UK NCSC Notes Major Spike in “Nationally Significant” Cyber Incidents

October 17, 2025



“Nationally significant” cyber incidents more than doubled in the past year, according to the UK NCSC’s Annual Review for 2025. The one-year spike is troubling enough on its own, but it reflects an ongoing trend seen since only one incident of high seriousness was logged for the report issued four years ago.

That number is now up to 204 incidents in this category, an increase of 115 from the prior year’s report. In total the NCSC received 1,727 tips on cyber incidents during the report period and logged 429 cases that required intervention by its Incident Management Team, with 18 incidents receiving a more serious classification involving more widespread damage.

Ransomware grabs headlines, but nation-state threat actors also heavily target UK firms

The UK’s big cybersecurity story of the year thus far was the re-emergence of Scattered Spider and its campaign against major retailers and other organizations, eventually revealed to be in partnership with equally notorious criminal hacking group ShinyHunters. But the report cautions that nation-state attackers more focused on espionage and critical infrastructure backdooring are also still heavily targeting the country and responsible for a good deal of these significant incidents.

The two big ones, China and Russia, are both mentioned. A recent spike of new “hacktivists” has been seen out of Russia, assumed to be spurred by the ongoing conflicts in Ukraine and Gaza. China’s Salt Typhoon, infamous for compromising US telephone networks and ISPs, has also been linked to activity in the country targeting a wide range of sectors and institutions. And North Korea’s regime is sending fake IT workers to apply for remote jobs in the hopes of gaining inside access to UK firms.

The throughline for all of these nation-state groups right now is the use of AI as a support and enhancement tool. As recent reports from other sources have indicated, they are not yet significantly innovating with these tools, but they are enhancing the efficiency and effectiveness of existing operations by using LLMs. This includes everything from improving initial spearphishing approaches to data exfiltration and post-breach cover.

UK officials also now believe that this increase in efficiency means even the smallest businesses and organizations have to be prepared for sophisticated attacks and have a recovery plan should they fall victim to cyber incidents; NCSC CEO Richard Horne said that this is now down to the individual small business owner “sitting at their kitchen table” running things.

18 cyber incidents with “highly significant” impact

The good news from the report is that no incidents recorded over the year rose to the level of a “national cyber emergency,” the most serious designation involving loss of life or a major disruption of critical infrastructure. However, 18 cyber incidents in the second most serious category (“highly significant”) is bad news when that number was at just six the year before and virtually did not even exist just two years prior to that.

In terms of non-state-backed cyber criminals, the report notes that attacks have been “sector agnostic” despite the leading headlines being about Scattered Spider’s targeted attacks on retail. That appears to have been a quirk of that particular group, with most threat actors simply homing in on opportunities wherever they find them. Nevertheless, several sectors other than retail did get hit particularly hard by ransomware during the report period: academia, finance, engineering, health and manufacturing.

One of the report’s key takeaways is that a relatively small number of unpatched vulnerabilities are proving to be the source of an outsized number of cyber incidents; 29 of the NCSC intervention incidents came from just three known vulnerabilities. Another is that it is probably now inevitable that AI will have to be deployed defensively to counter AI-powered aggression. At the moment it’s a question of a greater number of attackers moving more efficiently with AI assistance, but soon enough it will likely be a case of AI supercharging vulnerability research and innovative attack development. Finally, as the head of the NCSC noted, sophisticated attacks are now the concern of all types of organizations of all sizes, but those large enough to have boards are very seriously advised to escalate cybersecurity to board-level involvement.