Dodd Group, a property contractor serving the UK’s Ministry of Defence (MoD), suffered a ransomware attack by the group *Lynx Ransomware*, leading to a massive breach of sensitive data. The attackers exfiltrated approximately 4TB of data, including classified documents related to eight Royal Air Force (RAF) and Royal Navy bases, such as RAF Lakenheath (hosting US F-35 jets), as well as MoD staff names, emails, security instructions, technical schematics, fuel-card details, and restricted area maps. The initial compromise occurred on September 23, and the data was leaked in stages on the dark web. The incident was described by security experts as a ‘catastrophic security failure’ and a ‘massive national security breach’, given the exposure of military infrastructure details, operational security protocols, and personnel data. The attack not only creates operational vulnerabilities for NATO-aligned forces but also fuels concerns over Russian hybrid warfare tactics targeting critical defense contractors. Dodd Group confirmed the ransomware incident, stating that it took containment measures and engaged forensic specialists, while the MoD launched an active investigation.
Source: https://san.com/cc/ransomware-at-uk-military-contractor-leads-to-dark-web-dump/
TPRM report: https://www.rankiteo.com/company/dodd-group-ltd-
{
"id": "dod3603336102125",
"linkid": "dodd-group-ltd-",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
}
{'affected_entities': [{'industry': 'Defense/Military',
'location': 'United Kingdom',
'name': 'UK Ministry of Defence (MoD)',
'type': 'Government'},
{'customers_affected': ['MoD',
'Solihull Community Housing',
'Warwickshire Council (implied '
'via project folders)'],
'industry': 'Facilities Management/Property '
'Contracting',
'location': 'United Kingdom',
'name': 'Dodd Group',
'type': 'Private Company'},
{'industry': 'Defense',
'location': 'Suffolk, UK',
'name': 'Royal Air Force (RAF) Lakenheath',
'type': 'Military Base'},
{'industry': 'Defense',
'location': 'UK',
'name': 'RAF Portreath',
'type': 'Military Base'},
{'industry': 'Defense',
'location': 'UK',
'name': 'RNAS Culdrose',
'type': 'Military Base'},
{'industry': 'Defense',
'location': 'UK',
'name': 'RAF Predannack',
'type': 'Military Base'},
{'industry': 'Defense',
'location': 'UK',
'name': 'HMS Raleigh',
'type': 'Military Base'},
{'industry': 'Defense',
'location': 'UK',
'name': 'HMS Drake',
'type': 'Military Base'},
{'industry': 'Defense',
'location': 'UK',
'name': 'RAF St Mawgan',
'type': 'Military Base'}],
'attack_vector': ['Phishing (suspected)',
'Malicious Email',
'Insecure Device Connection (suspected)',
'Third-Party Vendor Compromise (Dodd Group)'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['PDFs (reports, contracts)',
'CAD files (schematics)',
'Spreadsheets (fleet/fuel data)',
'Emails (internal guidance)',
'Visitor logs'],
'personally_identifiable_information': ['Names',
'Email addresses',
'Vehicle details '
'(fleet data)'],
'sensitivity_of_data': 'High (military base layouts, '
'personnel info, security '
'instructions)',
'type_of_data_compromised': ['Personnel Data (names/emails)',
'Operational Documents (base '
'maps, schematics)',
'Administrative Data (pass '
'applications, contracts)',
'Financial Data (fuel-card '
'numbers)',
'Technical Data (CAD projects, '
'energy grids)']},
'date_detected': '2023-09-23',
'date_publicly_disclosed': '2023-10-01',
'description': 'Britain’s Ministry of Defence (MoD) is investigating claims '
'that Russian hackers (Lynx Ransomware group) stole hundreds '
'of sensitive documents related to eight Royal Air Force (RAF) '
'and Royal Navy bases, along with MoD staff names and emails, '
'and posted them on the dark web. The breach originated from a '
'ransomware attack on property contractor Dodd Group, '
'which provided an entry point into MoD-related data. The '
'leaked files include restricted RAF Lakenheath maps, '
'technical schematics, fleet/fuel data, subcontractor orders, '
'and security instructions. The incident is described as a '
"'catastrophic security failure' and a 'massive national "
"security breach' by experts, with speculation of Russian "
'hybrid activity targeting NATO members.',
'impact': {'brand_reputation_impact': ["MoD: 'Catastrophic security failure' "
'(Col. Phil Ingram)',
'Dodd Group: Under scrutiny for supply '
'chain breach'],
'data_compromised': ['MoD staff names/emails',
'RAF/Royal Navy base documents (8 bases)',
'Restricted RAF Lakenheath area maps',
'Technical schematics (base lighting, energy '
'grids)',
'Fleet/fuel data (vehicle details, fuel-card '
'numbers)',
'Visitor forms/records (RAF Portreath, RNAS '
'Culdrose)',
'Internal email guidance/security '
'instructions',
'Subcontractor orders',
'Monthly/quarterly customer reports (2024)',
'Abusive Behaviour Reports (Dodd projects)',
'CAD projects/standards',
'Status of RAF Base Pass Applications',
'Material tied to RAF Predannack, HMS '
'Raleigh, HMS Drake, RAF St Mawgan'],
'identity_theft_risk': ['MoD staff (names/emails)',
'Fleet drivers (fuel-card data)'],
'operational_impact': ['Potential phishing risks due to exposed '
'security instructions',
'National security risk (exposed base '
'layouts, visitor records)',
'Reputation damage to MoD and Dodd Group'],
'payment_information_risk': ['Fuel-card numbers exposed'],
'systems_affected': ['Dodd Group internal systems',
'MoD-related data accessed via Dodd Group']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'Dodd Group (third-party contractor '
'for MoD)',
'high_value_targets': ['RAF Lakenheath (F-35 base)',
'MoD personnel data']},
'investigation_status': 'Ongoing (MoD and Dodd Group)',
'motivation': 'Financial Gain (claimed by Lynx Ransomware; group states it '
'avoids governments/hospitals/nonprofits but targets were '
'MoD-related via contractor)',
'post_incident_analysis': {'root_causes': ['Third-party vendor compromise '
'(Dodd Group)',
'Suspected human error '
'(phishing/insecure device)']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Lynx Ransomware'},
'references': [{'date_accessed': '2023-10-01',
'source': 'Daily Mail / Mail on Sunday'},
{'date_accessed': '2023-10-01', 'source': 'BBC News'},
{'date_accessed': '2023-10-01', 'source': 'The Times'},
{'date_accessed': '2023-10-01', 'source': 'Newsweek'},
{'date_accessed': '2023-10-01',
'source': 'SAN (Unbiased. Straight Facts™)'}],
'regulatory_compliance': {'regulatory_notifications': ['Ongoing investigation '
'by MoD']},
'response': {'communication_strategy': ["MoD: 'Actively investigating; no "
'further comment to safeguard '
"operational info'",
'Dodd Group: Public confirmation of '
'breach, contact with '
'customers/authorities'],
'containment_measures': ['Immediate steps taken by Dodd Group '
'(unspecified)'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'third_party_assistance': ['Specialist forensic firm (hired by '
'Dodd Group)']},
'stakeholder_advisories': ['MoD: No further comment to protect operational '
'security',
'Dodd Group: Validating published data, contacting '
'affected parties'],
'threat_actor': 'Lynx Ransomware (allegedly Russian-affiliated)',
'title': 'Russian Hackers Steal Sensitive UK Ministry of Defence Documents '
'via Dodd Group Ransomware Attack',
'type': ['Data Breach', 'Ransomware Attack', 'Supply Chain Attack']}