Russian hackers (Lynx group) breached the UK’s Ministry of Defence (MoD) by exploiting a third-party contractor (Dodd Group), gaining access to **hundreds of classified military documents**—including files marked *‘Controlled’* or *‘Official Sensitive’*—from **eight RAF and Royal Navy bases**. The leaked data (4TB total) includes **names, emails, and mobile numbers of MoD personnel and contractors**, **car registrations**, **visitor logs for high-security sites (e.g., RAF Lakenheath, home to US F-35 stealth jets and nuclear bombs)**, and **internal security instructions**, all of which could aid future phishing attacks. Two of four planned data dumps have been released on the dark web, with the hackers threatening further leaks. The breach, described as *‘catastrophic’* by experts, compromises **national security**, **embarrasses key allies (e.g., the US)**, and exposes critical vulnerabilities in the MoD’s supply chain and IT infrastructure. The attack used the maintenance contractor as a *‘gateway’*, bypassing the MoD’s primary cyber defenses.
Source: https://www.thesun.co.uk/news/37057525/russian-hackers-steal-ministry-of-defence-files-dark-web/
TPRM report: https://www.rankiteo.com/company/uk-ministry-of-defence
{
  "id": "uk-5562155102025",
  "linkid": "uk-ministry-of-defence",
  "type": "Cyber Attack",
  "date": "10/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {"industry": "defense", "location": "United Kingdom", "name": "UK Ministry of Defence (MoD)", "type": "government/military"},
    {"customers_affected": ["MoD personnel", "contractors", "visitors to RAF/Royal Navy bases"], "industry": "construction/maintenance", "location": "United Kingdom", "name": "Dodd Group", "type": "private contractor"},
    {"customers_affected": ["US Armed Forces (F-35 stealth jets)", "MoD personnel"], "industry": "defense/aviation", "location": "Suffolk, UK", "name": "RAF Lakenheath", "type": "military base"},
    {"industry": "defense", "location": "Cornwall, UK", "name": "RAF Portreath", "type": "military base (radar)"},
    {"industry": "defense/UAV", "location": "Cornwall, UK", "name": "RAF Predannack (National Drone Hub)", "type": "military base"},
    {"industry": "defense/aviation", "location": "Cornwall, UK", "name": "RNAS Culdrose", "type": "Royal Navy air station"},
    {"industry": "construction", "location": "United Kingdom", "name": "Kier Group", "type": "private contractor"}
  ],
  "attack_vector": [
    "third-party compromise (Dodd Group)",
    "gateway attack",
    "phishing (likely)",
    "dark web data exfiltration"
  ],
  "customer_advisories": [
    "MoD personnel: monitor for phishing/social engineering attacks using leaked PII.",
    "Contractors: reset credentials and enable MFA for all MoD-linked systems.",
    "Affiliated organizations: audit third-party access to sensitive networks."
  ],
  "data_breach": {
    "data_exfiltration": ["dark web leaks (2/4 dumps released)", "planned staged releases"],
    "file_types_exposed": ["PDFs", "emails", "spreadsheets", "visitor forms", "construction documents"],
    "number_of_records_exposed": "hundreds of files (4TB total)",
    "personally_identifiable_information": ["names", "email addresses", "mobile numbers", "car registrations"],
    "sensitivity_of_data": ["Controlled", "Official Sensitive", "potentially Secret (e.g., F-35/nuclear bomb references)"],
    "type_of_data_compromised": [
      "military operational documents",
      "personnel PII (names, emails, mobile numbers)",
      "contractor data (car registrations, contact details)",
      "visitor logs",
      "construction project details",
      "internal security guidance"
    ]
  },
  "date_detected": "2023-09-23",
  "description": "Russian cybercriminals (group 'Lynx') stole hundreds of military documents from the UK Ministry of Defence (MoD) and leaked them on the dark web. The breach compromised eight RAF and Royal Navy bases, including sensitive data such as personnel names, emails, contractor details, and operational documents. The attack was executed via a third-party contractor (Dodd Group), bypassing the MoD’s cyber defenses. Approximately 4TB of data, including 'Controlled' and 'Official Sensitive' files, were exfiltrated. The hackers have released two of four planned data dumps, with threats of further leaks if unresolved.",
  "impact": {
    "brand_reputation_impact": [
      "severe damage to MoD credibility",
      "eroded trust in UK national security",
      "international embarrassment (especially with US allies)"
    ],
    "data_compromised": [
      "military documents (RAF/Royal Navy bases)",
      "MoD personnel names/emails",
      "contractor names/car registrations/mobile numbers",
      "internal email guidance/security instructions",
      "visitor logs (RAF Portreath, RNAS Culdrose)",
      "construction details (Kier’s work at RAF Lakenheath)",
      "4TB of data (including secured repositories)"
    ],
    "identity_theft_risk": ["high (personnel/contractor PII exposed)"],
    "legal_liabilities": ["potential GDPR violations (personal data)", "contractual breaches with third parties"],
    "operational_impact": [
      "compromised security protocols (phishing aid)",
      "embarrassment to UK/US allies",
      "potential disruption to military operations",
      "loss of trust in MoD supply chain"
    ],
    "systems_affected": [
      "Dodd Group (third-party contractor)",
      "MoD email systems",
      "secured document repositories",
      "RAF Lakenheath (F-35 stealth jets/nuclear bomb data)",
      "RAF Portreath (radar base)",
      "RAF Predannack (National Drone Hub)",
      "RNAS Culdrose (Royal Navy air station)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": ["likely (persistent access to exfiltrate 4TB)"],
    "data_sold_on_dark_web": ["4TB in staged dumps (2/4 released)", "Russian-speaking forums"],
    "entry_point": "Dodd Group (third-party contractor)",
    "high_value_targets": [
      "RAF Lakenheath (F-35/nuclear bombs)",
      "RAF Portreath (radar base)",
      "MoD personnel data",
      "secured document repositories"
    ]
  },
  "investigation_status": "active (MoD-led, NCSC involved)",
  "lessons_learned": [
    "Supply chain vulnerabilities are critical attack vectors for nation-state/advanced threats.",
    "Third-party contractors with MoD access require stricter cybersecurity oversight.",
    "Outdated IT infrastructure and rigid processes exacerbate breach risks.",
    "Dark web monitoring is essential for early detection of leaked sensitive data.",
    "Lack of accountability in repeated MoD breaches undermines public trust."
  ],
  "motivation": ["financial gain (ransom threats)", "espionage", "geopolitical disruption", "reputation damage"],
  "post_incident_analysis": {
    "root_causes": [
      "Inadequate third-party risk management (Dodd Group compromise).",
      "Over-reliance on perimeter defenses without zero-trust controls.",
      "Legacy IT systems vulnerable to modern exfiltration techniques.",
      "Lack of real-time dark web monitoring for leaked data.",
      "Cultural issues: 'lack of care' and accountability in MoD cybersecurity (per expert comments)."
    ]
  },
  "ransomware": {
    "data_exfiltration": true,
    "ransom_demanded": ["implied ('resolve this matter before consequences unfold')"]
  },
  "recommendations": [
    "Implement zero-trust architecture for third-party access to MoD systems.",
    "Mandate multi-factor authentication (MFA) and continuous monitoring for all contractors.",
    "Conduct regular red-team exercises targeting supply chain weaknesses.",
    "Upgrade legacy IT systems to modern, segmented networks with behavioral analytics.",
    "Establish a transparent breach disclosure protocol to rebuild stakeholder trust.",
    "Enhance collaboration with Five Eyes allies on cyber threat intelligence sharing."
  ],
  "references": [
    {"source": "The Mail on Sunday"},
    {"source": "The Sun", "url": "https://www.thesun.co.uk/news/24312344/russian-hackers-steal-mod-files-dark-web/"},
    {"source": "National Cyber Security Centre (NCSC) report"}
  ],
  "regulatory_compliance": {
    "regulations_violated": ["potential GDPR (personal data)", "UK Official Secrets Act (military data)"],
    "regulatory_notifications": ["National Cyber Security Centre (NCSC) involved"]
  },
  "response": {
    "communication_strategy": ["MoD statement: 'actively investigating'", "no public disclosure of remediation steps"],
    "containment_measures": ["investigation ongoing", "no public details on containment"],
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true
  },
  "stakeholder_advisories": [
    "US Armed Forces (F-35/nuclear asset exposure)",
    "UK Royal Navy/RAF (operational security risks)",
    "Dodd Group/Kier (contractor accountability)",
    "UK Parliament (oversight of MoD cybersecurity failures)"
  ],
  "threat_actor": {
    "affiliation": "Russian-speaking cybercriminal group",
    "location": "Russia (suspected)",
    "name": "Lynx",
    "type": ["hacktivist", "cybercriminal", "state-aligned (possible)"]
  },
  "title": "Major Breach: Russian Hackers Steal Hundreds of Ministry of Defence Files and Leak Them to Dark Web",
  "type": ["data breach", "cyber espionage", "supply chain attack"],
  "vulnerability_exploited": [
    "weak supply chain security",
    "inadequate third-party access controls",
    "outdated IT infrastructure"
  ]
}