Nation-state actors now behind majority of serious UK incidents, NCSC security chief warns
"Intelligence and military agencies are displaying an eye-watering level of sophistication in their cyber operations."
The UK National Cyber Security Centre has warned that nation-states are now responsible for most of the serious incidents it deals with in the UK.
In a speech at CYBERUK 2026, an annual government security conference, NCSC CEO Richard Horne said that rival intelligence agencies have stepped up their game dramatically, leaving Britain facing a "perfect storm" of threats in cyberspace.
AI and rising geopolitical tensions have created a period of "tumultuous uncertainty", as frontier AI enables the discovery and exploitation of existing vulnerabilities at scale and quantum computing jeopardises legacy cryptography, Horne stated.
"Criminal activity such as ransomware remains the most prevalent threat to the vast majority of organisations, but the majority of the nationally significant incidents that my teams are handling now originate directly or indirectly from nation states," he said.
Chinese intelligence and military agencies now display an "eye-watering level of sophistication in their cyber operations", the security chief advised.
"This, combined with their whole-of-state approach, means we face more than just a capable cyber threat but a peer competitor in cyberspace," he said.
Meanwhile, Iran is "almost certainly" engaged in covert digital operations to "support the repression of British individuals on our streets" who are seen as a threat to the regime.
Russia is also moving from the physical theatre of conflict into the cyberwar arena, using techniques it learned and honed in Ukraine to target enemy nations.
If simmering geopolitical tensions boil over into open conflict, Horne said that Britain is likely to face a blitzkrieg from hacktivists capable of doing the same damage as ransomware gangs - but without offering victims the chance to pay their way out of trouble.
Ric Derbyshire, Principal Security Researcher, Orange Cyberdefense, has observed this trend in the wild, with attackers pivoting towards attacks on operational technology and critical infrastructure.
He told Machine: "The NCSC’s warning highlights the evolving role of hacktivist groups in wider geopolitical tensions. Escalatory hacktivism is a phenomenon we are seeing in which groups align with state-backed narratives and contribute to their host state’s hybrid warfare efforts. This trend is set to become more pervasive and more impactful."
"Amid persistent geopolitical instability, we must be prepared for an increase in both the frequency and severity of attacks, especially against critical national infrastructure, where the cyber-physical impact is likely to be more consequential."
Research from Check Point found that the UK is among the most targeted nations in the world.
Graeme Stewart, Head of Public Sector at Check Point Software, said: "At a time of heightened geopolitical uncertainty, the rise of growing volumes of increasingly sophisticated AI-powered cyber attacks and unbreakable ransomware could bring the country to its knees.
"Large scale hacktivist attacks pose an existential threat to UK PLC, with hostile powers seeking to damage and disrupt core services like the NHS, energy and supply chains."
Botnets and IOC extinction: Rising threats from China
In a warning issued after Horne's speech, the NCSC said China-linked groups have moved away from using "individually procured infrastructure" they set up and own independently, instead wielding large-scale "covert networks" – botnets built from compromised routers and other edge devices.
These networks are used throughout every phase of the kill chain, from reconnaissance and malware delivery to command and control and data exfiltration against targets of espionage and offensive cyber operations.
These evolving techniques and tactics create a "dynamic, low-cost, deniable infrastructure model that can be rapidly re-shaped, rendering traditional static IP block lists ineffective".
Covert networks are constantly refreshed and share nodes across multiple threat groups, meaning defenders face "IOC extinction" as indicators of compromise "disappear as quickly as they are discovered", the agency advised.
Paul Chichester, NCSC Director of Operations, also said: "We have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability."
Sarah Cleveland, a former US special ops and US Air Force colonel now working as strategy director at ExtraHop, said the escalating nation-state threat demands a focus on fast, decisive real-time detection.
She said: "In the military, we talk about ‘Centres of Gravity’ as key areas to focus resources on. Speed of detection is now this for most enterprises. With today’s onslaught of cyber attacks and all decisions data-driven, often with less information, the speed leaders need to get ahead of the enemy is vastly reduced."
The end of passwords?
Hot on the heels of its warning about nation-state threats, the NCSC advised organisations to "leave passwords in the past".
It said passkeys - passwordless, cryptographic sign-ins tied to a device - are "quicker and easier to use and harder for cyber attackers to compromise", claiming they are more secure than pairing a strong password with two-step verification.
Jonathon Ellison, Director for National Resilience, NCSC, said: "The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience.
"As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats."
Kevin Marriott, Director of Cyber Content Strategy and IP at Immersive, described the NCSC’s guidance on passkeys as "a crucial step forward" that could reduce the risks of phishing and stolen credentials.
"Bad actors are always looking for the weakest link, and for years that has been passwords. Even ‘strong’ passwords create an illusion of security, leaving multiple entry points for attackers," he said.
"Rather than hoping to keep data secure with passwords alone, passkeys provide an added layer of protection, requiring bad actors to do extra work and limiting the avenues they can use to gain access to sensitive information."