Summary

Richard Horne, Chief Executive of the UK’s National Cyber Security Centre (NCSC), issued a stark warning about the rise in state-sponsored cyberattacks targeting the United Kingdom. Over the past year, attacks attributed to Chinese and Iranian actors have doubled, with government, healthcare, defense, and critical infrastructure among the most affected sectors. The UK government has taken decisive action, including sanctions, new legislation, and collaboration with international allies. Horne emphasized the need for resilience and rapid response as the UK faces this evolving and sophisticated threat landscape.

 

Detailed Report

1. NCSC Chief: China and Iran Driving Majority of UK Cyber Incidents

During the CYBERUK 2026 conference in Glasgow, Richard Horne, Chief Executive of the National Cyber Security Centre, stated that “the majority of the nationally significant incidents that my teams are handling now originate directly or indirectly from nation states.” According to the official NCSC transcript, Horne identified China and Iran as the UK’s principal cyber adversaries, describing China’s cyber operations as displaying “an eye-watering level of sophistication.” He further warned that Iran is “almost certainly using cyber activity to support the repression of British individuals on our streets who are seen as a threat to the regime.” These remarks were widely reported by BBC News and Reuters.

 

2. Doubling of Cyber Incidents Highlights Growing Threat to UK

According to the NCSC’s Annual Review 2025, the UK experienced a dramatic increase in nationally significant cyber incidents, with 204 reported between September 2024 and August 2025, compared to just 89 the previous year. This represents a doubling of incidents and equates to an average of four major incidents per week. The Guardian and The Independent reported that these attacks targeted a wide range of sectors, including government, healthcare, finance, defense, and critical infrastructure. This surge mirrors global trends, as state-sponsored actors increasingly exploit the expanding digital infrastructure of advanced economies. Horne noted that the sophistication and scale of these incidents underscore the urgency of bolstering national cyber defenses.

 

3. China’s Cyber Operations: Sophistication and Scale

The UK government and the NCSC have formally attributed the compromise of the UK Electoral Commission’s systems to APT31, a Chinese state-affiliated group. In March 2024, the Foreign, Commonwealth & Development Office summoned the Chinese Chargé d’Affaires in response to this activity. Additional Chinese groups identified by the NCSC include APT40, Volt Typhoon, Salt Typhoon, and Flax Typhoon. According to joint advisories, Flax Typhoon, operated by Integrity Technology Group, managed a botnet of over 260,000 compromised devices worldwide, including approximately 8,500 in the UK. These groups have targeted government departments, critical infrastructure, and supply chains using advanced techniques such as “living off the land” and large-scale botnets.

 

4. Iranian State-Sponsored Actors and Tactics

Iranian state-sponsored groups, including Charming Kitten (APT35), MuddyWater, and CyberAv3ngers, have been confirmed as active threats to the UK, with clear links to the Islamic Revolutionary Guard Corps. According to the NCSC and reporting by HSToday, these groups have targeted UK government, healthcare, and dissident communities. Their tactics include ransomware, wiper malware, spear-phishing, and attacks on operational technology. The NCSC has documented that Iranian actors are increasingly leveraging cyber operations for both espionage and transnational repression.

 

5. UK Government Policy Responses

The UK government has implemented a multi-layered response to the surge in state-sponsored cyberattacks. In December 2025, the Foreign, Commonwealth & Development Office announced sanctions on Chinese technology companies i-Soon and Integrity Technology Group. In September 2025, sanctions were imposed on Iranian-linked individuals and entities. The National Security Act 2023 introduced new offences related to espionage and foreign interference, while the Foreign Influence Registration Scheme, launched in July 2025, placed Iran on an enhanced tier. In November 2025, new legislation strengthened cyber resilience requirements for operators of critical infrastructure.

Conclusion
Richard Horne’s public statements, supported by official NCSC statistics and government policy actions, provide a clear assessment of the cyber threat posed by China and Iran to the United Kingdom. The UK’s multi-layered response reflects the seriousness of the challenge and the need for continued vigilance and international cooperation.