- A collection of reports related to cyberattacks and campaigns against UK critical national infrastructure (CNI)
- This is an open source intelligence (OSINT) research project based on publicly available information only
- These reports can act as case studies to understand the threat landscape for UK CNI
- The Joint Committee on the National Security Strategy (JCNSS) warned in December 2023 that there is a “high risk” the country faces a “catastrophic ransomware attack at any moment”
- Ransomware incidents reportedly make up the majority of the British government’s crisis management Cabinet Office Briefing Rooms (COBR) meetings
- According to the UK National Protective Security Authority (NPSA), there are 13 critical national infrastructure sectors that are necessary for a country to function and upon which daily life depends.
- This also includes organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (civil nuclear and chemical sites for example).
- This research project will index reports as case studies of incidents happening in the UK only for each of the 13 designated CNI sectors.
| When | Victim | Incident Type | Short Description | Source(s) |
|---|---|---|---|---|
| November 2020 | AstraZeneca | Cyber-espionage | A suspected North Korean APT group posed as recruiters on networking site LinkedIn and WhatsApp to approach AstraZeneca staff with fake job offers, the sources Reuters. The focus of the group appeared to be staff working on COVID-19 research for AstraZeneca's vaccine during the pandemic. | reuters.com |
| When | Victim | Incident Type | Short Description | Source(s) |
|---|---|---|---|---|
| March 2019 | Unnamed Nuclear Power Sector firm | Unspecified cyberattack | A Nuclear Decommissioning Authority (NDA) report, obtained using freedom of information legislation, said officials are “aware that an important business in the Nuclear Power Generating Sector has been negatively impacted by a cyber attack..." The organizations was "...not part of the NDA group." | telegraph.co.uk |
| December 2023 | Sellafield nuclear site | State-sponsored malware attacks | Attacks attributed to suspected Russian and/or Chinese APT groups dating back to 2015. The UK Government has disputed these claims. | theguardian.com reuters.com |
| When | Victim | Incident Type | Short Description | Source(s) |
|---|---|---|---|---|
| October 2015 | TalkTalk | Data Breach | TalkTalk's website had a critical SQL injection vulnerability that was exploited by adolescent cybercriminals from the UK to steal personal records from around 157,000 customer accounts. The CEO, Dido Harding, reportedly received a ransom email asking Bitcoin in exchange for the stolen data. The estimated cost of the breach was £77 million. | bbc.co.uk |
| October 2021 | Multiple UK VoIP firms | Denial of Service attack | Industry body Comms Council UK said several of its members had been targeted by distributed denial of service (DDoS) attacks in an alleged effort to extort those companies. The customers of these VoIP firms included public services, including the police 999 emergency call line and the NHS 111 service. | bbc.co.uk |
| October 2023 | Lyca Mobile | Network Disruption and Data Breach | UK-based mobile virtual network provider giant Lyca Mobile has confirmed a cyberattack that caused service disruption for millions of its customers and led to data theft. | 1. techcrunch.com 2. techcrunch.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| March 2021 | Defence Academy of the United Kingdom | Cyber-espionage | The Oxfordshire-based Defence Academy of the United Kingdom reportedly faced a "sophisticated" cyberattack that had "consequences for operations" and it had to "rebuild the network" but whether criminals or a hostile state were responsible is unknown. The academy's IT infrastructure, including its website, is managed by Serco, an outsourcing company. Its contractors first spotted the unusual activity. | news.sky.com |
| March 2023 | Capita | Ransomware attack | Captia was victim to a ransomware attack by the Black Basta gang. The company is a public sector outsourcing specialist and has massive contracts with the Ministry of Defence, including recruitment for the British army, maintenance at the UK’s Submarine Training Centre, and fire and rescue operations for the Ministry of Defence. Capita said the Black Basta attack is estimated to cost them above £15 million. | theguardian.com, computerweekly.com |
| August 2023 | Zaun | Ransomware attack | British mesh fencing systems maker Zaun disclosed it was victim to a LockBit ransomware attack that exposed the data of UK military and intelligence sites. | zaun.co.uk securityweek.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| October 2021 | Dacoll MSP | Ransomware attack | Dacoll, a Scotland-based MSP, was attacked by CL0P and claimed they stole data from the Police National Computer (PNC) and published some as proof to its data leak site. Officials from the UK Home Office deny that the PNC was accessed. | theregister.com |
| August 2022 | Advanced MSP | Ransomware attack | NHS 111 medical services were disrupted by a LockBit 3.0 ransomware attack against Advanced, an MSP that had to pull a portion of its infrastructure offline as a result. Advanced had up to 36 NHS clients and impacted services included the hosting of Adastra, Carey’s, Carenotes, Crosscare, Odyssey and Staffplan. Adastra is said to work with 85% of NHS 111 services. Initial access was achieved via stolen credentials to a Remote Desktop session for a Citrix server. Prior to encrypting Advanced's systems, data was copied and exfiltrated. | theregister.com |
| July 2023 | Ortivus | Disruptive attack | Ortivus, a Swedish IT company, was attacked and it left two British ambulance services without access to electronic patient records. The ambulance services are responsible for emergency calls from an area from Cornwall to Oxford, containing up to 12.5 million people. The precise nature of the attack has not been disclosed. Delays were caused and staff were being forced to use pens and paper as a result. | therecord.media |
| August 2023 | Police Service Northern Ireland (PSNI) | Data Breach | The names of police officers and staff in Northern Ireland, where they were based and their roles were published on the internet. The data was made public, in error, by police as they responded to a routine freedom of information (FoI) request. The leaked spreadsheet included the surname and initials of every employee, their rank or grade, where they are based and the unit they work in, including sensitive areas such as surveillance and intelligence. | bbc.co.uk |
| August 2023 | UK Metropolitan Police | Data Breach | The UK Metropolitan Police suffered a data breach when cybercriminals successfully breached the IT systems of a contractor in charge of producing warrant cards and staff passes. Up to 47,000 police personnel have been impacted. Police officials, VIP protection officers, counterterrorism police, and undercover officers are some of the most at risk who have been exposed. | news.sky.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| March 2017 | Unspecified | Cyber-espionage | The NCSC warned that multiple companies involved in the CNI supply chain were targeted by a state-sponsored espionage campaign focusing on industrial control systems and process. The campaign is tracked in open sources as Berserk Bear, Energetic Bear, Dragonfly, Havex, and Crouching Yeti. | ncsc.gov.uk |
| May 2020 | Elexon | Ransomware attack | Elexon's internal IT systems, including emails, were affected by a REvil ransomware attack. Files stolen from Elexon were published to the group's data leak site as proof. The Balancing and Settlement Code (BSC) central systems and Electricity Market Reform (EMR) systems were not affected. | securityweek.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| November 2016 | Tesco Bank | Financial Theft | Tesco Bank had £2.26 million stolen from 9,000 customer accounts. The adversary reportedly exploited a misconfiguration in how Tesco Bank distributed debit card numbers and used an algorithm to generate virtual cards and made thousands of unauthorised transactions. The estimated cost of the breach was £16.4 million. | zdnet.com |
| December 2019 | Travelex | Ransomware attack | Travelex suffered a multi-week outage after an REvil ransomware attack on New Years Eve. Initial access was gained via an unpatched Pulse Secure VPN. The ransomware group demanded a £4.6 million ransom. | arstechnica.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| October 2021 | Tesco | Denial of Service | Tesco's wesbite and app were attacked, leaving customers unable to order, amend, or cancel deliveries for two days. | theguardian.com |
| December 2021 | Spar | Ransomware attack | More than 300 branches of the convenience store chain Spar in the north of England were hit by a ransomware attack, forcing many of them to close. | news.sky.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| October 2020 | London’s Hackney Council | Ransomware attack | Protect Your Systems Amigo (PYSA) ransomware attack Hackney council during the Covid-19 pandemic. As a result, for around a year housing benefit payments and social care services did not function properly. The estimated cost of the attack was £12 million. | wired.com |
| August 2021 | Electoral Comission | Cyber-espionage | The UK Electoral Comission was breached in August 2021 by a hostile actor (likely state-sponsored) who was not discovered until October 2022. Names and addresses of 40 million registered voters were accessible as far back as 2014. | electoralcommission.org.uk |
| January 2022 | Foreign, Commonwealth and Development Office (FCDO) | Cyber-espionage | The FCDO was impacted by a "serious cyber security incident". iNews reported that adversaries from both China and Russia were able to access emails, internal messages, and Teams meetings revealing the day-to-day business of the government department, but no classified information was stolen. | thestack.technology, inews.co.uk |
| May 2022 | Brexit campaigners and the former Head of MI6 | Hack-and-Leak Operation | A website was created that published leaked emails from several leading proponents of Britain's exit from the European Union was tied to Russian hackers linked to the Callisto group (aka Cold Driver or Gossamer Bear) | reuters.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| May 2017 | The NHS | Ransomware attack | The WannaCry ransomware worm impacted up to 40 NHS organisations and some GP practices in England and Scotland. Trusts in Wales and Northern Ireland were reportedly not impacted. | bbc.co.uk |
| August 2017 | NHS Lanarkshire (Scotland) | Ransomware attack | BitPaymer ransomware attack on hospital group in Scotland. | bleepingcomputer.com |
| June 2023 | NHS Barts Health Trust | Ransomware attack | The BlackCat (ALPHV) ransomware group listed St. Barts Health, an NHS Trust, on its data leak site. Barts Health NHS Trust is a collection of six hospitals and ten clinics in East London and oversees the care of over 2.5 million patients. The deployment of ransomware was not confirmed. | digitalhealth.net |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| September 2018 | British Airways | Magecart Webskimming | British Airways' website was compromised and a JavaScript webskimmer from a Magecart group compromised the personal and financial details of customers who made bookings on its website or app between 21 August and 5 September. Close to 400,000 customers were impacted. The UK ICO fined British Airways £20 million. | zdnet.com. reuters.com |
| May 2020 | EasyJet | Data breach | EasyJet disclosed a data breach affecting nine million of its customers and involving over 2,000 credit-card details. The company did not disclose when the breach occurred or how it happened. | zdnet.com |
| April 2021 | Merseyrail | Ransomware attack | Merseyrail suffered an IT disruption due to ransomware. The LockBit gang emailed reporters from a compromised director's email address and shared samples of stole data as proof they compromised Merseyrail. | bleepingcomputer.com |
| January 2023 | Royal Mail | Ransomware attack | Royal Mail suffered a severe service disruption to its international export services following a ransomware attack. LockBit 3.0 was used in the attack and it caused ransom notes to be printed on printers. Royal Mail also refused to pay a £66 million ransom demanded by LockBit. | bleepingcomputer.com, computerweekly.com |
| When | Victim | Incident Type | Description | Source(s) |
|---|---|---|---|---|
| August 2022 | South Staffordshire PLC | Ransomware attack | South Staffordshire PLC, the parent company of South Staff Water and Cambridge Water, was breached by CL0P but no ransomware was deployed. Screenshots of the company's SCADA systems used to control industrial processes at water treatment facilities were shared. CL0P also originally mistook the victim for Thames Water on its data leak site. | bitdefender.com |
| January 2024 | Southern Water | Ransomware attack | The Black Basta ransomware gang claimed to have hacked the UK water utility Southern Water | securityaffairs.com |