Real-world impact as cyber-attacks escalate

As 2022 beckons and the safety of all is increasingly put to the test, the National Cyber Security Centre lays bare, in a Computing Security special report, the spiralling threats we all face and how it is seeking to neutralise them

The cyber threat to the UK and its allies continued to grow and evolve throughout 2021: from indiscriminate phishing scams against mass victims, to ransomware attacks against public and private organisations, to targeted hostile acts against critical national infrastructure and government.

In its annual report, the National Cyber Security Centre (NCSC), part of GCHQ, has been revealing how vulnerable we have all become to attacks and the work that is being carried out to try to keep organisations and individuals safe from the fallout.

While the threats came from a range of actors using an array of methods, they had one thing in common: they led to real-world impact. "Life savings were stolen, critical and sensitive data was compromised, healthcare and public services were disrupted, and food and energy supplies were affected."

In the past 12 months, the NCSC was engaged, in partnership with law enforcement, to monitor, counter and mitigate the threat, whether committed by sophisticated state actors, organised criminal groups or low-level offenders. "Covid-19 continued to shape the cyber security landscape.

HOSTILE STATES
Cyber criminals continued to exploit the pandemic as an opportunity, while hostile states shifted their cyber operations to steal vaccine and medical research, and to undermine other nations already hampered by the crisis. The pandemic has also brought about an acceleration in digitisation, with businesses and local government increasingly moving services online and essential services relying ever more on cloud IT provision.

"This has broadened the surface area for attacks and has often made cyber security more challenging for organisations. In response the NCSC built on the experiences of last year in protecting sectors responding to the pandemic, including the NHS (across all four nations), medical research, vaccine manufacturers and distributors, encouraging them to take up the services available to respond to threats to their security."

The compromise of software company SolarWinds and the exploitation of Microsoft Exchange Servers highlighted the threat from supply chain attacks. These sophisticated attacks, which saw actors target less-secure elements - such as managed service providers or commercial software platforms - in the supply chain of economic, government and national security institutions were two of the most serious cyber intrusions ever observed by the NCSC.

"In March 2021, Microsoft announced that four zero-day vulnerabilities in Microsoft Exchange Servers were being actively exploited with at least 30,000 organisations reportedly compromised in the US alone, affecting many more worldwide. In July, the NCSC assessed this attack was highly likely to have been initiated and exploited by a Chinese state-backed threat actor, with the objective of enabling large-scale espionage, including the acquisition of personal data and intellectual property."

The SolarWinds attack enabled the onward compromises of multiple US government departments, and the British cloud and email security firm Mimecast, among other victims. In April the NCSC assessed that Russia's Foreign Intelligence Service (SVR) was highly likely to have been responsible for the attack.

DOUBLE EXTORTION
Ransomware became the most significant cyber threat facing the UK this year, adds the NCSC. "Due to the likely impact of a successful attack on essential services or critical national infrastructure, it was assessed as potentially as harmful as state-sponsored espionage. In 2020, the NCSC observed the evolving model of criminals exfiltrating data before encrypting victim networks; data which they then threatened to leak, unless the ransom was paid [known as double extortion]."

Ransomware gained increased public attention following attacks on Colonial Pipeline in the US, which supplied fuel to the East Coast, and against the Health Service Executive in Ireland. In the UK, there was an increase in the scale and severity of ransomware attacks. "Hackney Borough Council suffered significant disruption to services - leading to IT systems being down for months and property purchases within the borough delayed. Attacks this year were across the economy, targeting businesses, charities, the legal profession and public services in the education, local government and health sectors."

Among other ransomware incidents investigated was a major attack on the American software firm Kaseya. In July, the NCSC helped to identify and support British victims after the Florida-based company was infiltrated by a hacking group, which seized troves of data and demanded $70m (£51.5m) in cryptocurrency for its return.

GLOBAL THREAT ACTORS
The NCSC welcomed international efforts in tackling ransomware when it was discussed at the G7 meeting of world leaders in Cornwall, underlining the need for co-ordinated multilateral attention. The NCSC reports that it continued its work with global partners to detect and disrupt shared threats, the most consistent of these emanating from Russia and China. In addition to the direct cyber security threats posed by the Russian state, it became clear that many of the organised crime gangs launching ransomware attacks against western targets were based in Russia.


"The NCSC's Early Warning service provides organisations with specialised alerts about potential cyber threats affecting their networks. Says Eleanor Fairford, NCSC's deputy director for Incident Management: 'This will help them resolve security issues quickly and reduce the risk of serious harm being done.'"

China remained a highly sophisticated actor in cyberspace with increasing ambition to project its influence beyond its borders and a proven interest in the UK's commercial secrets. How China evolves in the next decade will probably be the single biggest driver of the UK's future cyber security. While less sophisticated than Russia and China, Iran and North Korea continued to use digital intrusions to achieve their objectives, including through theft and sabotage.

Lindy Cameron, NCSC's CEO, says that she is all too aware of the task that lies ahead. "We will work with the FCDO [Foreign, Commonwealth & Development Office] to put cyber power at the heart of the UK's foreign policy agenda, strengthening our collective security, ensuring our international commercial competitive advantage, and shaping the debate on the future of cyberspace and the internet.

"We will need to reinforce our core alliances and lead a compelling campaign aimed at middle-ground countries to build stronger coalitions for deterrence and counter the spread of digital authoritarianism. This will involve better connecting our overseas influence to our domestic strengths, leveraging our operational and strategic communications expertise, thought leadership, trading relationships and industrial partnerships as a force for good."

And she also states: "Over the last 12 months, the NCSC has played a key role in managing significant events and taken action to make the UK a safer place to live and work online. A particular highlight has been the work that the NCSC did to support the Covid-19 vaccine roll out.

"The NCSC dealt with 777 incidents - an increase on last year - of which 20% were linked to the health sector and vaccines. One of the trends that the NCSC has seen over the last year was a worrying growth in criminal groups using ransomware to extort organisations. In my view, it is now the most immediate cyber security threat to UK businesses and one that I think should be higher on the boardroom agenda."

RECORD YEAR FOR INCIDENTS
An international supply-chain data breach emanating from a compromise of SolarWinds was one of the most significant incidents that the NCSC dealt with over the last year.

"This attack involved one of the world's most popular IT system management platforms being breached by the Russian Foreign Intelligence Service and is an important reminder of the need for organisations to be resilient, if one of their suppliers is affected." It was a record year for incidents dealt with by the NCSC. The team managed 777 incidents, another increase on the previous record, breaking the 723 total from 2020. NCSC supported the NHS during eight 'high severity alerts' from April 2020 to March 2021.

This year's total means that, since the NCSC commenced operations in 2016, the organisation has co-ordinated the UK's response to a total of 3,305 incidents (annual totals of 590, 557, 658, 723 and 777). Several incidents came onto the NCSC's radar proactively, through the expert work of its threat operations and assessments teams.

Many others were raised by victims of malicious cyber activity. While the NCSC has world-leading capabilities in identifying, confronting and responding to cyber threats and deterring those responsible for them, it is just as important to improve defences to stop attacks getting through in the first place and, when they do, that organisations are better able to recover and limit the impact. In the last Annual Review, the NCSC set out how the ransomware model had shifted from simply withholding data to threatening to publish it as well. This year, the model has developed further into what is termed Ransomware as a Service (RaaS), where off-the-shelf malware variants and online credentials are made available to other criminals for a one-off payment or a share of the profits.

As the business model has become ever more successful, with these groups securing significant ransom payments from large businesses that cannot afford to lose their data to encryption or to suffer the downtime while their services are offline, the market for ransomware has become increasingly 'professional'.

The NCSC has observed that some victims have been offered the services (from the attackers) of a 24/7 help centre to quickly pay the ransom and get back online.

'PAY THE RANSOM AND MOVE ON'
Everything is geared to make it as easy as possible simply to pay the ransom and move on. Organised crime groups spend time conducting in-depth reconnaissance on their targeted victims. They will identify exploitable cyber security weaknesses. They will use spoofing and spear phishing to masquerade as employees to get access to the networks they need. They will look for the business-critical files to encrypt and hold hostage. They may identify embarrassing or sensitive material that they can threaten to leak or sell to others. And they may even research to see if a potential victim's insurance covers the payment of ransoms.

This process can be painstaking and lengthy, but it means that, when they are ready to deploy, the effect of ransomware on an unprepared business is brutal. Files are encrypted. Servers go down. Digital phone lines no longer function. Everything comes to a halt and business is stopped in its tracks. But it's not all bad news. There are many services that organisations can use to protect themselves against ransomware or mitigate the impact of an attack. As well as implementing practical cyber security measures and following advice, an important defence against ransomware is to understand the ever-evolving threat picture and to work with others to share information and good practice.

SECURE FORUM
The NCSC's Cyber Security Information Sharing Partnership (CISP) service provides a secure forum where companies and government can collaborate on threat information. CISP, which also gives access to regular sensitive threat reports, is one of many tools available. Indeed, the NCSC provides a range of free cyber security tools and services to eligible organisations as part of the Active Cyber Defence (ACD) programme. These initiatives help organisations to find and fix vulnerabilities, manage incidents or automate disruption of cyber-attacks.

While there are numerous entry points into a system, device or network, the NCSC has observed that threat actors have increasingly been exploiting vulnerabilities in virtual private networks, targeting unpatched software and using phishing emails. The most common attack vectors used by ransomware actors targeting the UK include:

  • RDP: Remote Desktop Protocol is the remote access tool most commonly exploited by ransomware actors. Attackers use exposed or insecurely configured RDP services, together with credentials obtained through phishing, data breaches or credential harvesting, to gain initial access to the victim's environment
  • VPN: Since the shift to remote learning and working at the start of the pandemic, threat actors have been exploiting vulnerabilities in Virtual Private Network appliances to take over remote access
  • Unpatched devices: Attackers target unpatched software and hardware devices to gain access to the victim's network. One example is the set of vulnerabilities in Microsoft Exchange Server that are known to have been used by persistent threat groups.
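The RDP vector above is the one most defenders can detect from logs they already collect. The following is an added example (not NCSC code, and not part of the original report) showing how a detection for it might look: it reads simplified Windows Security logon records, keeps only RemoteInteractive (RDP) logons, and raises an alert when a successful logon comes from a non-internal address or follows a burst of failed logons from the same source. The log lines, the record format, the internal address ranges and the threshold are all constructed for the example; the event IDs 4625/4624 and logon type 10 are the real Windows values.

```python
"""Flag RDP credential attacks in Windows Security logon events.

Added example, not NCSC code. The log lines below are constructed for the
example: one simplified record per line in the form
"<ISO timestamp> <EventID> <LogonType> <SourceIP> <TargetUser>", where
EventID 4625 / 4624 are the real Windows failed / successful logon events
and LogonType 10 (RemoteInteractive) is the value RDP sessions carry.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Ranges this (hypothetical) organisation treats as internal. Documentation
# addresses such as 203.0.113.0/24 are deliberately left out so they behave
# like Internet sources in the sample; in production, list your own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: a password spray against an Internet-facing RDP host
# ending in a successful logon, plus benign internal activity.
SAMPLE_LOG = """\
2021-06-01T02:00:01 4625 10 203.0.113.7 administrator
2021-06-01T02:00:03 4625 10 203.0.113.7 admin
2021-06-01T02:00:05 4625 10 203.0.113.7 backup
2021-06-01T02:00:09 4625 10 203.0.113.7 svc_backup
2021-06-01T02:00:14 4625 10 203.0.113.7 svc_backup
2021-06-01T02:00:20 4625 10 203.0.113.7 svc_backup
2021-06-01T02:04:40 4624 10 203.0.113.7 svc_backup
2021-06-01T09:15:00 4624 10 10.0.0.25 jsmith
2021-06-01T09:20:00 4625 10 10.0.0.25 jsmith
2021-06-01T09:20:30 4624 10 10.0.0.25 jsmith
2021-06-01T10:00:00 4624 3 10.0.0.40 fileserver$
"""


def parse_line(line):
    """Split one simplified event record into typed fields."""
    ts, event_id, logon_type, src, user = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src": src,
        "user": user,
    }


def is_internal(ip):
    """True if the address falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_abuse(lines, threshold=5, window_minutes=10):
    """Return alerts for RDP logons that warrant investigation.

    Two patterns are reported: any successful RDP logon from a non-internal
    address (exposed RDP), and a successful RDP logon preceded by at least
    `threshold` failures from the same source inside `window_minutes`
    (brute force or password spray that eventually worked). Events must be
    supplied in time order.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)  # source IP -> (time, user) of recent 4625s
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons matter here
        recent = failures[ev["src"]]
        while recent and ev["time"] - recent[0][0] > window:
            recent.popleft()  # expire failures that fell outside the window
        if ev["event_id"] == FAILED_LOGON:
            recent.append((ev["time"], ev["user"]))
            continue
        if ev["event_id"] != SUCCESS_LOGON:
            continue
        base = {"src": ev["src"], "user": ev["user"], "time": ev["time"].isoformat()}
        if not is_internal(ev["src"]):
            alerts.append(dict(base, type="external_rdp_logon"))
        if len(recent) >= threshold:
            alerts.append(dict(base, type="bruteforce_then_success",
                               failures=len(recent),
                               distinct_users=len({u for _, u in recent})))
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the spray from 203.0.113.7 produces two alerts (an external RDP logon and a brute force that succeeded on the fourth account tried, `svc_backup`), while the internal user who mistyped a password once produces none. The `distinct_users` count is what separates a spray across many accounts from a single user repeatedly failing; on a real host the records would come from the Security event log rather than a text file, and the first alert type is itself the finding the NCSC's RDP advice is about: RDP should not be reachable from the Internet at all.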

The NCSC released tools and advice designed to help organisations prevent ransomware attacks. These included guidance on mitigating ransomware attacks; a tool called Early Warning Service, designed to help organisations facing cyber attacks on their network; training for school staff, and a range of Active Cyber Defence services including Web Check - a tool that provides website configuration and vulnerability scanning services.

BUILDING RESILIENCE AT SCALE
The Active Cyber Defence (ACD) programme is seen as one of the NCSC's most successful ways to help bring about a real-world, positive impact against threats. "The programme seeks to reduce high-volume cyber attacks, such as malware, ever reaching UK citizens and aims to remove the burden of action from the user." The ACD programme's core services include Mail Check, Web Check, Protective DNS, Exercise in a Box, the Suspicious Email Reporting Service and the Takedown Service.

The last of these, for example, finds malicious sites and sends notifications to the host or owner to get them removed from the internet before significant harm can be done. The NCSC centrally manages the service, so departments automatically benefit without having to sign up. "This year, the UK's share of global phishing has remained consistent at approximately 2%, due to this service."

TAKEDOWN TAKEAWAY
This year the Takedown Service enabled the NCSC to remove a total of 2.3 million cyber-enabled commodity campaigns, including the following:

  • 13,000 phishing campaigns which were disguised as coming from the UK Government
  • 442 phishing campaigns which used NHS branding, compared to 105 in the same period in last year's report
  • 80 instances of NHS apps (unofficial mirrors) hosted and available for download outside of the official Apple and Google app stores.

Looking ahead to what can be expected from the NCSC, in February this year it launched MyNCSC, a new platform as a single point of entry to its key digital services, including Active Cyber Defence. MyNCSC brought together in one place access to tailored advice, services and alerts.

"The new platform, which is due to replace the existing ACD hub, helps users reduce duplication, save time and better understand their security posture across a range of services. MyNCSC users are presented with service data, incident information and guidance to help them be more proactive in improving the security of their organisations."

At the time of publication, the platform was open to eligible users as part of the pilot.