
Nation state attacks: The risk to UK firms

The UK is at risk from nation state adversaries. That’s according to the UK National Cyber Security Centre’s CEO Richard Horne, who recently issued a warning saying that nation states, principally China, Iran, and Russia, now drive the majority of significant cyber incidents targeting the UK.

The types of attacks performed by nation state aggressors vary, but many of these are driven by disruption and espionage, rather than financial gain. This means there is no fallback option of paying the ransom, making it important that firms have the tools in place to prevent and mitigate attacks before damage occurs.

The Risk From CRINK 

Five key nation state attackers are known to be actively targeting the West: China, Russia, Iran and North Korea (CRINK). Experts say it is interesting, therefore, that North Korea is missing from Horne’s warning.

Yet it doesn’t mean the country has faded from the threat landscape, says Katie Barnett, director of cyber security at Toro Solutions. “Rather, its operations tend to be more financially-driven and focused on generating revenue.”

The difference between the likes of China and Russia versus North Korea is intent, agrees Rob Dartnall, CEO and head of intelligence of SecAlliance.

“Where North Korea’s aims lean towards monetisation, predominantly through operations more closely aligned to what you see from criminal actors, the intent from Russia and China is more aligned to traditional intelligence state craft,” he says.

China's posture is “intelligence-led and economic,” according to Ian Thornton-Trump, CISO at Inversion6.

He cites the example of the Volt, Salt, and Flax Typhoon groups. “These have established persistent access inside US and allied critical infrastructure, but the verifiable evidence of actual destructive Chinese operations inside the UK is minimal. Beijing's interest is not to cripple the British economy.”

China holds significant stakes in UK trade, supply chains, technology partnerships, and inbound investment. The objective is “collection and pre-positioning,” rather than damage, says Thornton-Trump.

Crippling Attacker

Thornton-Trump believes Russia is the “genuine crippling actor” and the nation that poses the most threat to UK companies. “The Kremlin now runs a deniable proxy model — petty criminals, taxi drivers and teenagers recruited on Telegram for arson, sabotage, and parcel-bomb plots traced across nine European countries.”

For Russia, grey zone tactics – which include the use of the cyber domain to launch attacks – are “baked into their military doctrine,” says Will Ashford Brown, director of strategic insights at Heligan Group. “Rather than viewing grey zone activities as merely subthreshold or peripheral, Russia treats them as a fundamental extension of its warfighting capability – integral to achieving strategic objectives.”

Meanwhile, Iran is “regional and opportunistic,” Thornton-Trump says. “The Islamic Revolutionary Guard Corps’ (IRGC's) value proposition is chokepoint pressure — the Strait of Hormuz, the energy supply chain, civilian water and utilities. UK exposure is indirect, transmitted through energy markets, shipping insurance premia, and rerouting costs in the Red Sea, not through targeted destruction of British networks. American networks are firmly on the radar.”

The Geopolitical Landscape 

The warnings of nation state activities come at a time when geopolitical tensions across the world are rising sharply. The Russia-Ukraine war continues, while tensions between Iran and Israel and the US are at an all-time high. Kinetic warfare is now converging with cyber-warfare, with nations using multiple tactics to achieve their aims.

“What we are seeing now is, cyber activity is one of the main ways that geopolitics plays out,” says Barnett.

For example, she says, the war in Ukraine has made Russia more aggressive in cyber activity. “Tensions with China have increased concerns around espionage, infrastructure access and long-term strategic positioning,” she adds.

Cyberattacks are an integral part of modern hybrid warfare, but the ongoing conflicts in Europe and the Middle East have fuelled the rise of hacktivist groups with direct or indirect ties to state actors, says Daniel dos Santos, senior director and head of research at Forescout.

Government agencies or state-affiliated adversaries often adopt the branding, tactics and imagery of grassroots hacktivist groups, he says. “These entities operate under the guise of independent hacktivists but are, in reality, directly employed by national governments or state-linked corporations to promote government-aligned narratives and conduct cyber operations.”

Notable examples include the Cyber Army of Russia Reborn (CARR), the CyberAv3ngers in Iran and Predatory Sparrow in Israel, according to dos Santos.

At Risk Firms

All companies are at risk from nation state adversaries. However, certain sectors face a more elevated threat. Almost any organisation can be exposed if it holds useful data, supports critical operations or sits in the supply chain of a bigger target, according to Barnett.

High-risk critical sectors include energy, water, telecoms, transport, healthcare, finance, defence, aerospace and technology, Barnett warns. “Cloud providers, managed service providers, software vendors and IT suppliers are especially attractive because they can provide access to many customers.”

Law firms, consultancies, recruitment firms, universities, research bodies, media organisations and charities are also being targeted.

There is also a growing trend of targeting individuals, including executives and journalists, through phishing and account takeover campaigns, which are often used for intelligence gathering, she adds.

Security Boost

The threat from nation states is significant, but experts believe it’s possible to thwart many of these attacks by ensuring the security basics are in place.

As Horne alluded to in his speech, there is a need for cultural change to ensure cyber security is embedded in an organisation's mission and priorities, says Ashford Brown.

Horne also advises AI adoption to match adversary velocity. But experts point out that AI is only useful if firms have the basics in place to support it – as well as governance to control the technology’s use within the business.

With the growing threat from sophisticated state actors and the emergence of AI-assisted attacks, organisations need to invest in “foundational security measures,” such as network visibility for every connected asset, risk assessment and network segmentation, says dos Santos.

But it is also important to be aware that nation state attacks are often highly sophisticated. Therefore, it may not be possible to prevent all attacks.

With this in mind, aligning defences to likely techniques from most likely adversaries is also “an appropriate response,” says Dartnall.

He advises asking: “If you have identified that you could be targeted by a particular nation state, who are the most likely actors? And what were the techniques used in their most recent attacks? Do you have the controls in place to prevent or detect these techniques? If you have identified that an availability based attack is possible, have your response and recovery tools and processes been fully and regularly exercised?”

Kate O'Flaherty
Kate O'Flaherty Cybersecurity and privacy journalist
