UK Cyber Threat Landscape 2025: Key Insights for U.S. Homeland Security
The UK’s National Cyber Security Centre has reported a dramatic 50% increase in highly significant cyber incidents for the third consecutive year, with nearly half of all handled incidents now classified as nationally significant – a stark warning that resonates across the Atlantic for U.S. critical infrastructure defenders.
Executive Summary
The NCSC’s 2025 Annual Review reveals an intensifying cyber threat environment characterized by sophisticated state actors, prolific ransomware operations, and the weaponization of artificial intelligence. The report’s findings have direct implications for U.S. homeland security, particularly concerning shared threats from China, Russia, Iran, and North Korea.
Key Statistics:
- 1,727 incident tips received, resulting in 429 active incidents
- 48% classified as nationally significant (up from previous years)
- 18 incidents categorized as “highly significant”—a 50% year-over-year increase
- Retail, finance, engineering, and manufacturing sectors most heavily targeted by ransomware
State Actor Threats: A Transatlantic Challenge
China: Expanding Cyber Intrusion Capabilities
The NCSC identified China as a “highly sophisticated and capable threat actor” targeting critical networks globally. In August 2025, UK and international partners linked three China-based technology companies to campaigns targeting foreign governments and critical infrastructure—activities overlapping with the Salt Typhoon operation that has also impacted U.S. telecommunications networks.
The report highlights China’s operation of Integrity Technology Group (also known as Flax Typhoon), which managed a botnet of over 260,000 compromised devices worldwide for coordinated cyber attacks.
Russia: Persistent Threat to Western Infrastructure
Russian cyber operations remain focused on Ukraine but increasingly threaten NATO allies. The NCSC documented the proliferation of pro-Russia hacktivist groups targeting UK, European, and U.S. critical national infrastructure in retaliation for Western support of Ukraine. These groups operate with varying degrees of state control, which makes their activities less predictable; their targeting decisions are driven primarily by how vulnerable a victim is rather than by its strategic value.
The report specifically called out Russian military intelligence unit APT28 and the GRU’s continued exploitation of Western technology companies.
Iran and North Korea: Dual-Purpose Operations
Iranian cyber operations concentrate on military and geopolitical objectives related to Middle Eastern conflicts, with the NCSC assessing that threats to UK entities likely extend to U.S. targets. Meanwhile, North Korean cyber actors continue revenue-generation operations targeting cryptocurrency firms and defense industries globally, with UK firms “almost certainly” being targeted by DPRK IT workers disguised as freelance contractors.
Ransomware: The “Most Acute and Pervasive” Threat
High-profile ransomware attacks on major UK retailers including Marks & Spencer, Co-op Group, and Jaguar Land Rover demonstrated the real-world consequences of cyber incidents, with empty shelves serving as “stark reminders” that attacks no longer just affect computers and data but real business operations and lives.
Co-op, Marks & Spencer, and Synnovis: Impact Breakdown
- Co-op: multi-stage attack confirmed by the NCSC and the National Crime Agency
- Co-op: data of all 6.5 million members stolen
- Marks & Spencer: estimated costs to the retailer and its insurers exceeded £300 million
- Synnovis: the healthcare provider incident resulted in £32.7 million in costs and at least one patient death
The report emphasizes that cyber criminals are sector-agnostic, selecting victims based on:
- Likelihood of ransom payment
- Vulnerability to operational downtime
- Possession of sensitive data that could cause significant harm if leaked
AI as a Force Multiplier for Adversaries
The NCSC confirms that threat actors are leveraging AI to enhance existing tactics rather than create novel attacks. State actors from China, Russia, Iran, and North Korea are using large language models for:
- Evading detection mechanisms
- Supporting reconnaissance operations
- Processing exfiltrated data
- Social engineering campaigns
- Vulnerability research and exploit development
The most significant near-term threat identified is AI-assisted vulnerability research and exploit development, enabling faster discovery and weaponization of software flaws.
Critical Infrastructure Vulnerabilities
The report acknowledges a “widening gap” between threats to critical national infrastructure and the ability of operators to defend against them. Three specific CVEs were associated with 29 managed incidents:
- CVE-2025-53770 (Microsoft SharePoint)
- CVE-2025-0282 (Ivanti Connect Secure)
- CVE-2024-47575 (Fortinet FortiManager)
The NCSC emphasizes that legacy system vulnerabilities continue to be exploited at scale, with organizations failing to implement basic cyber hygiene measures despite the availability of protective tools and guidance.
Cyber Governance: A Boardroom Imperative
In a direct message to organizational leadership, NCSC CEO Richard Horne stated: “For too long, cyber security has been regarded as an issue predominantly for technical staff. This must change. All business leaders need to take responsibility for their organisation’s cyber resilience.”
The report introduces the Cyber Governance Code of Practice and accompanying training program, emphasizing that cyber risk must be translated into business risk terms that boards can understand and act upon—affecting share price, customer trust, and regulatory standing.
Active Defense at Scale
The NCSC’s Active Cyber Defence initiatives demonstrate the value of automated, large-scale protective measures:
- Early Warning Service: 13,178 organizations enrolled; 316,343 alerts sent
- Takedown Service: 1.2 million phishing campaigns removed; 50% taken down within one hour
- Share and Defend: Blocked millions of attempts to access known scam websites
- Protective DNS for Schools: Over 13,000 schools protected
These services operate automatically once organizations register, providing protection without requiring direct interaction—a model potentially applicable to U.S. critical infrastructure protection.
Post-Quantum Cryptography: Preparing for Tomorrow’s Threats
The NCSC published a three-phase timeline for organizations to transition to quantum-resistant encryption methods by 2035, recognizing that adversaries may be conducting “harvest now, decrypt later” operations against sensitive encrypted data.
Implications for U.S. Homeland Security
The NCSC’s findings align closely with assessments from U.S. intelligence agencies and CISA, reinforcing that:
- Shared Adversaries: The same state actors threatening UK infrastructure are actively targeting U.S. critical systems
- Ransomware Ubiquity: No sector is immune, and operational impacts extend far beyond the initially compromised organization
- Supply Chain Risk: Third-party compromises, as demonstrated by the Synnovis healthcare incident, can cascade across entire sectors
- Leadership Gap: Cyber security remains inadequately prioritized at board and executive levels despite growing threats
- Legacy Systems: Outdated technology and unpatched vulnerabilities continue to provide easy entry points for adversaries
Recommendations for U.S. Organizations
Drawing from NCSC guidance, U.S. organizations should:
- Implement basic cyber hygiene controls (analogous to CISA’s Cyber Essentials)
- Develop and regularly exercise incident response plans
- Ensure board-level understanding of cyber risk as business risk
- Invest in automated threat detection and response capabilities
- Prioritize vulnerability management, especially for internet-facing systems
- Segment networks to limit the blast radius of potential compromises
- Develop resilient recovery capabilities, including immutable backups
- Plan for “Preparedness for Crisis” scenarios, in which threat levels escalate rapidly
Conclusion
The NCSC’s 2025 Annual Review presents a sobering assessment of an intensifying threat landscape that transcends national borders. With 48% of incidents reaching national significance and highly significant incidents increasing 50% year-over-year, the data underscores that cyber resilience is no longer optional for organizations of any size or sector.
As GCHQ Director Anne Keast-Butler emphasized: “Don’t be an easy target; prioritise cyber risk management, embed it into your governance, and lead from the top.”
For U.S. homeland security professionals, the message is clear: the cyber threats facing allied nations are the same threats facing American critical infrastructure, and the time for proactive defense is now.
The full NCSC Annual Review 2025 is available here.
(AI was used in part to facilitate this article.)