Rogue state-aligned actors are most critical cyber threat to UK

The UK’s critical national infrastructure (CNI) faces an “enduring and significant” threat from state-aligned threat actors aggressively ramping up activity, and must work more closely with allies and industry in countering “epoch-defining” cyber challenges, says the UK’s National Cyber Security Centre (NCSC).

In its latest annual review, published today, covering the period from 1 September 2022 to 31 August 2023, the NCSC highlighted the increasingly unpredictable threat landscape, looking back on a year that will be long-remembered as one of geopolitical chaos in which tools containing elements of artificial intelligence (AI) entered the mainstream consciousness.

The NCSC warned that the UK needs to speed up its work to keep pace with these changing threats, particularly in terms of enhancing cyber resilience in industries such as energy and water supply, communications, logistics and transport, and financial services.

“The last year has seen a significant evolution in the cyber threat to the UK – not least because of Russia’s ongoing invasion of Ukraine, but also from the availability and capability of emerging tech,” said NCSC CEO Lindy Cameron.

“As our annual review shows, the NCSC and our partners have supported government, the public and private sectors, citizens, and organisations of all sizes across the UK to raise awareness of the cyber threats and improve our collective resilience,” she added.

“Beyond the present challenges, we are very aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities. We are committed to facing those head-on and keeping the UK at the forefront of cyber security.” 

The annual report details the emergence of a “new class” of cyber adversary in the form of state-aligned actors – usually Russian ones – who are ideologically rather than financially motivated.

These groups have become emboldened to act with impunity regardless of whether or not they have Russia’s official backing, and the NCSC said it had “concerns” that these groups have a higher risk appetite than those advanced persistent threat (APT) actors – such as Sandworm – that operate as units of the Russian intelligence and military services.

This makes them a far more dangerous threat because they may seek to attack CNI operators without constraint and without being able to fully understand, or control, the impact of their actions. The consequences of this could be exceptionally severe.

At the same time, Russian APTs continue to advance their goal of weakening and dividing Moscow’s adversaries by interfering in the democratic process using mis- and disinformation and cyber attacks. It is a virtual certainty, said the NCSC, that Russia sought to interfere with the 2019 UK General Election and, five years on, they will repeat the exercise.

Of particular concern next go round will be large language models (LLM), which will almost certainly be used to generate fabricated content and deepfakes before the election, and a developing trend of targeting the email accounts of prominent individuals, as previously reported.

The NCSC has already started work on weaving resilience into the UK’s democratic processes in advance, including the establishment of the Joint Election Security Preparedness unit.

Turning to China, the review detailed continued evidence of China-affiliated cyber actors deploying sophisticated capabilities to pursue Beijing’s objectives, as highlighted earlier in 2023 in disclosures concerning the activity of the group known as Volt Typhoon.

In response to this challenge, the NCSC is renewing its calls for collaboration with allies and industry to develop an enhanced understanding of China’s capabilities and how it is using them not to sow discord like Russia, but in the service of stealing high-tech secrets, among other things.

The lengthy annual review also detailed threats from other hostile nation states, such as Iran and North Korea, and financially motivated cyber crime – the threat of ransomware remaining one of the most acute threats. The NCSC said it had noted the widely reported trend of data extortion attacks, in which no ransomware lockers are deployed, as epitomised by Cl0p’s campaign of cyber attacks orchestrated via the MOVEit file transfer tool.

The NCSC said it saw a jump in cyber attacks reported to it this year, but the volumes that reached the threshold where they might be described as being of national significance were broadly stable.

All told, the NCSC received 2,005 reports of cyber attacks, up 64% on 2021-22, of which 371 were considered serious enough to escalate to its incident management (IM) team, up 5%. Of those, 62 were nationally significant, and four were among the most severe it has ever had to deal with thanks to “sustained disruption” and the victims’ links to CNI.

In turn, the NCSC issued 24.48 million notifications to organisations through its Early Warning service, indicating potential malicious activity on an organisation’s network or exposure to a newly discovered vulnerability. Of those, 258 needed a bespoke response from the IM team.

The highest proportion of incidents to which the IM team responded involved the exploitation of vulnerabilities in public-facing applications. The most widespread vulnerability giving rise to serious incidents during the reporting period was CVE-2023-3519, a remote code execution bug in Citrix NetScaler, from which13 nationally significant incidents arose – 8% of the total.