Russian-linked hackers claim to have stolen and dumped data from eight UK Ministry of Defence sites in what appears to be one of the most serious cyber breaches to hit Britain’s military network in years.
The breach, first reported by the Mail on Sunday, has been claimed by the “Lynx” ransomware gang, a relatively new cybercriminal outfit believed to operate out of Russia that emerged in 2024 as a likely successor to the notorious “INC” ransomware operation.
In a post on its dark web leak site, seen by Resilience Media, the group claims to have quietly exfiltrated “roughly 4TB of data” from eight RAF and Royal Navy bases in September, including RAF Lakenheath in Suffolk, where the US Air Force’s F-35 jets are based.
“Time is running out – you have the opportunity to resolve this matter before inevitable consequences unfold,” Lynx wrote. The allegedly stolen files, which the group has begun to publish, include the personal details of MoD staff such as names, mobile numbers, vehicle registrations, visitor logs from multiple RAF and Royal Navy facilities, and documents marked “Official Sensitive.”
The breach stemmed not from a direct intrusion into the MoD, but through one of its contractors – Shropshire-based Dodd Group, which handles maintenance and construction at a number of defence sites.
Dodd Group didn’t respond to Resilience Media’s questions, but confirmed to the Mail on Sunday that it “recently experienced a ransomware incident whereby an unauthorised third-party gained temporary access to part of our internal systems.”
“We took immediate steps to contain the incident, swiftly secure our systems and engaged a specialist IT forensic firm to investigate what happened. While our forensic investigation is ongoing, we are aware of claims that data taken from our systems have been published online. We are taking these claims extremely seriously and are working hard to validate this.”
Dodd Group didn’t say how it was compromised, how many individuals are affected by the data breach, or whether it has received any communication from the hacker group responsible.
The MoD has confirmed it is “actively investigating the claims that information relating to the MoD has been published on the dark web”.
“To safeguard sensitive operational information, we will not comment any further on the details,” it said in a statement.
Lynx has been linked to a string of high-profile extortion campaigns since mid-2024. Operating on a ransomware-as-a-service model, it typically exfiltrates data before encrypting systems, then threatens to publish or sell the information if victims refuse to pay. Its decision to target an MoD contractor marks a departure from its public pledge not to attack government institutions.
The incident is the latest in a string of damaging cybersecurity setbacks involving the Ministry of Defence. In August, officials confirmed that thousands of Afghans evacuated to the UK under the government’s resettlement scheme had their personal data exposed after an MoD subcontractor was compromised. The year before, another major breach saw the personal details of serving UK military personnel accessed by hackers, prompting a review of the department’s data-handling and supplier oversight.
Together, the incidents underscore the growing risks posed by third-party access within the MoD’s sprawling contractor ecosystem – and the challenge of securing sensitive information across an increasingly digitised defence supply chain.
James Broomhall, senior associate at Grosvenor Law, who regularly handles high-profile matters involving cybercrime and ransomware attacks, told Resilience Media that the incident involving Dodd Group adds to a “concerning trend” of cyberattacks targeting defence contractors.
“Just months ago, Inflite The Jet Centre Ltd suffered a breach that exposed the personal data of nearly 3,700 individuals, including Afghans resettled under the UK’s Afghan Relocations and Assistance Policy. These repeated failures suggest systemic weaknesses in how sensitive data is protected across the MoD’s supply chain,” he said.
“From a legal standpoint, these breaches raise questions about compliance with UK GDPR, particularly around the duty to implement appropriate security measures and report breaches promptly,” Broomhall continued. “Contractors handling personal data on behalf of the government are considered data processors, and both they and the MoD, as the data controller, could face scrutiny from the Information Commissioner’s Office if safeguards were inadequate.”
Alice Christie, a spokesperson for the UK’s Information Commissioner’s Office, told Resilience Media: “We have received a report from Dodd Group in connection to this and are assessing the information provided.” We’ve asked follow up questions and will update this post as we learn more.
The breach comes amid mounting warnings from the National Cyber Security Centre about escalating cyber threats to the UK’s public sector.
Just days before the MoD attack was revealed, the NCSC disclosed that more than 200 cyber incidents had targeted government agencies in 2025 alone – a sharp rise on 89 incidents in 2024. Officials say state-aligned and financially motivated groups are increasingly blurring the line between espionage and extortion, with defence and critical infrastructure now prime targets.
The timing of the Lynx breach will likely reinforce calls for tighter cyber hygiene across government networks and their private-sector partners.
