In 2024, the UK National Cyber Security Centre issued over 500 notifications to UK organizations about cyber incidents – double the number recorded in 2023
# Incident Report: Escalating Cyber Threats and NCSC Response in the UK
## Executive Summary
The UK's NCSC reported a significant escalation in cyber threats over the past year, evidenced by a substantial increase in incident reports requiring intervention (1957 total reports, 430 interventions). Ransomware remained the most pervasive threat, causing major disruption, notably impacting the NHS through incidents like the Synnovis attack. Nation-state activity also increased in frequency and severity, prompting the NCSC to urge organizations to drastically improve cyber defenses and move beyond treating security as mere compliance.
## Incident Details
- Discovery Date: Reporting published on December 3 of the current review year (referencing activity over the preceding year).
- Incident Date: Over the past year (as detailed in the NCSC Annual Review).
- Affected Organization: Includes numerous UK organizations, public bodies, and critical infrastructure sectors (Academia, Manufacturing, IT, Legal, Charities, Construction, and NHS Trusts).
- Sector: All major sectors, with specific focus on Critical National Infrastructure (CNI).
- Geography: United Kingdom.
## Timeline of Events
### Initial Access
- Date/Time: Throughout the reported year.
- Vector: Exploitation of known vulnerabilities (e.g., **CVE-2023-20198** in Cisco IOS XE and **CVE-2024-3400** in Palo Alto Networks PAN-OS); third-party MFA compromise leading to incidents like the British Library attack; and general pre-ransomware activity.
- Details: Nation-state actors increasingly inspire/direct non-state actors to target UK CNI.
### Lateral Movement
- Details: Implied through the nature of the nationally significant incidents managed by the IM team (e.g., ransomware spreading across NHS trusts following initial access).
### Data Exfiltration/Impact
- Impact: Operational disruption (e.g., thousands of procedures canceled during the Synnovis NHS data breach). Data types compromised include sensitive patient data. The overall impact severity, particularly concerning nation-state attacks, is increasing.
### Detection & Response
- Detection: NCSC Incident Management (IM) team received 1957 reports and intervened in 430 incidents. The Early Warning service issued approximately 12,000 alerts about vulnerable services.
- Response Actions: IM team managed 20 NCSC-managed ransomware incidents (13 nationally significant). Issued 542 bespoke notifications to affected organizations. Coordinated joint guidance on 'ransom discipline' with the ICO. International coordination via the Counter Ransomware Initiative (CRI).
## Attack Methodology
- Initial Access: Exploitation of unpatched zero-days (Cisco, Palo Alto), direct infiltration, or third-party supply chain compromise.
- Persistence: Not explicitly detailed, but required for successful ransomware deployment and nation-state targeting.
- Privilege Escalation: Not explicitly detailed, but necessary for achieving significant impact in CNI attacks.
- Defense Evasion: Implied by the success of state-aligned non-state actors operating outside formal state direction, which blurs attribution.
- Credential Access: Not explicitly detailed, but likely a component of ransomware campaigns.
- Discovery: Not explicitly detailed.
- Lateral Movement: Implied by multi-trust impact following initial attacks (e.g., NHS incidents).
- Collection: Implied by data extortion demands common in ransomware incidents.
- Exfiltration: Implied in incidents resulting in data breaches (e.g., Synnovis).
- Impact: Deployment of destructive malware (Russia-aligned activity), operational shutdown (ransomware), and disruption of CNI.
## Impact Assessment
- Financial: Not explicitly quantified, but inferred to be significant given the scale of disruption to the NHS and critical sectors, and the cyber insurance claim statistics reported for Cyber Essentials adopters.
- Data Breach: Sensitive patient data confirmed compromised (Synnovis). Compromise targeting democratic institutions also noted.
- Operational: Severe disruption noted, including the halting of thousands of medical procedures due to ransomware attacks on healthcare providers.
- Reputational: Significant pressure on affected organizations and the government to improve national resilience.
## Indicators of Compromise
- Network Indicators (Defanged):
  - Activity associated with known nation-state actors targeting CNI, including Russian-aligned and China state-affiliated groups (Volt Typhoon).
- File Indicators: Not specified in the summary.
- Behavioral Indicators:
  - Significant increase in pre-ransomware activity reports (317 incidents).
  - Exploitation of specific CISA/NCSC-identified CVEs.
## Response Actions
- Containment Measures: NCSC IM team intervention in 430 incidents; issuance of 542 bespoke notifications guiding organizations.
- Eradication Steps: Not explicitly detailed beyond managing the active incidents.
- Recovery Actions: Support provided to NHS trusts and other affected entities to regain operational status post-ransomware.
## Lessons Learned
- The gap is widening between the scale of cyber threats faced and the current level of defense readiness across UK organizations.
- Most organizations (public and private) are underestimating current cyber threats.
- Cyber security must transition from being viewed as a compliance burden to an essential business investment and a driver for growth.
- Resilience in critical infrastructure and supply chains requires urgent improvement.
## Recommendations
- Improve adoption of proven security frameworks; NCSC will focus on translating existing guidance into practical implementation.
- Drive up the adoption of the 'Cyber Essentials' scheme, as adopters are 92% less likely to file cyber insurance claims.
- Increase the pace of defensive measures to stay ahead of rapidly evolving adversaries, especially nation-state actors.
- Enhance collaboration between government agencies, industry, and the public sector.