
UK NCSC Annual Report: “Nationally Significant” Cyber Incidents Are Now a Weekly Occurrence

The most recent annual review report by the UK’s National Cyber Security Centre (NCSC) has been released, and the leading headline is that cyber incidents considered to be of “national significance” are now effectively a weekly occurrence with 204 counted through August 2025.

The count is more than double that of the prior year’s report. Though all of these attacks are considered nationally significant, there are gradations of significance, and not all rise to the highest level of “national cyber emergency.” 18 of the cyber incidents in this year’s report topped out at the “highly significant” level, meaning a serious impact on the government, essential services or the national economy.

UK sees major spike of “significant” cyber incidents during ransomware wave

The 2025 report is built from 1,727 tips on cyber incidents received over the course of the year, which developed into a total of 429 cases that involved intervention by the NCSC incident management (IM) team. While these overall numbers are comparable to those observed in 2024, the primary difference is that the share of incidents ranked as “nationally significant” jumped from 89 in the prior year to 204 in the current one.

“Nationally significant” cyber incidents can fall into three categories. None of the reported incidents fell into the most severe category, “national cyber emergency” (involving serious disruption of critical infrastructure or loss of life). 18 fell into the next most serious category, “highly significant” incidents, which involve serious impacts on the government, economy, essential services or a “large proportion” of the national population. These incidents are typified by many of the DragonForce ransomware attacks of the spring and summer, for example those on major retailers Marks & Spencer and Co-op, in which tens of millions of customer records were stolen. The remaining 186 incidents fell into the “significant” category, meaning a major impact on an individual organization or a more local government entity.

The report also contains some limited new information on UK cyber incidents involving ransomware. The most impacted sectors during the report period were academia, finance, engineering, retail, health and manufacturing. However, the report notes that the majority of threat actors are “sector agnostic” and seeking opportunities wherever they can find them, whether that be unpatched vulnerabilities or social engineering.

The most severe incidents, the majority of which involved ransomware and/or data extortion, were also linked to both a very small set of threat actors and a very small collection of known vulnerabilities. Three particular vulnerabilities were responsible for 29 of the incidents that NCSC became involved with: CVE-2025-0282 (Ivanti Connect Secure), CVE-2024-47575 (Fortinet FortiManager) and CVE-2025-53770 (Microsoft SharePoint Server).

State-backed threat actors step up campaigns and tactics

The report also contains some information on cyber incidents linked to nation-state threat actors. China is noted as targeting a wide range of sectors and institutions in the UK, with three China-based companies linked to potential Salt Typhoon actions in the nation. Russia’s state-backed groups also continue their usual activities, but the report notes that both the Gaza conflict and the continuing Ukraine invasion are inspiring possibly independent pro-Russian “hacktivists” to ramp up activity against the UK and other NATO countries. The movements of these groups are also difficult to predict as they almost exclusively select targets of opportunity that have unpatched vulnerabilities.

There is also a special note about North Korean hackers posing as freelance third-country IT staff to target UK firms, looking to gain inside access through employment. Some at least go through the motions of doing the job in order to generate revenue for the North Korean government, but more often these threat actors are seeking access to cryptocurrency or valuable information to steal.

All of the major state-backed threat groups have also been observed using AI to support their campaigns. This includes fully automated spear-phishing campaigns, hijacking cloud-based LLMs, and automating post-breach attack stages and data exfiltration. As other recent reports have echoed, these groups are not yet using AI to innovate in significant ways. However, that is believed to be the next major development as they continue to integrate AI into vulnerability research and exploit development (VRED) processes.

The spike in significant activity has prompted UK ministers to write to the 350 largest companies on the FTSE index, urging them to elevate cyber resilience to a board-level responsibility if they have not done so already. But smaller businesses are also being warned to expect attacks of increased severity, with NCSC CEO Richard Horne noting that even solo entrepreneurs “sitting at their kitchen table” must now have a plan for dealing with cyber incidents in the age of AI. Horne advised businesses of all sizes to envision a scenario in which computer screens are blank, payment systems are not functioning, machines are down and supplies are not coming in, and to have plans in place for alternate means of staying functional.

Hom Bahmanyar, Global Enablement Officer at Ridge Security, notes that this will likely involve the implementation of AI solutions: “The continued increase in the number of cyber incidents year over year requires organizations to adopt a continuous security validation of all cyber assets to detect and mitigate security risks before threat actors. It’s so important to find the right AI-powered continuous security validation platform that’s equipped to do that.”

John Carberry, Solution Sleuth at Xcape, adds: “This situation makes it clear that cybersecurity is no longer just an IT concern; it’s crucial for national resilience and business continuity. Organizations need to urgently strengthen their defenses, focus on detecting and responding to threats, and adopt a risk-based strategy that anticipates breaches. Investing in basic security measures, such as multi-factor authentication, network segmentation, continuous monitoring, and board-level involvement, is vital to stay ahead of the rapidly evolving threat landscape.”