Britain’s Ministry of Defence is investigating claims that Russian hackers stole hundreds of sensitive documents about eight Royal Air Force and Royal Navy bases — plus Ministry of Defence staff names and emails — and posted them on the dark web, first reported by the Daily Mail on Sunday. According to reports, the cache includes references to RAF Lakenheath in Suffolk, where U.S. Air Force F-35 jets are based.
Download the SAN app today to stay up-to-date with Unbiased. Straight Facts™.
Point phone camera here
According to the Mail on Sunday, attackers breached property contractor Dodd Group, providing an entry point into MoD-related data. Dodd Group confirmed it “experienced a ransomware incident whereby an unauthorised third-party gained temporary access to part of our internal systems” and said it took “immediate steps” to contain the breach and hired a specialist forensic firm, according to BBC News.
Overview of what’s in the leak
SAN’s review of the posted dumps shows the group calling itself “Lynx Ransomware” claiming a financially driven model that prefers “dialogue and resolution” and says it avoids targets like governments, hospitals and nonprofits, according to a statement packaged with the files.
What’s been posted so far
Three of four planned releases appear online, labeled as customer data, contracts and confidential materials.
Key items identified
– Monthly and quarterly customer reports dating back to 2024 (e.g., Birmingham, Cambridge, Norwich, Plymouth, Solihull Community Housing, Warwickshire).
– Fleet and fuel data, including vehicle details, fuel-card numbers and other sensitive driver information.
– “Abusive Behaviour Reports” tied to Dodd projects.
– Internal blueprint directory sets such as CAD_Projects, CAD Standards, and accounts.
– Subcontractor orders and regional project folders.
– A file titled “Status of RAF Base Pass Applications.”
– Restricted RAF Lakenheath area maps.
– Technical schematics and site drawings, including base lighting and energy grid layouts.
Verification note
This SAN coverage reflects visible file names, directory labels and accompanying statements in the posted materials. SAN is not republishing personal identifiers or fuel-card data and cannot independently verify completeness beyond the items reviewed.
What officials and experts are saying
The ministry said that it is “actively investigating claims that information relating to the MoD has been published on the dark web” and would not comment further “to safeguard sensitive operational information,” according to statements reported by The Times
The Mail on Sunday quoted former Intelligence Corps officer Col. Phil Ingram calling the episode a “catastrophic security failure,” while University of Buckingham professor Anthony Glees called it a “massive national security breach.”
David Shrier of the Imperial College Business School told Newsweek the “fact pattern” points to possible human error, such as opening a malicious email or connecting an insecure device.
What the leaked files reportedly contain
The trove includes visitor forms and records for RAF Portreath and RNAS Culdrose, internal email guidance and security instructions that could enable phishing and material tied to RAF Predannack, HMS Raleigh, HMS Drake and RAF St Mawgan.
The paper said the hackers claimed to have extracted roughly 4 terabytes of data and were releasing it in stages after an initial breach on Sept. 23 and a warning that “time is running out.”
Why it matters and what’s next
BBC News and The Times said the probe comes after other high-profile ministry breaches affecting serving personnel and Afghans brought to safety in the U.K. Newsweek noted the report has fueled speculation about aggressive Russian hybrid activity toward NATO members.
Dodd Group said it is “taking these claims extremely seriously,” is in contact with customers and authorities, and is working to validate what was published. The ministry also said it is continuing to investigate.
