The UK National Cyber Security Centre (NCSC) has managed twice as many “nationally significant” cyber incidents from September 2024 to May 2025 as it did in the same period in the previous year.
This figure was revealed by NCSC CEO, Richard Horne, during a keynote at the CYBERUK conference in Manchester, UK. He said the agency has managed more than 200 incidents overall since September 2024, including those that are nationally significant.
The NCSC defines nationally significant cyber events as those with a substantial impact on the UK, including incidents that affect medium-sized organizations or pose a considerable risk to large organizations or local/wider government.
The comments follow a series of suspected ransomware attacks against three major UK retailers – Marks & Spencer, Harrods and Co-op – which have resulted in significant disruption to some operations.
During CYBERUK, Chancellor of the Duchy of Lancaster, Pat McFadden, also highlighted figures from the NCSC’s 2024 Annual Review, which showed the NCSC received almost 2000 reports of cyber-attacks in 2024. Of these, 89 were considered nationally significant, including 12 critical incidents.
That is three times the number of severe attacks compared to 2023.
Nation-State Actors Operate in the “Grey Zone”
Horne warned that hostile nation-states are conducting daily cyber operations in the “grey zone” – the space between peace and war. Cyber-attacks enable nation-states “plausible deniability” in conducting disruptive attacks on critical national infrastructure.
He said that China represents the biggest threat to the UK in the cyber realm.
“The Chinese Communist Party’s strategic approach to capability, legislation and data, means they have a whole – vast – ecosystem, entirely at their disposal,” Horne commented.
He also emphasized the significant threat posed by Russia, with the Kremlin’s cyber espionage activity expected to exacerbate as a ceasefire agreement gets closer with Ukraine. This is to gain a strategic advantage in its negotiation strategy.
Additionally, UK security services have observed a “direct connection” between Russian cyber-attacks and physical threats in the UK.
“These threats are manifesting on the streets of the UK, against our industries and our businesses, putting lives, critical services and national security at risk,” Horne noted.
Discussing the growing link between cyber and physical attacks during a press briefing at CYBERUK, Horne explained that we are seeing this more “blended” approach from threat actors beyond Russia.
“Cyber can give you reconnaissance, the ability to target physical threats – that’s very much a theme we’re seeing develop,” he said.
When asked about nation-state threats outside of the main four – Russia, China, Iran and North Korea – Paul Chichester, NCSC Director of Operations, confirmed in a briefing that “there are other state threats out there.”
However, no attacks in the UK to date have been formally attributed to any other nations.
Ransomware Poses a Persistent Threat
Horne also highlighted the persistent threat posed by ransomware, and the importance of the Home Office’s proposed ban on public sector and critical infrastructure organizations making ransomware payments.
“We must see a future together where paying ransoms is no longer considered an option, where the business model for the attackers no longer works,” Horne said.
“The recent Home Office consultation on ransomware was an important step on that journey,” he added.
Horne described ransomware as “probably the most pressing threat” we are seeing across the UK.
