National Security News

Russian hackers have breached cyber security at some of the UK’s most sensitive bases

By Sean Rayment

Russian cyber hackers have breached security at some of the country’s most sensitive military bases, including an RAF station where US nuclear weapons are stored.

The Russian group known as Lynx has targeted numerous RAF and Royal Navy bases using a tactic called a “gateway attack”.

The bases whose security was breached include RAF Lakenheath, where the US B61-12 thermonuclear gravity bombs are believed to be housed. Other bases penetrated include RAF Portreath, a top-secret radar station that forms part of NATO’s air defence network, and RAF Predannack, now home to the UK’s National Drone Hub.

Last night a former military intelligence officer told National Security News that the breach was a “catastrophic security failure” which would cause “huge alarm” in the United States.

The security failure came to light after Lynx released a cache of sensitive defence documents on the dark web. The disclosure follows a warning from the National Cyber Security Centre that the number of significant hacking attacks in the UK has reached a record high, with 204 taking place in the year up to September.

Details of the ransomware attack appeared on the dark web after the gang infiltrated the systems of the Dodd Group, a major UK building and maintenance contractor. Targeting contractors in this way is known as a “gateway attack” and is one of the tactics used by hackers to penetrate the security of organisations such as the Ministry of Defence (MoD).

The criminals boasted of “quietly extracting roughly 4TB [terabytes] of data, including material from secured repositories”, sparking fears that Britain’s adversaries could exploit the information to compromise defence and government systems.

Last night Colonel Phil Ingram, a former member of the Intelligence Corps who also served in Iraq and the Balkans, said: “This is a catastrophic security failure. I should imagine that the US will look upon this with huge alarm and will be deeply concerned by this failure. RAF Lakenheath is a US base believed to house nuclear weapons and is where the F-35 stealth jet is based. Any sensitive information, from emails to mobile phone numbers, will be useful to our enemies.”

He added: “This is yet another embarrassing breach of the MoD’s supply chain, compromising sensitive data. There doesn’t seem to be a week that goes by without another MoD-related breach and no sign of accountability. It is likely a reflection of the creaking IT infrastructure the MoD has, its rigid outdated processes and a simple lack of care.”

The Dodd Group’s network was first breached on 23 September, with the hackers issuing a chilling ultimatum: “Time is running out – you have the opportunity to resolve this matter before inevitable consequences unfold.” Since then, the group has begun releasing the stolen material in stages, posting two out of four planned data dumps on the dark web so far.

Among the leaked files, around a thousand documents include visitor forms for RAF Portreath listing contractors’ names, car registrations and mobile numbers, as well as details of Ministry of Defence personnel including names and email addresses. Some documents are marked “Controlled” or “Official Sensitive”.

Other leaked files include visitor records for RNAS Culdrose, one of the Royal Navy’s principal air stations and home to the Merlin Helicopter Force, which conducts anti-submarine warfare, airborne surveillance, carrier strike group support and other maritime helicopter operations. Also among the material is internal email guidance and security instructions which could be exploited to craft highly convincing phishing attacks.

There are also files relating to Kier, the major construction group, concerning work at RAF Lakenheath and RAF Mildenhall in Suffolk, where the US Air Force’s F-35 fighter squadrons are based. In addition, the leaked Dodd Group documents include material linked to HMS Raleigh, the Royal Navy’s training base in Cornwall, HMS Drake, the naval base in Devon, and RAF St Mawgan, a Royal Air Force station also in Cornwall.

Contact information for Lockheed Martin personnel, the defence giant supplying battlefield drones to the British Army, was also among the leaked files, as well as invoices for work the US firm had done at RNAS Culdrose.

The Dodd Group, which last year turned over £294 million and made a £53 million gross profit, has carried out high-profile work across NHS hospitals and defence infrastructure. Experts have cautioned that even seemingly mundane data could help foreign adversaries build intelligence on Britain’s defence assets.

Professor Anthony Glees, a security and defence expert from the University of Buckingham, said: “This is a massive national security breach, and it is a double-headed breach because it not only concerns data of great importance to Britain’s enemies and potential enemies, but it is also an embarrassment to Britain’s allies, in particular the United States of America.

“The government has said we have to have digital ID cards, and it is going out of its way to digitise an increasing amount of our national critical infrastructure, but there is no evidence that it is able to keep this data safe from hackers. The fact that this involves Russian hackers makes it even more serious.”

The Dodd Group also works with the Duchy of Cornwall, the private estate owned by Prince William. Hackers have released email addresses and phone numbers for some Duchy of Cornwall staff members, as well as files containing invoices for Restormel Manor, a Duchy holiday property near Lostwithiel.

Lynx is believed to be based in Russia and is known to recruit members openly on Russian-speaking underground forums. In line with many Moscow-based cybercrime groups, it explicitly avoids targeting organisations in Russia or other former Soviet states.

Cybersecurity expert Rob Pritchard told the Mail on Sunday that while the leaked data might not directly compromise third parties, “it could be used to facilitate future attacks, as it will enable criminals to create very good phishing emails or similar approaches with real context from real projects.”

Confirming a “cyber incident”, a spokesperson for the Dodd Group said: “We recently discovered suspicious activity on our IT systems. We are now aware a criminal group managed to steal some limited data from our systems, which they have published on the dark web.

“We are coordinating with the relevant authorities and caution against anyone seeking to access this stolen data, which could constitute a criminal offence in itself.

“We can confirm that we notified our clients, including the Duchy of Cornwall, at the earliest opportunity and have kept them updated as the investigation into the incident has progressed. We would reiterate that we are continuing our forensic investigation through our specialists CFCR, and the complex analysis of any findings as we receive them remains an ongoing priority.”

He confirmed the company had “successfully secured and recovered our systems, which meant that we were able to minimise operational disruption”.

A Ministry of Defence spokesperson said: “We take a robust and proactive approach to cyber threats that could pose risks to national interests. We are actively investigating claims that information relating to the MoD has been published on the dark web. To safeguard sensitive operational information, we will not comment further on the actions being taken in response.”