Mandiant unit, and Palo Alto Networks, demonstrating the seriousness of the breach.
The attack was initiated through vishing campaigns weeks prior to the public revelation, wherein attackers impersonating internal staff deceived JLR employees into disclosing their login credentials. Equipped with valid usernames and passwords, sometimes with administrator access, the hackers accessed JLR’s IT networks through standard authentication protocols and moved laterally within the systems. Production lines halted on September 1, and employees were instructed to remain at home.
The impact went well beyond the production facilities. The UK’s Cyber Monitoring Centre estimated the overall economic damage at £1.9 billion, affecting over 5,000 organizations in JLR’s supply chain. The Bank of England subsequently linked a drop in GDP growth to the attack, observing that overall output increased by only 0.2%, lower than anticipated.
In response, the UK government provided an emergency loan of £1.5 billion, approximately $2 billion, to aid in the restoration of JLR’s supply chain, a rare governmental intervention following a cyber incident. Shortly after the breach, a group named Scattered Lapsus$ Hunters claimed responsibility on Telegram, but the NYT investigation has since identified a different Russian entity as the perpetrator.
In an unexpected development, investigators revealed that the Russian group was not the sole entity infiltrating JLR’s networks. A Jordanian hacker known as Rey had also independently compromised parts of the company’s infrastructure. This dual intrusion illustrates a growing issue in breach investigations, where state-affiliated and criminal hackers are increasingly targeting the same high-value entities.
This attribution comes as Russian-linked cyber operations targeting Western and Ukrainian infrastructure intensify, ranging from credential-stealing efforts aimed at Ukrainian military targets to DDoS attacks across Europe. Last month, Dutch police confiscated 800 servers related to a Kremlin-affiliated group that had been attacking European government websites from data centers in the Netherlands. The Five Eyes intelligence alliance issued a warning last week that emerging AI technologies will accelerate these attacks and complicate mitigation efforts, suggesting that JLR's six-week shutdown may be a precursor to future threats.
