Britain handled 204 nationally significant cyberattacks in 2025, more than double the 89 recorded the previous year, as hostile states replaced criminal groups as the primary source of the most serious digital threats facing the UK.
The figures were disclosed by UK Security Minister Dan Jarvis at the CYBERUK conference in Glasgow this week alongside warnings from National Cyber Security Centre chief executive Richard Horne that the country now faces four nationally significant incidents every week. Russia, Iran and China were named as the primary sources of the most damaging attacks, marking a fundamental shift from opportunistic criminal operations towards sustained state-directed campaigns.
The doubling of incident figures reflects what Horne described as “the most seismic geopolitical shift in modern history,” though I find the timing of that assessment convenient for justifying increased defence spending announced alongside the threat briefing.
Nation States Have Replaced Ransomware Groups
“The majority of the nationally significant incidents that my teams are handling now originate directly or indirectly from nation states,” Horne told the conference. While ransomware remains the most common threat across all organisations, the incidents requiring NCSC intervention at national level now predominantly trace back to state actors rather than criminal gangs seeking financial gain.
China’s intelligence and military agencies display “an eye-watering level of sophistication in their cyber operations,” according to Horne, while Iran is “almost certainly using cyber activity to support the repression of British individuals on our streets who are seen as a threat to the regime.” Russia, meanwhile, is applying tactics and techniques developed during its war in Ukraine to targets across Europe with sustained hybrid activity targeting UK and European assets.
The Register reported earlier this year that nation-state attackers “want something far harder to recover than money, your infrastructure, your secrets, your leverage.” You cannot get those back with a wire transfer.
Nordic Infrastructure Already Under Attack
Swedish, Polish, Danish and Norwegian authorities have all warned in recent months that Russian-linked hackers have targeted critical infrastructure including power plants and dams. Sweden specifically reported that pro-Russian hackers attempted to breach a thermal power plant in April while The Record from Recorded Future News documented similar targeting across Nordic energy infrastructure.
The NCSC published a technical advisory this month warning that Russia’s GRU military intelligence agency has been compromising home and small office routers to redirect internet traffic through servers under their control enabling credential interception and network mapping for further targeting. The advisory represents one of the clearest recent examples of Russian cyber infrastructure preparation that extends well beyond Ukraine’s borders.
Government Introduces Board-Level Responsibility Requirements
Alongside the threat assessment, Security Minister Dan Jarvis announced a £90 million investment package and a new Cyber Resilience Pledge that the government will ask major organisations to sign this summer. The pledge commits organisations to treat cybersecurity as a board-level responsibility rather than an operational IT function.
The board-level framing is deliberate. High-profile incidents over the past two years have repeatedly exposed the gap between how executive teams perceive their cyber exposure and the actual risk their organisations carry. The government’s position is that closing that gap requires ownership at the top, not just increased technical spending.
Organisations that continue to view cybersecurity as an outsourced operational concern rather than a strategic business risk are poorly positioned for an environment where state actors are targeting infrastructure for strategic rather than financial objectives. As The Register noted in its analysis, “You don’t get those back with a wire transfer.”
References
- UK cyber agency handling four major incidents a week as nation-state attacks surge
- UK Says Iran, China Drive Regular Significant Cyberattacks
- Cheapskate cyber strategy won’t stop Beijing’s finest
- Most serious cyberattacks against the UK now from Russia, Iran and China
- Most serious cyberattacks against the UK now from Russia, Iran and China
This post is also available in:
Svenska
Related News
North Korean Hackers Hijacked Axios Package for 100 Million Users
North Korean state hackers compromised the Axios npm package on 31 March 2026, inserting a cross-platform remote access trojan into one of JavaScript's most widely…
April 22, 2026 
CISA Updates Akira Advisory as Ransomware Earns $244 Million
CISA issued an updated joint advisory on Akira ransomware on 13 November, warning that the group has claimed $244 million in ransom payments since March…
April 3, 2026 