Documents on UK-US trade talks, leaked ahead of the 2019 general election, were stolen from an email account belonging to Conservative MP Liam Fox, it has emerged.
The papers were published online and used by Labour in the 2019 campaign to claim the NHS would be put at risk.
The UK government has said Russians almost certainly sought to interfere in the election through the documents.
A criminal inquiry into the leaking of the documents is under way.
A spokesman for the National Crime Agency confirmed it was leading the investigation, but added he could not comment further.
Mr Fox was international trade secretary from July 2016 to July 2019.
It is not clear when his account was accessed and the information stolen.
Reuters, which first reported the story, said hackers accessed Mr Fox’s account multiple times between 12 July and 21 October last year.
A government spokesperson said: “There is an ongoing criminal investigation into how the documents were acquired, and it would be inappropriate to comment further at this point.
“But as you would expect, the government has very robust systems in place to protect the IT systems of officials and staff.”
Last month, Foreign Secretary Dominic Raab said the government had “reasonable confidence” that Russian actors had tried to interfere in the December 2019 general election.
He told the BBC they had sought to “spread online, illegally obtained, leaked government documents” around the UK-US trade negotiations for after the country leaves the EU.
Mr Raab said the government would “reserve the right to take the appropriate action” when the criminal investigation concluded.
The UK government was later criticised in a report from the Intelligence and Security Committee – known as the “Russia report” – for having “badly underestimated” the threat the country posed.
The mystery of the “trade leaks” is slowly being revealed – though still not completely.
The 2019 general election now looks like it was the target of what is known a “hack and leak” operation, similar – though not on the same scale – as the one Russian military intelligence launched in the 2016 US presidential election.
Last month, the government said it believed Russian actors were responsible for spreading the trade document on social media. But there was still the question of how it was first obtained.
Now, we know it came from a hack of an email account belonging to Liam Fox.
The exact identity of the Russian group behind the attack remains murky.
Whether it was the same group which then spread the document is unclear and that group (codenamed Secondary Infektion) is not thought to be the same as the one behind events in the US election, which had a larger impact.
Hackers from many countries have targeted politicians in recent years. But coming soon after the Russia report, this will serve as a reminder that groups based in Russia are often the most adept at not just stealing, but also using, the information.
Responding to reports of the hack on Mr Fox’s email, a spokesperson for the National Cyber Security Centre said it works closely with MPs and political parties to offer them “the best cyber security guidance and support.”
“We have worked closely with political parties for several years on how to protect and defend against cyber attacks – including publishing advice on our website.
“There is an ongoing criminal investigation and it would be inappropriate to comment further at this stage.”