The UK has quietly mounted offensive cyber operations against Russia, according to former British and American intelligence officials cited by The New York Times, in one of the clearest public indications yet that Britain’s cyber campaign against Moscow extends beyond defence and into active disruption.
The report, which attributes the 2025 cyberattack on Jaguar Land Rover to Russian hackers, also claims Britain has conducted covert cyber-intrusion and sabotage operations against Moscow. The UK has never publicly confirmed targeting Russia, although ministers and intelligence chiefs have become more willing to discuss the National Cyber Force’s offensive role in recent years.
Earlier this year, GCHQ Director Anne Keast-Butler said the NCF delivers “high-impact cyber operations every single day”, although officials have consistently stopped short of discussing individual missions or naming state targets.
The New York Times’ report marks a notable shift, placing Russia at the centre of Britain’s alleged offensive cyber activity at a time when relations between the two countries remain at their lowest point in decades.
The report also casts the Jaguar Land Rover attack in a different light. The breach forced the carmaker to halt production after shutting down its IT systems in August 2025. At the time, it looked like another major cybercrime incident, but if the reported attribution is correct, it may instead have been intended to damage a key British manufacturer rather than make money.
Paul Reynolds, a senior security architect with 25 years’ experience across UK central government, critical national infrastructure, and regulated enterprise, said the absence of a ransom demand made the reported attribution more believable.
“The NYT attribution is credible, but whether Russian hackers were directed, tolerated, or simply unleashed by the state is an important distinction,” he told Resilience Media. “Profit-motivated criminal groups do not walk away from the largest ransomware hit in British history without asking for money, and no ransom was ever demanded. That makes a state-sponsored attack a much more likely explanation.”
Reynolds pointed to comments made by the UK’s Security Minister earlier this year, describing Russia’s strategy as seeking to “quietly hollow us out” through cyber operations and other hostile activity that remain below the threshold of armed conflict.
“The JLR attack fits that model precisely,” he said.
The reported disclosure that Britain has itself conducted offensive operations against Russia should not come as a surprise, Reynolds added, given the government’s increasingly open discussion of the NCF’s role.
“The UK does not comment on specific targets, but it is well known that the capability exists, and it would be unusual not to use it against a sustained adversary,” he said.
Not everyone believes public attribution alone tells the full story. While Reynolds believes the circumstances make a state-backed explanation more likely, Kaveh Ranjbar, co-founder and CEO of Whisper Security, said publicly available evidence rarely tells the whole story when attributing sophisticated cyberattacks.
“Attribution at this level is rarely a single smoking gun,” he told Resilience Media. “What you can actually observe from the outside is infrastructure: the hosting, the routing, the domains, the reuse of tooling across incidents. That can place an attack inside a known cluster with real confidence. Tying that cluster to a specific government is a much harder step, and it usually rests on intelligence the public never sees rather than on the infrastructure alone.”
He argued that Russia’s cyber ecosystem is rarely as clear-cut as state versus criminal, making attribution more nuanced than a simple question of who gave the order.
“With Russia in particular, the sharper question is often not whether the state pressed the button but whether it created the conditions,” Ranjbar said. “A large part of the Russia-nexus threat runs as a tolerated criminal ecosystem: financially motivated crews left alone as long as they hit Western targets. Whether you call that state-sponsored or state-aligned matters, because it changes how you defend and how you deter.”
Whatever the precise relationship between criminal groups and the Russian state, both experts agreed that the implications extend well beyond a single manufacturer.
“The part that should worry people is the pattern, not the one carmaker,” Ranjbar said. “Halting a production line imposes real economic cost without a shot being fired, so manufacturing and automotive are now strategic targets.”
Reynolds echoed that warning, arguing the attack demonstrates how commercial organisations increasingly find themselves on the front line of geopolitical competition.
“The implication for business is the one that should concern us all,” he said. “JLR is a car manufacturer, not a defence contractor. If the threshold for economic targeting is now ‘country that supports Ukraine’, the attack surface is every significant British employer, as well as their suppliers.”








