UK’s cyber security agency warns of ‘sophisticated’ threat from Chinese hackers

Chinese hackers pose a “highly sophisticated and capable” threat to the UK, GCHQ’s cyber security agency has warned.

The warning came after the National Cyber Security Centre (NCSC) recorded a 50% increase in “highly significant” online incidents carried out by criminals and state-linked groups in the year to the end of August.

The attacks on household names including Marks and Spencer, Co-op and Jaguar Land Rover have shown the real world impact of cyber attacks, the NCSC said.

At the launch of the NCSC’s annual review, security minister Dan Jarvis said all Britons must “step up” and play their part in protecting the country online.

He said: “Cyber crime is one of the greatest threats to our economy, to our businesses, to the livelihoods of our workers and while the Government is providing more cyber security support, we cannot do it alone.

“We need businesses to lead the way, by making cyber security a top priority.

“And we need citizens to step up and take personal responsibility for their cyber safety.”

He warned that “any syndicate of cowards hiding behind keyboards can have a devastating impact” and they are “just as happy hacking the NHS and nurseries as they are multibillion-pound companies”.

As well as online criminals launching ransomware attacks to demand money from firms or individuals, the UK is also targeted by hostile states – either directly or through groups operating at arms-length from the authorities in Beijing, Moscow, Tehran and Pyongyang.

The NCSC’s annual review said: “State actors continue to present a significant threat to UK and global cyber security, aided by an evolving cyber intrusion sector.

“As threats intensified, our incident management team faced a record number of nationally significant incidents.”

The report said:

– China is a “highly sophisticated and capable threat actor, targeting a wide range of sectors and institutions across the globe, including the UK”.

– Russia is a “capable and irresponsible threat actor in cyberspace”, while pro-Moscow “hacktivist” groups operating outside formal state control are seeking to target the UK, Europe, US, and other Nato countries in retaliation for western support for Ukraine and Israel.

– Iran’s activity has largely been focused in the Middle East but the NCSC assesses it is “highly likely” that UK entities could be potential targets for Tehran-linked hackers, following a US warning that Iranian state-sponsored or affiliated cyber activity could threaten critical infrastructure.

– North Korea’s “prolific and capable” hacking activity mainly seeks to raise revenue, to collect intelligence and to offset the impact of international sanctions, while undercover IT workers from Kim Jong Un’s country are “almost certainly” targeting UK firms by posing as third-country freelance staff.

NCSC chief Richard Horne said: “We know that our adversaries are combining cyber means with physical methods in order to further their aims.

“Just last month, agencies from 13 nations came together to warn that three technology companies based in China have conducted a malicious global cyber campaign targeting critical networks on behalf of their host nation.”

As well as that warning in August this year, the NCSC and allies in September 2024 exposed a covert network operated by a China-linked company called Integrity Technology Group or Flax Typhoon, which had a botnet consisting of 260,000 compromised devices around the world.

The NCSC’s experts are also worried about hostile states “pre-positioning” for attacks on infrastructure, including by embedding IT workers who could strike against targets at short notice.

The NCSC’s report comes with the risk posed by China to the UK under intense political scrutiny following the collapse of an alleged spying case and with a ruling due on Beijing’s application to build a massive new embassy in the heart of London.

The NCSC report warned that hackers – including those with links to Beijing – were using artificial intelligence (AI) to improve the potency of their attacks.

“Actors linked to China, Russia, Iran and the DPRK are using large language models to evade detection, support reconnaissance, process exfiltrated data, access systems through social engineering, and support vulnerability research and exploit development,” the NCSC warned.

In the year to the end of August, the NSCS provided support in 429 cases, of which 204 were deemed “nationally significant incidents” – an increase from 89 in the previous 12 months.

Of those, 18 were categorised as “highly significant”, meaning they had a serious impact on government, essential services, the economy or a large proportion of the UK population.