NYT investigation gives first named attribution for the Jaguar Land Rover ransomware attack — a Russian state-linked criminal group
From CTI Daily Brief — 2026-06-28 · published 2026-06-28
A New York Times investigation published 2026-06-26 provides the first named attribution for the August–October 2025 ransomware attack on Jaguar Land Rover (JLR): investigators including the FBI, the UK National Crime Agency, NCSC, Google Mandiant and Palo Alto Networks now attribute the core intrusion to a Russian state-linked criminal group (Microsoft is reported to have named the group to investigators) (TechCrunch, 2026-06-26; The Next Web, 2026-06-26). The attribution is the investigators' assessment relayed through journalism — the UK government has not made it official, and investigators say they cannot establish whether the group acted on Kremlin orders, with tacit approval, or independently. The attack halted JLR manufacturing for roughly six weeks and disrupted 5,000+ supply-chain businesses, with UK economic damage estimated at ~£1.9 bn ($2.5 bn). Investigators also found a separate Jordanian actor ("Rey") independently inside JLR networks, illustrating multi-actor opportunistic access to the same under-segmented victim.
Defender takeaway: Per the fake-news guard, treat the Russian attribution as the investigators'/NYT's claim, not an established fact, but the pattern (state-adjacent criminal ransomware against a NATO-aligned manufacturer, possibly retaliatory for Ukraine support) is a relevant sector signal for EU/Swiss defence-industrial and automotive supply chains. The multi-actor finding reinforces that a partially compromised perimeter invites additional opportunistic intrusion; prioritise segmentation, credential hygiene and tested clean-recovery for high-value manufacturing/OT estates.