
Cyber Threat Actor: Storm 1849

Actor Type: Spy
Location: China
Known Incidents: 4 incidents
Profile

Storm 1849 is a threat actor known by that alias and is linked to operations originating from China. Observed activity shows the group targeting United Kingdom government departments, retail enterprises, and automotive manufacturers. In these intrusions, Storm 1849 has accessed confidential government files, including visa‑related information, indicating an espionage‑oriented objective. The actor has also disrupted business operations, such as suspending online retail sales and stopping vehicle assembly lines, demonstrating a disruptive intent. These patterns suggest the group pursues both intelligence collection and operational impact as part of its activity. No public description of its internal structure, size, or financing has been provided in the cited sources.

Public reporting ties Storm 1849 to a December 2025 incident where UK government systems were breached and thousands of Foreign Office documents, potentially containing visa data, were accessed, with authorities judging the risk to personal data as fairly low. An earlier October 2025 compromise of UK government networks was also attributed to the group, described as a technical issue that was quickly contained while investigations remained ongoing. In the same month, Marks & Spencer disclosed a cyber attack that forced the suspension of online orders for six weeks, a disruption noted alongside the government breach. Jaguar Land Rover experienced a September 2025 cyber incident that halted production, contributing to a pre‑tax loss of nearly £500 million for the second quarter and £134 million for the first half before operations resumed. While officials have connected these events to a China‑linked actor, they have explicitly stated they cannot confirm a direct relationship with the Chinese state. Consequently, Storm 1849 is publicly recognized as a China‑associated group whose observed campaigns have combined espionage‑style data gathering with disruptive attacks on UK‑based targets.

Incidents
4 incidents
Sources
0 sources