Russian hackers (allegedly the group Lynx) breached The Dodd Group, a UK-based maintenance and construction contractor for the Ministry of Defence (MoD), stealing ~4TB of sensitive data, including documents from eight RAF and Royal Navy bases (e.g., RAF Lakenheath, which houses US F-35 stealth jets and nuclear bombs; RAF Portreath, a NATO radar station; and RNAS Culdrose). The compromised data includes MoD personnel names and emails, contractor details (car registrations, mobile numbers), visitor logs, and internal security instructions, some of them marked ‘Controlled’ or ‘Official Sensitive’. The attackers posted the data on the dark web in staged releases, having exploited a third-party supply chain weakness to bypass the military's own cyber defences. The breach risks enabling phishing attacks, intelligence gathering by adversaries (e.g., Russia), and potential infiltration of broader defence systems. Experts call it a ‘catastrophic security failure’ that undermines UK-US defence cooperation and exposes critical infrastructure weaknesses. The Dodd Group, which also works with the NHS and the Duchy of Cornwall, confirmed the attack but downplayed it as the theft of ‘limited data’.
Source: https://www.dailymail.co.uk/news/article-15205213/Russians-hack-files-EIGHT-MoD-bases-dark-web.html
TPRM report: https://www.rankiteo.com/company/dodd-group-ltd-
"id": "dod0603306102125",
"linkid": "dodd-group-ltd-",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Defense',
'location': 'United Kingdom',
'name': 'UK Ministry of Defence (MoD)',
'type': 'Government/Military'},
{'customers_affected': ['MoD',
'NHS',
'Duchy of Cornwall'],
'industry': 'Construction/Maintenance',
'location': 'United Kingdom',
'name': 'Dodd Group',
'size': '£294M turnover (2022), £53M gross profit',
'type': 'Private Company'},
{'industry': 'Defense/Aviation',
'location': 'Suffolk, UK',
'name': 'RAF Lakenheath',
'type': 'Military Base'},
{'industry': 'Defense/Radar (NATO air defense)',
'location': 'Cornwall, UK',
'name': 'RAF Portreath',
'type': 'Military Base'},
{'industry': 'Defense/Drones (UK National Drone Hub)',
'location': 'Cornwall, UK',
'name': 'RAF Predannack',
'type': 'Military Base'},
{'industry': 'Defense/Naval Aviation',
'location': 'Cornwall, UK',
'name': 'RNAS Culdrose',
'type': 'Military Base'},
{'industry': 'Defense/Naval Training',
'location': 'UK',
'name': 'HMS Raleigh',
'type': 'Military Base'},
{'industry': 'Defense/Naval',
'location': 'UK',
'name': 'HMS Drake',
'type': 'Military Base'},
{'industry': 'Defense',
'location': 'Cornwall, UK',
'name': 'RAF St Mawgan',
'type': 'Military Base'},
{'industry': 'Defense/Aviation (US F-35 squadrons)',
'location': 'Suffolk, UK',
'name': 'RAF Mildenhall',
'type': 'Military Base'},
{'customers_affected': ['MoD (RAF Lakenheath, RAF '
'Mildenhall projects)'],
'industry': 'Construction',
'location': 'UK',
'name': 'Kier Group',
'type': 'Private Company'}],
'attack_vector': ['Third-Party Compromise (Dodd Group)',
'Gateway Attack',
'Data Exfiltration'],
'data_breach': {'data_exfiltration': {'method': 'Staged dark web leaks (2/4 '
'dumps released)',
'volume': '4TB total'},
'file_types_exposed': ['PDFs',
'Visitor forms',
'Emails',
'Construction plans',
'Security instructions'],
'number_of_records_exposed': '~1,000 documents (partial dump; '
'total ~4TB)',
'personally_identifiable_information': ['MoD personnel '
'names/emails',
'Contractor names/car '
'registrations/mobile '
'numbers'],
'sensitivity_of_data': ['High (military/defense)',
'Medium (PII)'],
'type_of_data_compromised': ['Military base operational '
'details',
'Personally identifiable '
'information (PII)',
'Internal security protocols',
'Construction/visitor logs',
'Classified documents '
"('Controlled'/'Official "
"Sensitive')"]},
'date_detected': '2023-09-23',
'description': 'Russian hackers (group Lynx) breached the systems of UK '
'maintenance contractor Dodd Group, stealing ~4TB of sensitive '
'military data (including details of 8 RAF/Royal Navy bases, '
'MoD staff names/emails, and contractor PII) and leaking it on '
'the dark web in staged releases. The breach exploited the '
'contractor’s weaker security to bypass MoD’s defenses, '
"exposing classified documents marked 'Controlled' or "
"'Official Sensitive,' including visitor logs, construction "
'plans for bases housing US F-35 stealth jets and nuclear '
'weapons (e.g., RAF Lakenheath), and internal security '
'protocols. The incident underscores supply chain '
'vulnerabilities in UK defense infrastructure.',
'impact': {'brand_reputation_impact': ['Embarrassment to UK MoD and allies '
'(especially US)',
'Erosion of trust in MoD supply chain '
'security',
"Public scrutiny over 'creaking IT "
"infrastructure' and lack of "
'accountability'],
'data_compromised': {'types': ['Military base '
'blueprints/construction plans',
'MoD personnel names/emails',
'Contractor PII (names, car '
'registrations, mobile numbers)',
'Visitor logs (RAF Portreath, RNAS '
'Culdrose, etc.)',
'Internal security '
'instructions/email guidance',
"Documents marked 'Controlled' or "
"'Official Sensitive'"],
'volume': '~4TB'},
'identity_theft_risk': ['High (for MoD personnel and contractors)'],
'operational_impact': ['Risk of follow-on phishing attacks using '
'leaked security protocols',
'Potential physical security risks at '
'military bases (e.g., RAF Lakenheath, RAF '
'Portreath)',
'Compromised NATO air defense network '
'intelligence (RAF Portreath radar station)',
'US-UK defense relations strained '
'(nuclear/stealth asset exposure)'],
'systems_affected': ['Dodd Group IT systems',
'Secured MoD repositories (via lateral '
'movement)']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (staged releases; 2/4 '
'dumps public)',
'entry_point': 'Dodd Group IT systems',
'high_value_targets': ['RAF Lakenheath (US '
'F-35/nuclear assets)',
'RAF Portreath (NATO radar)',
'MoD personnel PII']},
'investigation_status': 'Ongoing (MoD and Dodd Group)',
'lessons_learned': ['Supply chain vulnerabilities in defense contractors are '
'critical attack vectors.',
'Lateral movement from third parties can bypass primary '
'organization defenses.',
"Even 'mundane' data (e.g., visitor logs) can enable "
'sophisticated follow-on attacks (e.g., phishing).',
'Public disclosure of breaches involving allies (e.g., '
'US) has diplomatic repercussions.',
'Outdated IT infrastructure and lack of accountability '
'exacerbate risks.'],
'motivation': ['Cyber Espionage',
'Financial Gain (Potential Ransom)',
'Geopolitical Advantage',
'Intelligence Gathering'],
'post_incident_analysis': {'root_causes': ['Inadequate cybersecurity at '
'third-party contractor (Dodd '
'Group)',
'Lack of segmentation between '
'contractor and MoD systems',
'Outdated MoD IT '
'processes/infrastructure',
'Failure to detect exfiltration of '
'4TB data']},
'ransomware': {'data_exfiltration': 'Yes (4TB)'},
'recommendations': ['Enhance third-party cybersecurity audits for defense '
'contractors.',
'Implement zero-trust architecture to limit lateral '
'movement.',
'Monitor dark web for leaked defense-related data '
'proactively.',
'Update MoD IT infrastructure and incident response '
'protocols.',
'Establish clearer accountability mechanisms for supply '
'chain breaches.'],
'references': [{'source': 'The Mail on Sunday'},
{'source': 'National Cyber Security Centre (NCSC) warning'}],
'response': {'communication_strategy': ["MoD public statement ('actively "
"investigating')",
"Dodd Group downplayed as 'limited "
"data'"],
'containment_measures': ['Securing Dodd Group systems',
'Limiting further data dumps'],
'incident_response_plan_activated': ['Dodd Group '
'secured/recovered systems',
'MoD investigation '
'launched']},
'threat_actor': {'affiliation': 'Russian cybercrime group',
'geographic_restrictions': 'Avoids targeting former Soviet '
'states',
'name': 'Lynx',
'recruitment': 'Russian-speaking underground forums'},
'title': "'Catastrophic' cyberattack on UK MoD via third-party contractor "
'Dodd Group by Russian hackers (Lynx)',
'type': ['Data Breach',
'Cyber Espionage',
'Supply Chain Attack',
'Dark Web Leak'],
'vulnerability_exploited': ['Weak Security Controls at Third-Party Contractor',
'Lateral Movement from Contractor to MoD Systems']}