Cyberveille curated by Decio
86 results tagged UK
UK and allies expose China-based technology companies for enabling global cyber campaign against critical networks https://www.ncsc.gov.uk/news/uk-allies-expose-china-tech-companies-enabling-cyber-campaign
31/08/2025 18:58:09

ncsc.gov.uk The NCSC and international partners share technical details of malicious activities and urge organisations to take mitigative actions.

  • GCHQ’s National Cyber Security Centre and international partners link three China-based companies to campaign targeting foreign governments and critical networks.
  • Commercial cyber ecosystem with links to the Chinese intelligence services has enabled global malicious activity.
  • New advisory supports UK organisations in critical sectors to bolster their security against China state-sponsored cyber activity.
  • Network defenders urged to proactively hunt for activity and take steps to mitigate threat from attackers exploiting avoidable weaknesses.

The UK and international allies have today (Wednesday) publicly linked three technology companies based in China with a global malicious cyber campaign targeting critical networks.

In a new advisory published today, the National Cyber Security Centre (NCSC) – a part of GCHQ – and international partners from twelve other countries have shared technical details about how malicious cyber activities linked with these China-based commercial entities have targeted nationally significant organisations around the world.

Since at least 2021, this activity has targeted organisations in critical sectors including government, telecommunications, transportation, lodging, and military infrastructure globally, with a cluster of activity observed in the UK.

The activities described in the advisory partially overlap with campaigns previously reported by the cyber security industry, most commonly under the name Salt Typhoon.

The data stolen through this activity can ultimately provide the Chinese intelligence services the capability to identify and track targets’ communications and movements worldwide.

The advisory describes how the threat actors have had considerable success taking advantage of known common vulnerabilities rather than relying on bespoke malware or zero-day vulnerabilities to carry out their activities, meaning attacks via these vectors could have been avoided with timely patching.

Organisations of national significance in the UK are encouraged to proactively hunt for malicious activity and implement mitigative actions, including ensuring that edge devices are not exposed to known vulnerabilities and implementing security updates.

NCSC Chief Executive Dr Richard Horne said:

“We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale.

“It is crucial organisations in targeted critical sectors heed this international warning about the threat posed by cyber actors who have been exploiting publicly known – and so therefore fixable – vulnerabilities.

“In the face of sophisticated threats, network defenders must proactively hunt for malicious activity, as well as apply recommended mitigations based on indicators of compromise and regularly reviewing network device logs for signs of unusual activity.”

The UK has led globally in helping to improve cyber risk management with leading legislation including the Telecommunications (Security) Act 2021 and the associated Code of Practice, for which the NCSC was the technical authority.

The government's forthcoming Cyber Security and Resilience Bill will further strengthen the UK’s cyber defences, protecting the services the public rely on to go about their normal lives.

The NCSC and government partners have previously warned about the growing range of cyber threats facing critical sectors and provide a range of guidance and resources to improve resilience.

The NCSC's Early Warning service provides timely notifications about potential security issues, including known vulnerabilities, and malicious activities affecting users’ networks. All UK organisations can sign up to this free service.

The three China-based technology companies provide cyber-related services to the Chinese intelligence services and are part of a wider commercial ecosystem in China, which includes information security companies, data brokers and hackers for hire.

The named entities are: Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co, and Sichuan Zhixin Ruijie Network Technology Co Ltd.

The NCSC has co-sealed this advisory alongside agencies from the United States, Australia, Canada, New Zealand, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain.

www.ncsc.gov.uk EN 2025 China UK China-based technology companies critical-infrastructure
North Korea accused of £17m crypto heist that killed British start-up https://www.telegraph.co.uk/business/2025/08/17/north-korea-17m-crypto-heist-british-start-up/
24/08/2025 21:20:26

telegraph.co.uk 2025/08/17/ - Lazarus cyber gang believed to have used stolen funds to boost military and nuclear programmes

North Korean hackers have been accused of a £17m Bitcoin heist that brought down a UK-based cryptocurrency company.

Lazarus, the hermit kingdom’s notorious cyber gang, has been identified as the potential culprit behind the theft of cryptocurrency from Lykke, a trading platform incorporated in Britain.

If confirmed, it would be North Korea’s biggest-known cryptocurrency heist to target Britain. The pariah state has made billions in recent years stealing cryptocurrency to fund its military and nuclear programmes.

Lykke was founded in 2015 and operated from Switzerland but was registered in the UK. The company said last year that it had lost $22.8m (£16.8m) in Bitcoin, Ethereum and other cryptocurrencies, forcing it to halt operations.

In March a judge ordered the company to be liquidated after a legal campaign from more than 70 affected users.

North Korea was named as the potential hacker in a recent report by the Office of Financial Sanctions Implementation (OFSI), a branch of the Treasury.

“The attack has been attributed to malicious Democratic People’s Republic of Korea cyberactors, who stole funds on both the Bitcoin and Ethereum networks,” it said.

The Treasury said the OFSI did not reveal the sources of its information but that it worked closely with law enforcement.

Lazarus had been separately blamed for the attack on Lykke by Whitestream, an Israeli cryptocurrency research company.

It said the attackers had laundered the stolen funds through two other cryptocurrency companies notorious for allowing users to hide their tracks, and thus avoid money-laundering controls.

Other researchers have disagreed with the conclusions, saying it is not currently possible to determine who hacked the exchange.

Lykke was founded by Richard Olsen, a great-grandson of the Swiss banking patriarch Julius Baer, and offered cryptocurrency trading without transaction fees.

The company was run out of Zug in Switzerland’s so-called “crypto valley” but its corporate entity was registered in Britain.

In 2023, the Financial Conduct Authority issued a warning about the company, saying it was not registered or authorised to offer financial services for consumers in Britain.

Despite saying it would be able to return customers’ funds, it froze trading after the hack and officially shut down last December.

The company was liquidated in March following a winding up petition in the UK courts brought by a group of customers, who say they have lost £5.7m as a result of the company shutting down.

Interpath Advisory has been appointed to distribute the remaining funds to those who lost money. Its Swiss parent was placed into liquidation last year.

Mr Olsen was declared bankrupt in January and is the subject of criminal investigations in Switzerland, according to British legal filings. He did not respond to requests for comment.

telegraph.co.uk Lykke UK Switzerland Lazarus crypto heist
HMRC staff spying on taxpayers and accessing records without permission https://uk.news.yahoo.com/hmrc-staff-spying-taxpayers-accessing-080706637.html
18/08/2025 11:12:47

uk.news.yahoo.com - Records show hundreds of data breaches involving HMRC staff

HM Revenue and Customs (HMRC) has revealed that hundreds of staff have accessed the records of taxpayers without permission or breached security in other ways. HMRC dismissed 50 members of staff last year for accessing or risking the exposure of taxpayers’ records, according to The Telegraph.

354 tax employees have been disciplined for data security breaches since 2022, of whom 186 have been fired - and some were dismissed for accessing confidential information. HMRC holds sensitive data including salary and earnings, which staff cannot access without a good reason.

In an email to staff, the line manager of the claimant wrote: “There have been more incidents of this recently.”

John Hood, of accountants Moore Kingston Smith, said: “Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked. As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants.”

HMRC’s annual report shows there were six incidents last year of employees changing customer records without permission, and two of staff losing inadequately protected devices.

A spokesman for HMRC said: “Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence. We take the security of customers’ data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.”

uk.news.yahoo.com EN 2025 HM-Revenue-and-Customs employees sensitive-data access-records spy UK incidents tax-payer accessing staff
Cybercrime: International investigations by the OAG and fedpol result in conviction for real-time phishing in the UK https://www.vbs.admin.ch/en/newnsb/b4yhFXHLpERSkhgNMVb89
06/08/2025 12:04:15

Bern, 29.07.2025 — The Office of the Attorney General of Switzerland (OAG) has been conducting criminal proceedings since 2022 in the matter of a large-scale phishing series. Fake e-banking login pages had been used to defraud numerous Swiss bank customers, resulting in losses of around CHF 2.4 million. In this context, the OAG took over about thirty cases from the cantons. The investigations conducted by the OAG and fedpol led to the identification and location of the developer and distributor of the phishing kit in the UK. The case was taken over by the British authorities, who were already conducting similar proceedings against the individual involved. He was sentenced by a court in the UK on 23 July 2025 to seven years' imprisonment. This success demonstrates the importance of international cooperation in the fight against cybercrime.

In July 2022, the Office of the Attorney General of Switzerland (OAG) initiated criminal proceedings against persons unknown on suspicion of computer fraud (Art. 147 para. 1 in conjunction with para. 2 Swiss Criminal Code (SCC)) in connection with an extensive phishing series. Prior to this, several cantonal public prosecutor's offices had already initiated proceedings in around 30 cases in connection with the same matter, which the OAG subsequently took over and joined in its proceedings. In August 2023, following the identification of the developer and distributor of the phishing kit, criminal proceedings were extended to this person.

Real-time phishing on a grand scale

Between May 2022 and September 2022, unknown perpetrators created and used several fake login websites (phishing pages) for various Swiss banks, using what is known as a phishing kit. Bank customers who used Google Search to access their account ended up on the phishing pages posted as adverts and fell victim to the scam when they attempted to log into their supposed e-banking accounts. As a result, their e-banking access data were intercepted unbeknown to them, enabling the perpetrators to use the stolen access data to log into the victim's e-banking accounts and enable the two-factor authentication. The victims still believed that they were on the bank's real website and authenticated the login by entering the authentication code they received by text message on the phishing page. As a result, the perpetrators gained access to their authentication codes. This enabled them to successfully log into the victims' e-banking accounts and register an additional device with the bank to confirm two-factor authentication. The perpetrators were then able to log into the victims’ e-banking accounts without any further action by the victims and initiate payments without their knowledge or consent. The damage caused to the injured parties in the Swiss criminal proceedings amounts to CHF 2.4 million.

Successful cooperation with the UK, Europol and Eurojust

The intensive investigations conducted by the OAG and fedpol resulted in the identification and localisation of a British national who had developed and distributed the phishing kit. The OAG and fedpol's subsequent close cooperation with Europol, Eurojust and UK law enforcement authorities led to the arrest and prosecution in the UK of the developer and seller of the phishing kit. As the UK authorities were already conducting similar proceedings against this person, they took over the Swiss proceedings at the OAG’s request, continuing them in the UK. The OAG subsequently discontinued its criminal proceedings. On 23 July 2025, the perpetrator was sentenced in the UK to seven years' imprisonment for his offences (press release from the Crown Prosecution Service). This success demonstrates the importance and effectiveness of international cooperation in the fight against ever-increasing cybercrime.

vbs.admin.ch EN 2025 Switzerland UK busted phishing banks phishing-kit
Thousands of Afghans relocated to UK under secret scheme after data leak https://www.theguardian.com/uk-news/2025/jul/15/thousands-relocated-data-leak-afghans-who-helped-british-forces
16/07/2025 10:06:24

theguardian.com - Conservative government used superinjunction to hide error that put Afghans at risk and led to £2bn mitigation scheme.

Dan Sabbagh and Emine Sinmaz
Tue 15 Jul 2025 22.07 CEST
Conservative ministers used an unprecedented superinjunction to suppress a data breach that led the UK government to offer relocation to 15,000 Afghans in a secret scheme with a potential cost of more than £2bn.

The Afghan Response Route (ARR) was created in haste after it emerged that personal information about 18,700 Afghans who had applied to come to the UK had been leaked in error by a British defence official in early 2022.

Panicked ministers and officials at the Ministry of Defence learned of the breach in August 2023 after data was posted to a Facebook group and applied to the high court for an injunction, the first sought by a British government, to prevent any further media disclosure.

It was feared that publicity could put the lives of many thousands of Afghans at risk if the Taliban, who had control of the country after the western withdrawal in August 2021, were to become aware of the existence of the leaked list and to obtain it.

The judge in the initial trial, Mr Justice Knowles, granted the application “contra mundum” – against the world – and ruled that its existence remain secret, resulting in a superinjunction which remained in place until lifted on Tuesday.

The gagging order meant that both the data breach and the expensive mitigation scheme remained hidden despite its size and cost until the near two-year legal battle was brought to a close in the high court.

At noon on Tuesday, the high court judge Mr Justice Chamberlain said it was time to end the superinjunction, which he said had the effect of concealing discussions about spending “the sort of money which makes a material difference to government spending plans and is normally the stuff of political debate”.

A few minutes later, John Healey, the defence secretary, offered a “sincere apology” for the data breach. In a statement to the Commons, he said he had felt “deeply concerned about the lack of transparency” around the data breach and “deeply uncomfortable to be constrained from reporting to this house”.

theguardian.com EN UK 2025 Ministry data-breach data-leak Afghans relocations
Seeking Deeper: Assessing China’s AI Security Ecosystem https://cetas.turing.ac.uk/publications/seeking-deeper-assessing-chinas-ai-security-ecosystem
13/07/2025 23:08:22

cetas.turing.ac.uk/ Research Report
As AI increasingly shapes the global economic and security landscape, China’s ambitions for global AI dominance are coming into focus. This CETaS Research Report, co-authored with Adarga and the International Institute for Strategic Studies, explores the mechanisms through which China is strengthening its domestic AI ecosystem and influencing international AI policy discourse. The state, industry and academia all play a part in the process, with China’s various regulatory interventions and AI security research trajectories linked to government priorities. The country’s AI security governance is iterative and is rapidly evolving: it has moved from having almost no AI-specific regulations to developing a layered framework of laws, guidelines and standards in just five years. In this context, the report synthesises open-source research and millions of English- and Chinese-language data points to understand China’s strategic position in global AI competition and its approach to AI security.

This CETaS Research Report, co-authored with the International Institute for Strategic Studies (IISS) and Adarga, examines China’s evolving AI ecosystem. It seeks to understand how interactions between the state, the private sector and academia are shaping the country’s strategic position in global AI competition and its approach to AI security. The report is a synthesis of open-source research conducted by IISS and Adarga, leveraging millions of English- and Chinese-language data points.

Key Judgements
China’s political leadership views AI as one of several technologies that will enable the country to achieve global strategic dominance. This aligns closely with President Xi’s long-term strategy of leveraging technological revolutions to establish geopolitical strength. China has pursued AI leadership through a blend of state intervention and robust private-sector innovation. This nuanced approach challenges narratives of total government control, demonstrating significant autonomy and flexibility within China’s AI ecosystem. Notably, the development and launch of the DeepSeek-R1 model underscored China's ability to overcome significant economic barriers and technological restrictions, and almost certainly caught China’s political leadership by surprise – along with Western chip companies.

While the Chinese government retains ultimate control of the most strategically significant AI policy decisions, it is an oversimplification to describe this model as entirely centrally controlled. Regional authorities also play significant roles, leading to a decentralised landscape featuring multiple hubs and intense private sector competition, which gives rise to new competitors such as DeepSeek. In the coming years, the Chinese government will almost certainly increase its influence over AI development through closer collaboration with industry and academia. This will include shaping regulation, developing technical standards and providing preferential access to funding and resources.

China's AI regulatory model has evolved incrementally, but evidence suggests the country is moving towards more coherent AI legislation. AI governance responsibilities in China remain dispersed across multiple organisations. However, since February 2025, the China AI Safety and Development Association (CnAISDA) has become what China describes as its counterpart to the AI Security Institute. This organisation consolidates several existing institutions but does not appear to carry out independent AI testing and evaluation.

The Chinese government has integrated wider political and social priorities into AI governance frameworks, emphasising what it describes as “controllable AI” – a concept interpreted uniquely within the Chinese context. These broader priorities directly shape China’s technical and regulatory approaches to AI security. Compared to international competitors, China’s AI security policy places particular emphasis on the early stages of AI model development through stringent controls on pre-training data and onerous registration requirements. Close data sharing between the Chinese government and domestic AI champions, such as Alibaba’s City Brain, facilitates rapid innovation but would almost certainly encounter privacy and surveillance concerns if attempted elsewhere.

The geographical distribution of China's AI ecosystem reveals the strategic clustering of resources, talent and institutions. Cities such as Beijing, Hangzhou and Shenzhen have developed unique ecosystems that attract significant investments and foster innovation through supportive local policies, including subsidies, incentives and strategic infrastructure development. This regional specialisation emerged from long-standing Chinese industrial policy rather than short-term incentives.

China has achieved significant improvements in domestic AI education. It is further strengthening its domestic AI talent pool as top-tier AI researchers increasingly choose to remain in or return to China, due to increasingly attractive career opportunities within China and escalating geopolitical tensions between China and the US. Chinese institutions have significantly expanded domestic talent pools, particularly through highly selective undergraduate and postgraduate programmes. These efforts have substantially reduced dependence on international expertise, although many key executives and researchers continue to benefit from an international education.

Senior scientists hold considerable influence over China’s AI policymaking process, frequently serving on government advisory panels. This stands in contrast to the US, where corporate tech executives tend to have greater influence over AI policy decisions.

Government support provides substantial benefits to China-based tech companies. China’s government actively steers AI development, while the US lets the private sector lead (with the government in a supporting role) and the EU emphasises regulating outcomes and funding research for the public good. This means that China’s AI ventures often have easier access to capital and support for riskier projects, while a tightly controlled information environment mitigates against reputational risk.

US export controls have had a limited impact on China’s AI development. Although export controls have achieved some intended effects, they have also inadvertently stimulated innovation within certain sectors, forcing companies to do more with less and resulting in more efficient models that may even outperform their Western counterparts. Chinese AI companies such as SenseTime and DeepSeek continue to thrive despite their limited access to advanced US semiconductors.

cetas.turing.ac.uk UK EN 2025 China AI Research Report China-based Adarga ecosystem
Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign https://www.ukfinance.org.uk/news-and-insight/press-release/police-warn-sms-scams-following-prison-sentence-criminal-who
05/07/2025 11:30:24

A criminal has been sentenced at Inner London Crown Court to over a year in prison for operating an SMS Blaster to conduct a mass smishing campaign against victims with the intent to harvest their personal details to be used in fraud.

The sentencing follows an investigation and arrest by the Dedicated Card and Payment Crime Unit (DCPCU), a specialist banking industry sponsored police unit.

The conviction was achieved thanks to the officers from the DCPCU working with mobile network operators including BT, Virgin Media O2, VodafoneThree and Sky as well as the National Cyber Security Centre and Ofcom.

Between 22 and 27 March 2025, Ruichen Xiong, a student from China, had installed an SMS Blaster in his vehicle to commit smishing fraud, targeting tens of thousands of potential victims.

Xiong drove around the Greater London area in a Black Honda CR-V. This vehicle was used to hold and transport an SMS Blaster around in the boot.

An SMS Blaster allows offenders to send fraudulent text messages to phones within the vicinity of the equipment and acts as an illegitimate phone mast to send messages. The blaster will draw mobile devices away from legitimate networks by appearing to have a stronger signal. By doing so, the criminal is then able to send a text message to the victim's phone.

The equipment was programmed to send out SMS messages to victims within a nearby radius of the blaster, designed to look like trustworthy messages from genuine organisations, such as government bodies, where the victim was encouraged to click a link. The link would subsequently take them to a malicious site that was designed to harvest their personal details.

ukfinance EN 2025 UK SMS-Blaster DCPCU SMS
A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now https://www.wired.com/story/scattered-spider-most-imminent-threat/
04/07/2025 08:39:10

The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.

Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.

A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.

Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.
“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”

Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines WestJet and Hawaiian Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.

wired EN 2025 Cybercriminals Scattered-Spider UK US
Dozens of pro-Indy accounts go dark after Israeli strikes https://ukdefencejournal.org.uk/dozens-of-pro-indy-accounts-go-dark-after-israeli-strikes/
30/06/2025 12:08:20

On 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent. Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.”
Their sudden disappearance coincided with a major Israeli airstrike campaign against Iranian military and cyber infrastructure. Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity.
What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation.

ukdefencejournal EN 2025 Iran Uk X influence operation twitter accounts Scotland
UK watchdog fines 23andMe over 2023 data breach https://techcrunch.com/2025/06/17/uk-watchdog-fines-23andme-over-2023-data-breach/
23/06/2025 09:38:42

The ICO said over 150,000 U.K. residents had data stolen in the breach.

The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach.

The Information Commissioner’s Office (ICO) said on Tuesday it has fined the genetic testing company as it “did not have additional verification steps for users to access and download their raw genetic data” at the time of its cyberattack.

In 2023, hackers stole private data on more than 6.9 million users over a months-long campaign by accessing thousands of accounts using stolen credentials. 23andMe did not require its users to use multi-factor authentication, which the ICO said broke U.K. data protection law.

The ICO said over 155,000 U.K. residents had their data stolen in the breach.

In response to the fine, 23andMe told TechCrunch that it had rolled out mandatory multi-factor authentication for all accounts.

The ICO said it is in contact with 23andMe’s trustee following the company’s filing for bankruptcy protection. A hearing on 23andMe’s sale is expected later on Wednesday.

techcrunch EN 2025 UK ICO 23andMe data-breach fine
UK to deliver pioneering battlefield system and bolster cyber warfare capabilities under Strategic Defence Review https://www.gov.uk/government/news/uk-to-deliver-pioneering-battlefield-system-and-bolster-cyber-warfare-capabilities-under-strategic-defence-review
30/05/2025 11:05:43

Defence Secretary announces new Cyber and Electromagnetic Command and £1 billion investment in pioneering battlefield system.

More than £1 billion to be invested in pioneering ‘Digital Targeting Web’ to spearhead battlefield engagements, applying lessons learnt from Ukraine to the UK Armed Forces.
New Cyber and Electromagnetic Command will oversee cyber operations for Defence as careers pathway accelerated.
Innovation delivers on the Government’s Plan for Change by bolstering national security and creating skilled jobs.

Pinpointing and eliminating enemy targets will take place faster than ever before, as the Government invests more than £1 billion to equip the UK Armed Forces with a pioneering battlefield system.

A new Cyber and Electromagnetic Command will also be established to put the UK at the forefront of cyber operations as part of the Strategic Defence Review (SDR). The announcements were made by Defence Secretary, John Healey MP on a visit to MOD Corsham, the UK military’s cyber HQ.

The Ministry of Defence will develop a new Digital Targeting Web to better connect Armed Forces weapons systems and allow battlefield decisions for targeting enemy threats to be made and executed faster.

This pioneering digital capability will give the UK a decisive advantage through greater integration across domains, new AI and software, and better communication between our Armed Forces. As an example, a threat could be identified by a sensor on a ship or in space before being disabled by an F-35 aircraft, drone, or offensive cyber operation.

This follows the Prime Minister’s historic commitment to increase defence spending to 2.5% of GDP, recognising the critical importance of military readiness in an era of heightened global uncertainty.

Delivering this new Digital Targeting Web is central to UK efforts to learn lessons directly from the front line in Ukraine. When the Ukrainians achieved a step-change in lethality early in the war – by being able to find the enemy, target them and attack quickly and at scale - it allowed them to stop the encircling Russian advance.

The Ministry of Defence will establish a Cyber and Electromagnetic Command. It will sit under General Sir James Hockenhull’s Command and follows the MOD having to protect UK military networks against more than 90,000 ‘sub-threshold’ attacks in the last two years. The Command will lead defensive cyber operations and coordinate offensive cyber capabilities with the National Cyber Force.

The new Command will also harness all the Armed Forces’ expertise in electromagnetic warfare, helping them to seize and hold the initiative in a high-tempo race for military advantage - for example, through degrading command and control, jamming signals to drones or missiles and intercepting an adversary’s communications.

gov.uk EN 2025 announce UK battlefield Cyberwarfare Command Cyber-and-Eletromagnetic-Command
Legal Aid hack: Names, financial details and criminal histories compromised in cyberattack, Ministry of Justice says https://www.independent.co.uk/news/uk/home-news/ministry-of-justice-cyber-attack-data-legal-aid-b2753560.html
20/05/2025 20:48:48

The cyberattackers claimed 2.1m pieces of customer data had been stolen from the Legal Aid Agency

Millions of pieces of personal data, including criminal records, have been stolen from legal aid applicants in a massive cyberattack.

The data, including national insurance numbers, employment status and financial data, was breached earlier this year, according to the Ministry of Justice (MoJ).

The cyberattackers claimed they had stolen 2.1 million pieces of data from people who had applied for legal aid since 2010 but the MoJ only said a “significant amount of personal data” had been breached.

An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency (LAA) systems have been known for many years.

“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government,” the source said.

independent.co.uk UK EN 2025 Data-Breach Legal-Aid-Agency LAA
Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations?hl=en
14/05/2025 11:32:02

UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a broader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media.

Google Threat Intelligence Group (GTIG) observed a decline in UNC3944 activity after 2024 law enforcement actions against individuals allegedly associated with the group. Threat actors will often temporarily halt or significantly curtail operations after an arrest, possibly to reduce law enforcement attention, rebuild capabilities and/or partnerships, or shift to new tooling to evade detection. UNC3944’s existing ties to a broader community of threat actors could potentially help them recover from law enforcement actions more quickly.

Recent public reporting has suggested that threat actors used tactics consistent with Scattered Spider to target a UK retail organization and deploy DragonForce ransomware. Subsequent reporting by BBC News indicates that actors associated with DragonForce claimed responsibility for attempted attacks at multiple UK retailers. Notably, the operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service (RaaS) that seemingly ceased operations in March of this year. UNC3944 was a RansomHub affiliate in 2024, after the ALPHV (aka Blackcat) RaaS shut down. While GTIG has not independently confirmed the involvement of UNC3944 or the DragonForce RaaS, over the past few years, retail organizations have been increasingly posted on tracked data leak sites (DLS) used by extortion actors to pressure victims and/or leak stolen victim data. Retail organizations accounted for 11 percent of DLS victims in 2025 thus far, up from about 8.5 percent in 2024 and 6 percent in 2022 and 2023. It is plausible that threat actors including UNC3944 view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data. Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.

Mandiant EN 2025 ScatteredSpider UK Defending UNC3944 Guidance
Marks & Spencer confirms customers' personal data was stolen in hack | TechCrunch https://techcrunch.com/2025/05/13/marks-spencer-confirms-customers-personal-data-was-stolen-in-hack/
13/05/2025 14:38:30

U.K. retail giant Marks & Spencer has confirmed hackers stole its customers’ personal information during a cyberattack last month.

In a brief statement with London’s stock exchange on Tuesday, the retailer said an unspecified amount of customer information was taken in the data breach. The BBC, which first reported the company’s filing, cited a Marks & Spencer online letter as saying that the stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information and online order histories.

The company also said it was resetting the online account passwords of its customers.

Marks & Spencer continues to experience disruption and outages across its stores, with some grocery shelves remaining empty after the hack affected the company’s operations. The company’s online ordering system for customers also remains offline.

It’s not clear how many individuals’ data was stolen during the hack. When reached by TechCrunch, Marks & Spencer spokesperson Alicia Sanctuary would not say how many individuals are affected and referred TechCrunch to its online statement. Marks & Spencer had 9.4 million online customers as of 30 March 2024, per its most recent annual report.

techcrunch EN 2025 UK Marks&Spencer statement customer information data-leak
UK pioneering global move away from passwords https://www.ncsc.gov.uk/news/government-adopt-passkey-technology-digital-services
10/05/2025 22:47:01

Government to roll out passkey technology across digital services as an alternative to SMS-based verification.

Government set to roll out passkey technology across digital services later this year.
SMS-based verification to be replaced by more secure, cost-effective solution.
NCSC joins FIDO Alliance to shape international passkey standards.

The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.

Announced on the first day of the government’s flagship cyber security event, CYBERUK, the move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security.

Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input.

This method is more secure because the key remains stored on the device and cannot be easily intercepted or stolen, making them phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey.

The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale, and the UK is already leading internationally with the NHS becoming one of the first government organisations in the world to offer passkeys to users.

In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password, and SMS code.

ncsc.gov.uk EN 2025 CYBERUK passwords passkey NCSC UK digital-keys
NCSC statement: Incident impacting retailers https://www.ncsc.gov.uk/news/retailers-incident
04/05/2025 13:06:21

Following news of cyber incidents impacting UK retailers, the NCSC can confirm it is working with organisations affected.

NCSC CEO Dr Richard Horne said:

“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.

“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”

ncsc.gov.uk EN 2025 UK cyberattacks NCSC incidents retailers wake-up call
DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-street-retailers-walking-in-the-front-door-52ed8ba68534
04/05/2025 00:44:20

The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening.

The attacks on Marks and Spencer, Co-op and Harrods are linked. DragonForce’s lovely PR team claim more are to come.

Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it’s a repeat of the 2022–2023 activity which saw breaches at Nvidia, Samsung, Rockstar and Microsoft amongst many others. More info below.

I am not saying it is Scattered Spider; Scattered Spider has become a dumping ground for e-crime groups anyway. The point is they — the threat actor — are entering using the front door, via the helpdesk to get MFA access — those are very good guides from defenders about what to do, links below.

DragonForce is a white label cartel operation housing anybody who wants to do e-crime. Some of them are pretty good at e-crime.

While organisations are away at RSA thinking about quantum AI cyber mega threats — the harsh reality is most organisations do not have the foundations in place to be worrying about those kinds of things. Generative AI is porn for execs and growth investment — threat actors are very aware that now is the time to launch attacks, not with GenAI, but foundational issues. Because nobody is paying attention.

Once they get access, they are living off the land — using Teams, Office search to find documentation, the works. Forget APTs, now you have the real threat: Advanced Persistent Teenagers, who have realised the way to evade most large cyber programmes is to cosplay as employees. Last time this happened, the MET Police ended up arresting a few under-18 UK nationals causing incidents to largely drop off.

doublepulsar EN 2025 UK DragonForce Ransomware Cartel attacks
Some M&S stores left with empty shelves after cyber attack https://www.bbc.co.uk/news/articles/cy489zelvx2o
29/04/2025 14:05:28

Some Marks & Spencer (M&S) stores have been left with empty food shelves as the retailer continues to struggle with a cyber attack affecting its operations.

Online orders have been paused on the company's website and app since Friday, following problems with contactless pay and Click & collect over the Easter weekend.

The BBC understands food availability should be back to normal by the end of the week.

Meanwhile, security experts say a cyber crime group calling itself DragonForce is behind the mayhem.

bbc EN UK 2025 Marks&Spencer M&S Cyberattack food availability DragonForce
British firms urged to hold video or in-person interviews amid North Korea job scam | Technology | The Guardian https://www.theguardian.com/technology/2025/apr/20/british-firms-urged-to-hold-video-or-in-person-interviews-amid-north-korea-job-scam
27/04/2025 11:58:46

Google intelligence report finds UK is a particular target of IT worker ploy that sends wages to Kim Jong Un’s state

British companies are being urged to carry out job interviews for IT workers on video or in person to head off the threat of giving jobs to fake North Korean employees.

The warning was made after analysts said that the UK had become a prime target for hoax IT workers deployed by the Democratic People’s Republic of Korea. They are typically hired to work remotely, enabling them to escape detection and send their wages to Kim Jong-un’s state.

Google said in a report this month that a case uncovered last year involved a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defence industry and government sectors. Under a new tactic, the bogus IT professionals have been threatening to release sensitive company data after being fired.

theguardian EN 2025 scam North-Korea jobs warning UK Google in-person interviews
M&S stops online orders and issues refunds after cyber attack https://www.bbc.com/news/articles/cdxnkg7rln2o
27/04/2025 11:46:43

The firm has stopped taking orders on its website and apps, including for food and clothes.

Marks & Spencer (M&S) says it has stopped taking online orders as the company struggles to recover from a cyber attack.

Customers began reporting problems last weekend, and on Tuesday the retailer confirmed it was facing a "cyber incident".

Now, M&S has entirely paused orders on its website and apps - including for food deliveries and clothes - and says it will refund orders placed by customers on Friday.

The firm's shares fell by 5% following the announcement, before recovering.

Online orders remained paused on Saturday morning.

"We are truly sorry for this inconvenience," the retailer wrote in a post on X.

"Our experienced team - supported by leading cyber experts - is working extremely hard to restart online and app shopping.

"We are incredibly grateful to our customers, colleagues and partners for their understanding and support."

bbc EN 2025 Marks&Spencer M&S orders cyberincident disruptions stores UK