"Many vulnerabilities that organizations tolerate today will be exploited in conflict tomorrow," Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), warned at the Royal United Services Institute (RUSI) Annual Security Lecture on June 17, 2026.
Richard Horne’s tally: 200 incidents and a nation-state problem
Between June 2025 and May 2026 the NCSC “dealt with 200 cyber incidents affecting critical national infrastructure (CNI),” Richard Horne told the RUSI audience. He added that three-quarters of those incidents “originated from nation-state actors or were linked to hostile states such as Russia, China and Iran.” That figure follows Horne’s disclosure in April that the agency had handled 204 “nationally significant” cyber incidents at the time of its last annual review.
Far, mid and near: three contested digital spaces
Horne organised the threat landscape into three contested spaces he called far, mid and near. In the far space — “the adversaries’ home turf” — he said the UK and partners press adversaries with “intelligence collection, sanctions, law enforcement action and offensive cyber operations to disrupt and degrade their capability at source.”
In the mid space, where “digital infrastructure is shared by both legitimate and malicious actors,” Horne warned attackers are exploiting cloud and open‑source supply chains “to spread malicious code and achieve scaled impact.” He cautioned that “cloud‑based AI services will play an increasing role in the future to enable attackers,” and urged collective action: “This is where we can deliver collective scaled impact through hardening cloud, technology and telecommunications infrastructure and by disrupting adversary positions within those environments.”
In the near space — the systems of targeted organisations — Horne told company boards to prioritise simple, practical capabilities: “understand exposure, defend and respond.”
AI, legacy systems and prepositioning for conflict
The NCSC singled out frontier AI models as a present accelerant. Horne said such models are “already effective at discovering long-standing vulnerabilities in code” and predicted attackers will automate and scale attacks. That view underpins an NCSC assessment that it is “highly likely” AI cyber capabilities will be used by attackers against known vulnerabilities in legacy technology in the UK’s critical infrastructure by 2028.
Horne warned adversaries are “pre‑positioning today, establishing footholds within technology that underpins critical national infrastructure that could enable rapid exploitation to cause mass disruption in a time of conflict.” He pointed to Volt Typhoon — described as “the Chinese state‑linked campaign that infiltrated US digital infrastructure” — as a significant example of that prepositioning. “Kinetic targeting in any conflict tomorrow will be based on intelligence gathered today,” he added.
Operational technology, sector targeting, and the skills gap
Multiple speakers at RUSI highlighted the particular risks to operational technology (OT). James Neilson, SVP of global at OPSWAT, noted a knowledge gap: “The challenge for many UK critical infrastructure organizations is that their environments include a mixture of IT and OT assets, but very few individuals possess deep expertise in both, creating knowledge gaps in threat assessment and defence development.”
Andrew Lintell, general manager for EMEA at Claroty, said attackers “particularly target OT‑rich sectors, such as manufacturing, water and wastewater and power generation ‘because they’re seen as able to cause the most chaos and fear if successful.’” He added that “These sectors account for more than 40% of attacks observed across 20 CNI sectors.”
What this means for boards, security leaders, and OT operators
- Boards and executives: Horne urged a shift in framing — “cybersecurity must be treated as an ongoing contest rather than a static risk.” He criticised treating cyber as a line on a risk register and warned executives that when they ask “when will we be done investing in cybersecurity, the answer is never.”
- Security leaders and technologists: Industry voices endorsed the contest framing. Graeme Stewart, head of public sector at Check Point Software, said Horne's speech should be “pinned to the wall of every boardroom in the country” and that the NCSC CEO is “absolutely right” to frame cybersecurity as a contest rather than a compliance exercise.
- OT operators and critical infrastructure owners: The combined warnings about legacy systems, AI‑driven vulnerability discovery, and prepositioning argue for action on unsupported legacy technology and for addressing the IT/OT skills gap that OPSWAT and Claroty highlighted.
Horne’s remarks at RUSI present a short, stark equation: many recent UK CNI incidents are linked to nation‑state actors; attackers are exploiting shared cloud and supply‑chain layers and will increasingly use AI to scale exploitation; and legacy OT systems offer targets that can be pre‑positioned for use in future conflict. For the NCSC, the response is a mix of partner pressure on adversaries, collective hardening in the mid space, and practical defensive priorities in the near space — while urging boards to treat cyber as a continuous contest, not a mitigable line item.
https://www.infosecurity-magazine.com/news/hostile-states-cni-75-percent-ncsc/




