"There are a lot of good reasons why nation states use criminal tactics when conducting destructive attacks." — Cynthia Kaiser, Halcyon Ransomware Research Center SVP and former FBI cyber deputy director
The core allegation: Russian-linked actors targeted Jaguar Land Rover
A New York Times report published June 26 linked Russian hackers to the destructive breach of Jaguar Land Rover (JLR) last year, citing people close to the investigation. That incident has been estimated to have cost the British economy £1.9bn ($2.5bn), according to the same reporting. Microsoft, which was tracking the Russian activity, raised the alarm with JLR, the report said. The NYT story did not explicitly link the Putin regime itself to the attack; outside experts cited in subsequent coverage, however, made stronger claims about possible Kremlin involvement.
Cynthia Kaiser’s indicators: tactics, timing, and algorithm
Halcyon Ransomware Research Center SVP and former FBI cyber deputy director Cynthia Kaiser laid out why she sees a nation-state nexus in the incident. Kaiser pointed to the lack of a ransom demand, the strike’s timing “just before a new vehicle rollout,” and the use of what she described as novel ransomware with a “mind‑blowing” algorithm. She also noted that JLR’s Land Rover fleet has “strong links to the British royals and military,” arguing that those characteristics fit a destructive operation intended to inflict economic harm rather than generate extortion payments.
Kaiser framed this as a potential tactical choice by a state actor to borrow criminal tradecraft: “There are a lot of good reasons why nation states use criminal tactics when conducting destructive attacks. They are fast, scalable, and highly repeatable. They exploit common weaknesses that exist across nearly every critical infrastructure environment. And critically, they complicate attribution, allowing attackers to operate below traditional response thresholds.”
No ransom demand: Pete Chronis and the sabotage argument
Former Paramount CISO and current venture-capital partner Pete Chronis reinforced that line of reasoning in a LinkedIn post. Chronis observed that “when JLR got hacked, nobody asked for money,” and argued that ransomware operators typically seek a payout; by contrast, “Whoever hit JLR didn’t want one. No demand, no negotiation. They just wanted the company on the floor.” Chronis said those facts make the incident read “less like crime and more like sabotage.”
Complicating actors: Scattered Lapsus$ Hunters and the Jordanian hacker “Rey”
Attribution efforts were initially complicated by a claim of responsibility from Scattered Lapsus$ Hunters. That claim followed extortion attacks attributed to Scattered Spider against Marks & Spencer and Co-op Group, adding noise to the investigative picture. The New York Times report also named a Jordanian hacker known as “Rey,” who reportedly breached part of the JLR network independently of the Russians. Those overlapping claims and intrusions have made it harder for investigators to build a single, unambiguous narrative linking one actor to the full scope of the incident.
Ashish Shrestha on response: no social engineering, careful recovery
Ashish Shrestha, CEO of Zyn Global and group CISO of JLR at the time of the attack, told Infosecurity on June 18 that his team considered the attacker “quite sophisticated,” but he did not confirm attribution. Shrestha said that within the first 24 hours the threat actors asked him not to involve law enforcement; he added that he had law enforcement “physically in my world” and that at no time did he or his team reach out to the attackers.
Shrestha also said that no social engineering was involved in the incident, a point that contrasts with earlier reporting, which suggested vishing and impersonation were used to obtain corporate credentials in other intrusions. On recovery, he emphasized caution: JLR’s team took time to ensure adversaries would not be able to conduct a follow-on attack, noting, “Business continuity is not just about coming back, but coming back stronger.”
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Expect attribution complexity when criminal tradecraft is used in destructive operations; novel ransomware and careful timing can change incident response priorities, shifting emphasis from negotiation to containment and long-term resilience.
- Policymakers and regulators: The absence of a ransom demand and the possible economic scale of damage — an estimated £1.9bn ($2.5bn) hit to the British economy and, by one estimate cited by experts, about $350m to the company in its 2026 fiscal year — raise questions about whether and how states should treat criminal-style operations that produce strategic effects.
- Affected enterprises and procurement leaders: The JLR case underscores the risk of destructive effects that are not tied to extortion revenue; vendors and operators may need to prioritize controls and detection that anticipate sabotage-style objectives rather than only monetization-focused attacks.
Experts quoted in coverage of the JLR breach warned that the blending of criminal methods and state objectives is likely to persist. Kaiser concluded by saying adversaries “believe they can stop appropriate reactions from democratic nations by planting seeds of doubt,” and urged a more forward-leaning posture given an expectation that nation states will increasingly adopt criminal tactics for destructive aims. The public record assembled so far links multiple actors and techniques to a high-impact disruption, but it leaves open the central question investigators and policymakers will now have to answer: when a cyber incident looks like crime and reads like sabotage, what threshold of evidence and response will nations adopt?




