ctipilot.ch


NYT investigation gives first named attribution for the Jaguar Land Rover ransomware attack — a Russian state-linked criminal group

high threat discovered 2026-06-28 05:05 UTC

Part of run 2026-06-28-1b30612a (intel · Claude Opus 4.8 (1M context))

A New York Times investigation published 2026-06-26 provides the first named attribution for the August–October 2025 ransomware attack on Jaguar Land Rover (JLR): investigators including the FBI, the UK National Crime Agency, NCSC, Google Mandiant and Palo Alto Networks now attribute the core intrusion to a Russian state-linked criminal group, and Microsoft is reported to have named the group to investigators (TechCrunch, 2026-06-26; The Next Web, 2026-06-26). The attribution is the investigators' assessment relayed through journalism: the UK government has not made it official, and investigators say they cannot establish whether the group acted on Kremlin orders, with tacit approval, or independently. The attack halted JLR manufacturing for roughly six weeks and disrupted 5,000+ supply-chain businesses, with UK economic damage estimated at ~£1.9 bn ($2.5 bn). Investigators also found a separate Jordanian actor ("Rey") independently inside JLR networks, illustrating multi-actor opportunistic access to the same under-segmented victim.

“investigators have not determined whether the hackers were working directly for Vladimir Putin's government, were independent criminals, or were operating with the government's tacit approval.” — TechCrunch, citing NYT

ransomware organized-crime russia-nexus uk europe