A collection of reports related to cyberattacks and campaigns against UK critical national infrastructure (CNI)
This is an open source intelligence (OSINT) research project based on publicly available information only
These reports can act as case studies to understand the threat landscape for UK CNI
The Joint Committee on the National Security Strategy (JCNSS) warned in December 2023 that there is a “high risk” the country faces a “catastrophic ransomware attack at any moment”
Ransomware incidents reportedly make up the majority of the British government’s crisis management Cabinet Office Briefing Rooms (COBR) meetings
The 13 UK national infrastructure sectors
According to the UK National Protective Security Authority (NPSA), there are 13 critical national infrastructure sectors that are necessary for a country to function and upon which daily life depends.
This also includes organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (civil nuclear and chemical sites for example).
This research project will index reports as case studies of incidents happening in the UK only for each of the 13 designated CNI sectors.
1. Chemicals

| When | Victim | Incident Type | Short Description | Source(s) |
|---|---|---|---|---|
| November 2020 | AstraZeneca | Cyber-espionage | A suspected North Korean APT group posed as recruiters on the networking site LinkedIn and on WhatsApp to approach AstraZeneca staff with fake job offers, according to Reuters. The group appeared to focus on staff working on AstraZeneca's COVID-19 vaccine research during the pandemic. | |
A Nuclear Decommissioning Authority (NDA) report, obtained using freedom of information legislation, said officials are "aware that an important business in the Nuclear Power Generating Sector has been negatively impacted by a cyber attack..." The organisation was "...not part of the NDA group."
TalkTalk's website had a critical SQL injection vulnerability that was exploited by adolescent cybercriminals from the UK to steal personal records from around 157,000 customer accounts. The CEO, Dido Harding, reportedly received a ransom email asking for Bitcoin in exchange for the stolen data. The estimated cost of the breach was £77 million.
Industry body Comms Council UK said several of its members had been targeted by distributed denial of service (DDoS) attacks in an alleged effort to extort those companies. The customers of these VoIP firms included public services, including the police 999 emergency call line and the NHS 111 service.
UK-based mobile virtual network provider giant Lyca Mobile has confirmed a cyberattack that caused service disruption for millions of its customers and led to data theft.
The Oxfordshire-based Defence Academy of the United Kingdom reportedly faced a "sophisticated" cyberattack that had "consequences for operations" and it had to "rebuild the network" but whether criminals or a hostile state were responsible is unknown. The academy's IT infrastructure, including its website, is managed by Serco, an outsourcing company. Its contractors first spotted the unusual activity.
Capita was the victim of a ransomware attack by the Black Basta gang. The company is a public sector outsourcing specialist and holds major contracts with the Ministry of Defence, including recruitment for the British Army, maintenance at the UK's Submarine Training Centre, and fire and rescue operations for the Ministry of Defence. Capita said the Black Basta attack is estimated to cost it above £15 million.
British mesh fencing systems maker Zaun disclosed it was the victim of a LockBit ransomware attack that exposed data relating to UK military and intelligence sites.
Dacoll, a Scotland-based MSP, was attacked by CL0P, which claimed to have stolen data from the Police National Computer (PNC) and published some of it on its data leak site as proof. Officials from the UK Home Office deny that the PNC was accessed.
NHS 111 medical services were disrupted by a LockBit 3.0 ransomware attack against Advanced, an MSP that had to pull a portion of its infrastructure offline as a result. Advanced had up to 36 NHS clients and impacted services included the hosting of Adastra, Carey’s, Carenotes, Crosscare, Odyssey and Staffplan. Adastra is said to work with 85% of NHS 111 services. Initial access was achieved via stolen credentials to a Remote Desktop session for a Citrix server. Prior to encrypting Advanced's systems, data was copied and exfiltrated.
Ortivus, a Swedish IT company, was attacked and it left two British ambulance services without access to electronic patient records. The ambulance services are responsible for emergency calls from an area from Cornwall to Oxford, containing up to 12.5 million people. The precise nature of the attack has not been disclosed. Delays were caused and staff were being forced to use pens and paper as a result.
The names of police officers and staff in Northern Ireland, where they were based and their roles were published on the internet. The data was made public, in error, by police as they responded to a routine freedom of information (FoI) request. The leaked spreadsheet included the surname and initials of every employee, their rank or grade, where they are based and the unit they work in, including sensitive areas such as surveillance and intelligence.
The UK Metropolitan Police suffered a data breach when cybercriminals successfully breached the IT systems of a contractor in charge of producing warrant cards and staff passes. Up to 47,000 police personnel have been impacted. Police officials, VIP protection officers, counterterrorism police, and undercover officers are some of the most at risk who have been exposed.
The NCSC warned that multiple companies involved in the CNI supply chain were targeted by a state-sponsored espionage campaign focusing on industrial control systems and processes. The campaign is tracked in open sources as Berserk Bear, Energetic Bear, Dragonfly, Havex, and Crouching Yeti.
Elexon's internal IT systems, including emails, were affected by a REvil ransomware attack. Files stolen from Elexon were published to the group's data leak site as proof. The Balancing and Settlement Code (BSC) central systems and Electricity Market Reform (EMR) systems were not affected.
Tesco Bank had £2.26 million stolen from 9,000 customer accounts. The adversary reportedly exploited a misconfiguration in how Tesco Bank distributed debit card numbers and used an algorithm to generate virtual cards and made thousands of unauthorised transactions. The estimated cost of the breach was £16.4 million.
Travelex suffered a multi-week outage after a REvil ransomware attack on New Year's Eve. Initial access was gained via an unpatched Pulse Secure VPN. The ransomware group demanded a £4.6 million ransom.
Protect Your Systems Amigo (PYSA) ransomware attacked Hackney Council during the Covid-19 pandemic. As a result, housing benefit payments and social care services did not function properly for around a year. The estimated cost of the attack was £12 million.
The UK Electoral Commission was breached in August 2021 by a hostile actor (likely state-sponsored) who was not discovered until October 2022. Names and addresses of 40 million registered voters were accessible, with records going back as far as 2014.
| When | Victim | Incident Type | Short Description | Source(s) |
|---|---|---|---|---|
| | Foreign, Commonwealth and Development Office (FCDO) | Cyber-espionage | The FCDO was impacted by a "serious cyber security incident". iNews reported that adversaries from both China and Russia were able to access emails, internal messages, and Teams meetings revealing the day-to-day business of the government department, but no classified information was stolen. | |

A website that published leaked emails from several leading proponents of Britain's exit from the European Union was tied to Russian hackers linked to the Callisto group (aka Cold River or Gossamer Bear).
The WannaCry ransomware worm impacted up to 40 NHS organisations and some GP practices in England and Scotland. Trusts in Wales and Northern Ireland were reportedly not impacted.
The BlackCat (ALPHV) ransomware group listed St. Barts Health, an NHS Trust, on its data leak site. Barts Health NHS Trust is a collection of six hospitals and ten clinics in East London and oversees the care of over 2.5 million patients. The deployment of ransomware was not confirmed.
British Airways' website was compromised and a JavaScript webskimmer from a Magecart group compromised the personal and financial details of customers who made bookings on its website or app between 21 August and 5 September. Close to 400,000 customers were impacted. The UK ICO fined British Airways £20 million.
EasyJet disclosed a data breach affecting nine million of its customers and involving over 2,000 credit-card details. The company did not disclose when the breach occurred or how it happened.
Merseyrail suffered an IT disruption due to ransomware. The LockBit gang emailed reporters from a compromised director's email address and shared samples of stolen data as proof that they had compromised Merseyrail.
Royal Mail suffered a severe service disruption to its international export services following a ransomware attack. LockBit 3.0 was used in the attack and it caused ransom notes to be printed on printers. Royal Mail also refused to pay a £66 million ransom demanded by LockBit.
South Staffordshire PLC, the parent company of South Staff Water and Cambridge Water, was breached by CL0P but no ransomware was deployed. Screenshots of the company's SCADA systems used to control industrial processes at water treatment facilities were shared. CL0P also originally mistook the victim for Thames Water on its data leak site.