ctipilot.ch

NYT investigation gives first named attribution for the Jaguar Land Rover ransomware attack — a Russian state-linked criminal group

From CTI Daily Brief — 2026-06-28 · published 2026-06-28

A New York Times investigation published 2026-06-26 provides the first named attribution for the August–October 2025 ransomware attack on Jaguar Land Rover (JLR): investigators including the FBI, the UK National Crime Agency, NCSC, Google Mandiant and Palo Alto Networks now attribute the core intrusion to a Russian state-linked criminal group (Microsoft is reported to have named the group to investigators) (TechCrunch, 2026-06-26; The Next Web, 2026-06-26). The attribution is the investigators' assessment relayed through journalism — the UK government has not made it official, and investigators say they cannot establish whether the group acted on Kremlin orders, with tacit approval, or independently. The attack halted JLR manufacturing for roughly six weeks and disrupted 5,000+ supply-chain businesses, with UK economic damage estimated at ~£1.9 bn ($2.5 bn). Investigators also found a separate Jordanian actor ("Rey") independently inside JLR networks, illustrating multi-actor opportunistic access to the same under-segmented victim.