‘Catastrophic’ attack as Russians hack files on EIGHT MoD bases and post them on the dark web

Russian hackers have stolen hundreds of sensitive military documents containing details of eight RAF and Royal Navy bases as well as Ministry of Defence staff names and emails – and posted them on the dark web, The Mail on Sunday can reveal.

In what has been described as a ‘catastrophic’ security breach, cybercriminals accessed the cache of files by hacking a maintenance and construction contractor used by the MoD.

The ‘gateway’ attack – which targeted third party the Dodd Group – allowed cyber gangsters to circumvent the almost impenetrable cyber defences used by the Armed Forces.

The MoD said it was investigating the enormous data and security breach, believed to have been carried out by Russian group Lynx.
Leaked documents seen by the MoS disclose information about a number of sensitive RAF and Navy bases, including RAF Lakenheath, in Suffolk, where the US Air Force’s F-35 stealth jets are based and their nuclear bombs are believed to be housed.

Other bases include RAF Portreath – a top-secret radar station that forms part of Nato’s air defence network – and RAF Predannack, now home to the UK’s National Drone Hub.

Details of contractors’ names, car registrations and mobile numbers, as well as MoD personnel’s names and email addresses, have also been uploaded. Some documents are marked ‘Controlled’ or ‘Official Sensitive’.

The disclosure follows a warning from the National Cyber Security Centre last week that the number of significant hacking attacks in the UK have reached a record high, with 204 taking place in the year to September.

A former military intelligence officer told the MoS the breach was a ‘catastrophic security failure’ which would cause ‘huge alarm’ in the US.

Colonel Phil Ingram, a former member of the Intelligence Corps who also served in Iraq and the Balkans, added: ‘Any sensitive information, from emails to mobile phone numbers, will be useful to our enemies.

‘This is yet another embarrassing breach of the MoD’s supply chain compromising sensitive data. There doesn’t seem to be a week going by without another MoD-related breach and no sign of accountability.

‘It is likely a reflection on the creaking IT infrastructure the MoD has, its rigid, outdated processes and simple lack of care.’

The information emerged on the dark web after the gang infiltrated the systems of the Dodd Group, a major UK building and maintenance contractor.

The criminals boasted of ‘quietly extracting roughly 4TB [terabytes] of data, including material from secured repositories’, sparking fears that Britain’s adversaries could exploit the information to penetrate defence and government systems.

The Dodd Group’s network was first breached on 23 September, with the hackers issuing a chilling ultimatum: ‘Time is running out – you have the opportunity to resolve this matter before inevitable consequences unfold.’

Since then, the group has begun releasing the stolen material in stages, posting two out of four planned data dumps on the dark web so far.

Within the leaked files, around a thousand documents, are visitor forms for RAF Portreath listing contractors’ and MoD personnel’s data, and visitor records for RNAS Culdrose, one of the Royal Navy’s principal air stations.

Also among the material is internal email guidance and security instructions which could be exploited to craft highly convincing phishing attacks.

There are also files relating to construction group Kier concerning work at RAF Lakenheath, where B61-12 thermonuclear gravity bombs were reportedly delivered in July, and RAF Mildenhall, which also acts as a base for US F-35 fighter squadrons.

Other leaked files include material linked to HMS Raleigh, HMS Drake and RAF St Mawgan.

The Dodd Group, which last year turned over £294 million and made a £53 million gross profit, has also carried out work for the NHS, defence infrastructure and the Duchy of Cornwall, the private estate owned by Prince William.

Experts have cautioned that even seemingly mundane data could help foreign adversaries build intelligence on Britain’s defence infrastructure.

Professor Anthony Glees, a security and defence expert from the University of Buckingham, told The Mail on Sunday: ‘This is a massive national security breach, and it’s a double-headed breach, because it not only is about data of great importance to Britain’s enemies and potential enemies, but it is also an embarrassment to Britain’s allies, in particular the US.’

Lynx is believed to be based in Russia and recruits openly on Russian-speaking underground forums. In line with many Moscow-based cybercrime groups, it avoids targeting organisations in former Soviet states.

Confirming a ‘cyber incident’, a Dodd Group spokesman said ‘limited data’ had been stolen and the company had ‘secured and recovered our systems’.

The MoD said it was ‘actively investigating’ the situation./DailyMall/