Russian hackers were behind $2.5 billion hack of Jaguar Land Rover: Report
TechCrunch
β’Fri, 26 Jun 2026 17:29:29 +0000
π° What Happened
The devastating cyberattack on Jaguar Land Rover (JLR) that halted production for months and cost the British economy an estimated $2.5 billion has been attributed to Russian hackers, according to a New York Times report citing people close to the investigation. The attack on JLR, one of the United Kingdom's largest employers, was so severe that the UK government was forced to intervene with a Β£1.5 billion (approximately $2 billion) bailout to keep the company afloat. For months following the breach, the identity of the attackers remained unknown, with only speculation circulating in cybersecurity circles.
The investigation involved multiple agencies, including the FBI, Britain's National Crime Agency and National Cyber Security Centre, Google's Mandiant unit, and Palo Alto Networks. Microsoft was tracking the Russian hacking group and alerted JLR to the hackers' identities. However, the report notes it remains unclear whether the hackers were working directly for Vladimir Putin's government, were independent cybercriminals, or something in between β such as criminals operating with the government's tacit approval. In an unusual twist, investigators also discovered that a Jordanian hacker who went by the alias "Rey" had separately breached JLR's networks, suggesting the company's cybersecurity defenses were compromised from multiple directions.
π The Backstory
Jaguar Land Rover, owned by India's Tata Motors, is one of Britain's largest manufacturing employers with tens of thousands of workers across multiple plants in the UK. The company has been navigating a difficult transition to electric vehicles while dealing with supply chain disruptions. The cyberattack, which occurred in 2025, crippled JLR's manufacturing operations, forcing prolonged production halts at several facilities. The attack compounded existing challenges from the global semiconductor shortage and the shift to EVs. The attribution to Russian hackers comes against a backdrop of escalating cyber tensions between Russia and Western nations following the Ukraine war, with Russian state-sponsored groups like Sandworm, APT29 (Cozy Bear), and APT28 (Fancy Bear) having been implicated in numerous high-profile attacks, including the SolarWinds breach, the Colonial Pipeline ransomware attack, and various critical infrastructure intrusions. The involvement of a separate Jordanian hacker adds another layer of complexity to what was already one of the most consequential cyber incidents of the decade.
π― Why It Matters
This attack represents one of the most economically damaging cyberattacks in history against a single company, directly costing billions and triggering a government bailout. It underscores the vulnerability of critical industrial infrastructure to sophisticated state-linked hacking groups and the cascading economic damage such attacks can cause, far beyond just data theft or ransomware. The attack also highlights the increasingly blurred line between state-sponsored cyber warfare and criminal hacking, where the Russian government can achieve strategic objectives through plausible deniability while criminal groups operate with apparent impunity.
The devastating cyberattack on Jaguar Land Rover (JLR) that halted production for months and cost the British economy an estimated $2.5 billion has been attributed to Russian hackers, according to a New York Times report citing people close to the investigation. The attack on JLR, one of the United Kingdom's largest employers, was so severe that the UK government was forced to intervene with a Β£1.5 billion (approximately $2 billion) bailout to keep the company afloat. For months following the breach, the identity of the attackers remained unknown, with only speculation circulating in cybersecurity circles.
The investigation involved multiple agencies, including the FBI, Britain's National Crime Agency and National Cyber Security Centre, Google's Mandiant unit, and Palo Alto Networks. Microsoft was tracking the Russian hacking group and alerted JLR to the hackers' identities. However, the report notes it remains unclear whether the hackers were working directly for Vladimir Putin's government, were independent cybercriminals, or something in between β such as criminals operating with the government's tacit approval. In an unusual twist, investigators also discovered that a Jordanian hacker who went by the alias "Rey" had separately breached JLR's networks, suggesting the company's cybersecurity defenses were compromised from multiple directions.
Jaguar Land Rover, owned by India's Tata Motors, is one of Britain's largest manufacturing employers with tens of thousands of workers across multiple plants in the UK. The company has been navigating a difficult transition to electric vehicles while dealing with supply chain disruptions. The cyberattack, which occurred in 2025, crippled JLR's manufacturing operations, forcing prolonged production halts at several facilities. The attack compounded existing challenges from the global semiconductor shortage and the shift to EVs. The attribution to Russian hackers comes against a backdrop of escalating cyber tensions between Russia and Western nations following the Ukraine war, with Russian state-sponsored groups like Sandworm, APT29 (Cozy Bear), and APT28 (Fancy Bear) having been implicated in numerous high-profile attacks, including the SolarWinds breach, the Colonial Pipeline ransomware attack, and various critical infrastructure intrusions. The involvement of a separate Jordanian hacker adds another layer of complexity to what was already one of the most consequential cyber incidents of the decade.
This attack represents one of the most economically damaging cyberattacks in history against a single company, directly costing billions and triggering a government bailout. It underscores the vulnerability of critical industrial infrastructure to sophisticated state-linked hacking groups and the cascading economic damage such attacks can cause, far beyond just data theft or ransomware. The attack also highlights the increasingly blurred line between state-sponsored cyber warfare and criminal hacking, where the Russian government can achieve strategic objectives through plausible deniability while criminal groups operate with apparent impunity.