Staying in the race

By rotide
Created 12/03/2025 - 07:52
By the NCSC, taken from its annual review of the cyber security landscape published in December 24, highlighting key events and increasing threats that impacted UK business in 2024 and will continue to do so in 2025.

Organisations must step up their cyber resilience to protect the UK's economic wellbeing and critical national infrastructure.

Every year, the cyber threat landscape grows more complex. In 2024 it is best characterised as ‘diffuse and dangerous’. We face a spectrum of threats where persistent activity by capable hostile states compounds the acute challenges posed by organised crime.

The number of cyber incidents is increasing, as is the impact of those incidents. Ransomware attacks, network intrusions, cyber espionage and theft of intellectual property are all commonplace. These have significant consequences for our economic and national security, as well as personal and professional costs for individuals.

Our collective ability to defend against cyber attacks - and to be resilient enough to remain operational when attacks do get through - has not kept up with the threat. The UK's national cyber resilience is under pressure, and organisations are not taking the measures needed to defend themselves, despite the widespread availability of advice, expertise and guidance.

The NCSC believes that the severity of the threat facing the UK is - worryingly - underestimated by organisations from all sectors. Right across the country, basic cyber security practices are too often ignored. Mass adoption of these measures remains the best way to defend, respond, and recover. But it must happen now.

Advances in cyber intrusion technologies

Ransomware continues to be the most significant, serious and organised cyber crime threat faced by the UK, with global ransomware payments in 2023 topping $1 billion. Critically, the cyber criminals behind ransomware continue to mostly operate from foreign jurisdictions that refuse to take action against them, providing a permissive and enabling environment for these groups.   

The commercial proliferation of advanced cyber intrusion tools against an increasing range of devices will almost certainly be transformational in the years ahead. There is now a global, skilled, commercial cyber intrusion sector. This proliferation of cyber tools, combined with advances in technology, is lowering the barriers to entry and putting sophisticated tradecraft in the hands of a far wider range of relatively unskilled actors. This enables actors to access cost-effective capabilities and intelligence that would otherwise take decades to develop. It will no longer just be states buying a few high-end, off-the-shelf products; by 2030, a cyber intrusion ecosystem will be available, putting surveillance, espionage, and possibly even effects capabilities into the hands of new actors. 

This hugely increases the scale and scope of global threat actors, and with it the number of attacks to defend against (and risks to mitigate). The diffusion of previously high-end tradecraft is also making it harder for defenders to establish with a high level of certainty who might be behind attacks. All this is happening against a backdrop of an expanding attack surface, where opportunities for bad actors increase at scale as our dependence on technology grows, our supply chains become more complex, and more services and data move to the cloud.  

The complexity of the threat landscape is also almost certain to intensify with the use of AI technology. States that can develop an advanced sovereign AI capability will pose a cyber threat of real scale and sophistication. Publicly available models will continue to make all types of threat actors more efficient and effective, exacerbating the challenges of defence and response. AI will also almost certainly enhance actors' abilities to extract intelligence value out of exfiltrated data. And so, as more data is stolen and systems are compromised, state and non-state proxy actors use this stolen data to generate information campaigns in support of their wider competitive goals.

Geopolitics as a driver of cyber threat

On top of a more complex picture of actors, the overall cyber threat is amplified by geopolitical risks from global conflicts.  Through the last year, we have repeatedly seen heightened use of cyber activity in areas of wider competing influence around conflict zones. In direct conflict, Russia has routinely deployed wiper malware to delete data from inside Ukrainian government and critical national infrastructure to hinder their operation. Additionally, Russia is routinely seeking to compromise the systems of NATO states and aiming to shape the information space globally around Ukraine as it erroneously sees itself in conflict with NATO.   

Autocratic nation states continue to pose a fundamental and persistent threat to the UK by using advanced cyber capability against our most critical sectors, seeking to undermine our society. Highly sophisticated tools, techniques and procedures, including use of covert networks, help to obfuscate the activity of these states, increasing the overall impact of their activities and making it harder to attribute attacks.

The operating environment inside a country can itself be an enabler to state cyber activity. An advanced ecosystem of cyber criminals, hacktivists, data brokers, access brokers and cyber intrusion companies now enables access to data and systems across the globe which can support and benefit nation state aims. While these groups are not always subject to formal or overt state control, this does not lessen states' responsibilities for their actions. 

China remains a highly sophisticated cyber actor, with increasing ambition to project its influence beyond its borders through both cyber and information operations. China state-affiliated actors have routinely sought to gain access to networks across the world that enable their collection of bulk data and follow-on compromises. This includes actively targeting a wide range of networks for espionage, and prepositioning on critical national infrastructure for future disruptive and destructive purposes. Earlier this year, the US stated that China-affiliated actors had compromised networks at multiple telecommunications companies [1] to enable the theft of customer call records data, revealing a broad and significant cyber espionage campaign.

Russia and Iran both engage in hostile cyber activity, not just to degrade, damage and compromise data and systems, but to support or trigger direct physical threat activity, broader espionage, and hybrid warfare activities. These regimes have also looked to encourage a new wave of state-aligned hacktivism. The NCSC has seen a stark increase in the focus on critical national infrastructure systems, as hacktivist groups strike to compromise these systems for political effect and propaganda victories. From the Cyber Army of Russia Reborn to the Islamic Hacking Army, these groups pose an active threat to poorly-defended critical systems far beyond their traditional activities of DDoS attacks, as evidenced by the US advisory in April 2024 on the hacktivist threat to US water facilities. 

North Korea continues to use cyber operations for a range of activities, including the acquisition of digital assets and other operations which result in monetary benefit. This is done in a variety of ways, of which supply chain attacks are one.

The widening gap

There is a widening gap between the increasingly complex threats (outlined above) and our collective defensive capabilities in the UK, particularly around our critical national infrastructure. 

That widening gap will only become more pronounced over time as the scale and capability of cyber actors proliferate, the relationship between state and non-state actors becomes more obfuscated, and states' abilities to understand cyber activity become fraught. It is therefore vital we increase our cyber resilience across the whole of the UK, and that we do so with urgency. Elsewhere in this review, we have outlined what organisations must do, and how they should do it. The NCSC stands ready to help.

Read the full NCSC 2024 review [2] here


Source URL:
https://www.newbusiness.co.uk/articles/it-advice/staying-race