NCSC CEO: Hostile states linked to three-quarters of cyber attacks affecting UK's critical systems
The NCSC CEO reported that approximately 75% of the 200+ cyber incidents affecting UK critical national infrastructure over the past year were linked to hostile state actors such as Russia, China, and Iran. The NCSC warns that unpatched legacy systems pose a severe risk, particularly as AI-enabled cyber capabilities are projected to accelerate the exploitation of known vulnerabilities at scale by 2028.
What Happened
The head of the UK's National Cyber Security Centre (NCSC) announced that hostile states such as Russia, China, and Iran are linked to three-quarters of recent cyber attacks on the UK's critical infrastructure. These attacks target the essential services that keep the country running. This matters because vulnerabilities left unfixed today could be exploited in future conflicts, and artificial intelligence is expected to make such attacks faster and more widespread. Organizations should urgently improve their basic security practices, understand their exposure, and prepare to recover quickly from incidents.
Key Takeaways
- Hostile states, including Russia, China, and Iran, are linked to approximately 75% of cyber attacks on UK critical national infrastructure.
- The NCSC managed over 200 cyber incidents affecting UK critical systems and their supporting ecosystems in the year leading up to May 2026.
- Advances in artificial intelligence are expected to accelerate cyber threats, with AI-enabled capabilities likely exploiting known vulnerabilities in legacy tech at scale by 2028.
- Organizations are urged to strengthen cyber resilience by understanding threat exposure, implementing security fundamentals, and ensuring rapid recovery capabilities.
Affected Systems
- UK Critical National Infrastructure (CNI)
- Legacy technology
Attack Chain
The article does not detail a specific attack chain. It provides a strategic overview of state-sponsored threats targeting UK critical national infrastructure, highlighting the future risk of adversaries using AI-enabled capabilities to exploit known vulnerabilities in legacy systems at scale.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article is a strategic policy speech and does not provide technical detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: None. The article is a strategic overview and does not contain technical details or specific malware behaviors that an EDR would detect.
- Network Visibility: None. No network indicators, infrastructure, or specific C2 protocols are discussed.
- Detection Difficulty: Very Hard. No actionable technical indicators or specific TTPs are provided to build detections upon.
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Hunt for exploitation attempts against known vulnerabilities in legacy, internet-facing systems, which the speech highlights as prime targets for state-sponsored actors. Because generic exploit-pattern matching is noisy, pair WAF/NIDS hits with vulnerability scanner findings for the targeted host so that attempts against assets with a known, unpatched weakness rise to the top. | Web application firewall (WAF) logs, vulnerability scanner reports, and network intrusion detection system (NIDS) alerts. | Initial Access | High |
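The hypothesis above can be turned into a concrete hunt by joining two of the listed telemetry sources: WAF or reverse-proxy logs (who is throwing exploit-looking requests at which host) and a vulnerability scanner export (which internet-facing hosts still carry a known, publicly exploitable finding, and for how long). The script below is an added example, not code from the article or from the NCSC; the asset inventory, scanner findings, host names, IP addresses and log lines are all constructed for illustration, and the exploit-pattern list is a small illustrative set rather than a production signature library.

```python
"""Hunt: exploitation attempts against internet-facing legacy assets.

Correlates constructed WAF log lines with a constructed vulnerability
scanner export. Requests that look like exploitation attempts get priority
"high" when the target host is internet-facing and has an open finding with a
public exploit, and "review" otherwise (the high-FP bucket the hypothesis
warns about). All data below is sample data, not real telemetry.
"""
import csv
import io
import re
from datetime import date

# Constructed asset inventory (hypothetical hosts and addresses).
ASSETS = {
    "10.0.5.12": {"name": "legacy-portal-01", "internet_facing": True, "eol": True},
    "10.0.5.40": {"name": "api-gw-02", "internet_facing": True, "eol": False},
    "10.0.9.7": {"name": "hr-intranet", "internet_facing": False, "eol": True},
}

# Constructed vulnerability scanner export (finding names are hypothetical).
SCAN_FINDINGS = """\
host,finding,severity,first_seen,exploit_public
10.0.5.12,Outdated web framework with known RCE,critical,2025-11-02,true
10.0.5.12,TLS 1.0 enabled,medium,2025-11-02,false
10.0.5.40,Missing HSTS header,low,2026-01-15,false
10.0.9.7,Outdated web framework with known RCE,critical,2025-12-20,true
"""

# Constructed WAF / reverse-proxy log lines (combined-log style plus dst/action).
WAF_LOG = """\
203.0.113.5 - - [03/May/2026:10:14:22 +0000] "GET /index.html HTTP/1.1" 200 1043 dst=10.0.5.12 action=allow
203.0.113.5 - - [03/May/2026:10:14:23 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 403 0 dst=10.0.5.12 action=block
198.51.100.77 - - [03/May/2026:10:20:01 +0000] "POST /api/v1/login HTTP/1.1" 200 512 dst=10.0.5.40 action=allow
198.51.100.77 - - [03/May/2026:10:20:05 +0000] "GET /cgi-bin/test.cgi?cmd=%3Bid HTTP/1.1" 403 0 dst=10.0.5.40 action=block
203.0.113.5 - - [03/May/2026:10:21:40 +0000] "GET /setup/upload.php HTTP/1.1" 404 0 dst=10.0.5.12 action=allow
"""

# Reference date for "days open" so the example is deterministic (assumed).
AS_OF = date(2026, 5, 3)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \d+ dst=(?P<dst>\S+) action=(?P<action>\w+)$"
)

# Illustrative request patterns typical of exploitation attempts against web
# applications (traversal, CGI abuse, command-injection separators). Not a
# complete signature set; extend from your own vulnerability data.
EXPLOIT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\.\./", r"%2e%2e", r"/etc/passwd", r"/cgi-bin/", r"(%3b|;|%7c|\|)", r"\$\{")
]


def load_exposed_hosts(findings_csv, assets, as_of):
    """Return {ip: {...}} for internet-facing hosts with a public-exploit finding."""
    exposed = {}
    for row in csv.DictReader(io.StringIO(findings_csv)):
        asset = assets.get(row["host"])
        if not asset or not asset["internet_facing"]:
            continue  # internal hosts are out of scope for this hunt
        if row["exploit_public"].strip().lower() != "true":
            continue
        days_open = (as_of - date.fromisoformat(row["first_seen"])).days
        entry = exposed.setdefault(
            row["host"], {"name": asset["name"], "eol": asset["eol"], "findings": []}
        )
        entry["findings"].append((row["finding"], row["severity"], days_open))
    return exposed


def parse_waf_log(text):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_exploit_attempt(rec):
    """A WAF block or a request path matching an exploit-style pattern."""
    return rec["action"] == "block" or any(p.search(rec["path"]) for p in EXPLOIT_PATTERNS)


def hunt(waf_log, findings_csv, assets, as_of):
    """Return alerts sorted so attempts against exposed legacy hosts come first."""
    exposed = load_exposed_hosts(findings_csv, assets, as_of)
    alerts = []
    for rec in parse_waf_log(waf_log):
        if not is_exploit_attempt(rec):
            continue
        target = exposed.get(rec["dst"])
        alerts.append({
            "src": rec["src"],
            "dst": rec["dst"],
            "host": target["name"] if target else assets.get(rec["dst"], {}).get("name"),
            "path": rec["path"],
            "priority": "high" if target else "review",
            "eol": bool(target and target["eol"]),
            "findings": [f[0] for f in target["findings"]] if target else [],
            "days_open": max(f[2] for f in target["findings"]) if target else None,
        })
    alerts.sort(key=lambda a: (a["priority"] != "high", a["src"], a["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in hunt(WAF_LOG, SCAN_FINDINGS, ASSETS, AS_OF):
        print(alert)
```

On the constructed data the traversal attempt against the end-of-life portal is reported as "high" with the finding that has been open for 182 days, while the CGI probe against the patched gateway lands in "review"; that split is the point of the join, since the raw pattern matches alone would have produced two equally weighted alerts.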
Control Gaps
- Unpatched legacy technology
- Lack of basic security fundamentals
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate your organization's exposure to known vulnerabilities, particularly in legacy systems supporting critical operations.
Infrastructure Hardening
- Consider accelerating patch management cycles for internet-facing legacy technology.
- Evaluate whether security fundamentals are consistently applied across all environments, including IT and OT networks.
User Protection
- Ensure incident recovery plans are tested and updated to minimize downtime in the event of a successful attack.
Security Awareness
- Consider incorporating the risks of state-sponsored targeting and AI-enabled threats into executive and board-level security briefings.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application