Russian Hackers Breach Eight UK Military Bases, Leak MoD Data on Dark Web
Russian hackers linked to the Kremlin have targeted eight UK military bases, stealing and publishing sensitive Ministry of Defence (MoD) information on the dark web.
According to British officials, the breach occurred through the Dodd Group, a private maintenance and construction contractor working with the MoD. By infiltrating this third-party network, the attackers reportedly bypassed the Armed Forces’ own cybersecurity defenses, an event described by insiders as “catastrophic.”
The Russian hacking collective Lynx, believed to operate under Moscow’s direction, is suspected of carrying out the attack. Compromised sites include RAF Lakenheath in Suffolk — a base hosting US Air Force F-35 stealth jets and widely believed to store nuclear weapons.
Leaked data included names and email addresses of MoD personnel, which have since appeared on the dark web. The MoD confirmed it is investigating the incident, stating:
“We take a robust and proactive approach to cyber threats that could pose risks to national interests. We are actively investigating claims that information relating to the MoD has been published on the Dark Web.”
The breach comes amid a surge in cyberattacks against UK government and defense systems. The National Cyber Security Centre (NCSC) warned last week that the UK has logged a record 204 major cyber incidents in the past year.
The latest intrusion follows previous Russian-linked operations targeting NATO members. In one recent incident, Russian hackers attempted to compromise a Spanish Air Force plane carrying the country’s defense minister as it flew over Kaliningrad.
Not the First: A Pattern of Russian Cyber Aggression
This latest breach fits a broader pattern of Russian-linked cyber operations targeting Western military and defense institutions. Over the past several years, Kremlin-backed groups such as Lazarus, Sandworm, Fancy Bear (APT28), and Killnet-affiliated collectives have repeatedly probed NATO systems in attempts to exfiltrate data, disrupt operations, and undermine public trust.
In 2024, the UK Ministry of Defence faced a serious payroll data breach affecting more than 272,000 serving personnel and veterans, exposing sensitive financial information and forcing emergency security measures. The same year, during the evacuation of Afghanistan, an MoD email mishap leaked the identities of Afghan interpreters, raising fears of Taliban retaliation and prompting the government to quietly initiate a protection program.
Other NATO members have faced similarly aggressive campaigns. In Spain, Russian threat actors attempted to compromise communications on a Spanish Air Force aircraft carrying Defence Minister Margarita Robles as it transited airspace near Kaliningrad, a bold operation interpreted as a direct warning to NATO officials. In Germany, the Bundestag and military logistics networks have come under repeated attack by APT28, a unit linked to Russian military intelligence (GRU), targeting both political decision-making and battlefield support systems for Ukraine.
The United States has also reported Russian intrusion attempts against defense contractors involved in F-35 fighter programs, satellite networks, and munitions supply chains, aiming to steal advanced weapons schematics or disrupt deployment plans. Joint NATO cyber exercises have since been expanded to include simulated attacks on airbases, command-and-control systems, and transport links, all of which align with the tactics employed in the MoD breach.
These incidents underscore Russia’s continued reliance on cyber warfare as an asymmetric tool, exploiting private contractors, targeting critical logistics, and weaponizing data leaks to project intimidation. The breach at eight UK military sites is not an isolated event, but part of a sustained campaign against the digital backbone of Western defense.

