SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

NCSC warns of China threat as major UK cyber-attacks surge 50%

Wed, 15th Oct 2025

The National Cyber Security Centre has issued a new warning highlighting the threat posed by China among other nation-state actors, as official figures reveal a 50% increase in highly significant cyber-attacks on the United Kingdom over the past year.

This warning arrives in the context of mounting concern about the shifting dynamics of global cyber threats, with Chinese, Russian, and North Korean threat actors remaining prominent among the risks facing UK organisations. The NCSC reported handling 429 cyber incidents in the last year, 18 of which significantly impacted essential services or the wider economy. Serious incidents are now occurring at a rate of nearly one every two days.

Nation-state activity

Marc Jones, Regional Director for UK & Ireland at Armis, commented on the NCSC's latest warning and the changing nature of global cyber aggression. Jones said both China and Russia are at the forefront of UK IT leaders' concerns, with 74% and 71% respectively ranking these nations as top threats. North Korea also remains a focus of national security attention.

Jones noted that advances in artificial intelligence are altering the cyber threat landscape, enabling less powerful states to develop more sophisticated capabilities and posing new challenges for defenders.

"The usual suspects - China, Russia, and North Korea - remain serious cyber threats, with 74% of UK IT leaders identifying China and 71% citing Russia as top concerns. But GenAI is shifting the balance - arming smaller nations to develop more advanced capabilities. With 66% of UK IT leaders believing AI is reshaping global power dynamics and 71% worried about AI-driven nation-state attacks, organisations must take the threat posed by states of all sizes seriously. This requires true cyber resilience, which begins with understanding and managing their own cyber exposure."

Organisations are increasingly being urged to take a holistic approach to their cybersecurity posture in order to counter this evolving landscape, with a focus on understanding and mitigating their specific vulnerabilities.

Ransomware evolution

As the volume and impact of attacks increase, so too has the sophistication of ransomware operations affecting UK organisations. Pierre Noel, Field Chief Information Security Officer for EMEA at Expel, described a transformation from opportunistic hacking to highly organised criminal activity, operating with the structure and support systems typically associated with commercial enterprises.

Noel observed that modern ransomware groups function in a similar fashion to software-as-a-service businesses, offering subscription models, user dashboards and even customer assistance. This level of professionalisation makes them persistent and effective in exploiting vulnerabilities, compromised credentials and misconfigured networks.

Noel highlighted that identity-based attacks are now predominant, accounting for 67.6% of incidents processed by Expel's Security Operations Centre in the second quarter of 2025. He also warned of the risks posed by broad, untargeted malware campaigns, which accounted for nearly 14% of threats and can still have severe consequences for organisations lacking essential cybersecurity hygiene.

The ongoing consultation on banning ransom payments in the UK represents a further shift in strategy towards prevention. Noel said that eliminating the option of payment would make it imperative for organisations to focus on readiness, as attackers would likely respond with greater emphasis on data exfiltration and threatening public disclosures to coerce victims.

"The inability to pay heightens the importance of stopping attacks before they happen and ensuring resilience when they do," Noel said. He emphasised the need for immutable - tamper-proof - back-ups, visibility into system and authentication logs, rapid remediation capabilities, and robust threat intelligence to keep pace with evolving tactics. A cloud-only storage policy, in which documents are never saved on user devices, also emerged as a recommended measure for ensuring business continuity.

Operational readiness

Noel also stressed that organisational preparedness cannot rely on technology alone, citing persistent execution failures despite the prevalence of incident response plans. He pointed out that only 32% of businesses and 30% of charities report breaches externally, often due to untested plans and confusion in high-pressure situations. Regular tabletop exercises involving executive leadership, legal, and public relations teams, in addition to IT specialists, were presented as key to making incident response truly effective.

Looking to the future, Noel predicted the continued rise of automation and artificial intelligence in ransomware operations, with attacks becoming faster and more specifically tailored. He advocated for multilayered defences, from immutable back-ups and strong threat intelligence to proactive monitoring and regular plan testing, as the foundation for maintaining resilience and reducing risk exposure over time.

The NCSC's statistics highlight the urgency of strengthening cyber resilience across critical industries, as the threat environment is expected to remain dynamic and challenging for UK organisations in the months ahead.
