Documents on UK-US trade talks, leaked before the 2019 election, were stolen from the personal email account of Tory MP Liam Fox, the BBC understands.
Sources revealed on Monday that the papers had come from the former minister’s account, but not which address the hackers had targeted.
The papers were published online and used by Labour in the 2019 campaign to claim the NHS would be put at risk.
It is not clear that Mr Fox’s use of a personal account was a breach of rules.
Cabinet Office advice published in 2013 says MPs are provided with access to government email systems, but “other forms of electronic communication may be used in the course of conducting government business”.
A criminal inquiry into the leaking of the documents is under way, being led by the National Crime Agency.
The BBC understands the investigation has been underway since at least the end of last year.
The UK government has said Russians almost certainly sought to interfere in the election through the documents.
A spokesman for the National Crime Agency confirmed it was leading the investigation, but added he could not comment further.
Mr Fox was international trade secretary from July 2016 to July 2019.
Last month, he was nominated as the UK government’s choice to lead the World Trade Organisation, although the new director general has yet to be named.
Reuters, which first reported the story on Monday, said hackers accessed Mr Fox’s account multiple times between 12 July and 21 October last year.
On Tuesday, a source told the BBC’s Gordon Corera the documents had been stolen from Mr Fox’s personal account.
Reuters has reported that the entire contents of Mr Fox’s account was taken.
Responding to Monday’s story, a government spokesperson said: “There is an ongoing criminal investigation into how the documents were acquired, and it would be inappropriate to comment further at this point.
“But as you would expect, the government has very robust systems in place to protect the IT systems of officials and staff.”
Last month, Foreign Secretary Dominic Raab said the government had “reasonable confidence” that Russian actors had tried to interfere in the December 2019 general election.
He told the BBC they had sought to “spread online, illegally obtained, leaked government documents” around the UK-US trade negotiations for after the country leaves the EU.
Mr Raab said the government would “reserve the right to take the appropriate action” when the criminal investigation concluded.
The UK government was later criticised in a report from the Intelligence and Security Committee – known as the “Russia report” – for having “badly underestimated” the threat the country posed.
The mystery of the “trade leaks” is slowly being revealed – though still not completely.
The 2019 general election now looks like it was the target of what is known a “hack and leak” operation, similar – though not on the same scale – as the one Russian military intelligence launched in the 2016 US presidential election.
Last month, the government said it believed Russian actors were responsible for spreading the trade document on social media. But there was still the question of how it was first obtained.
Now, we know it came from a hack of an email account belonging to Liam Fox.
The exact identity of the Russian group behind the attack remains murky.
Whether it was the same group which then spread the document is unclear and that group (codenamed Secondary Infektion) is not thought to be the same as the one behind events in the US election, which had a larger impact.
Hackers from many countries have targeted politicians in recent years. But coming soon after the Russia report, this will serve as a reminder that groups based in Russia are often the most adept at not just stealing, but also using, the information.
Responding to reports of the hack on Mr Fox’s email, a spokesperson for the National Cyber Security Centre said on Monday, it works closely with MPs and political parties to offer them “the best cyber security guidance and support.”
“We have worked closely with political parties for several years on how to protect and defend against cyber attacks – including publishing advice on our website.
“There is an ongoing criminal investigation and it would be inappropriate to comment further at this stage.”