Cyber threats facing the UK’s public sector have risen in recent years, partly due to the government’s continued support for both Israel and Ukraine.

The UK’s political influence and involvement in international affairs gives nation-state attackers the motivation to use offensive cyber operations to access sensitive government data, disrupt diplomatic relations and undermine British democratic institutions.

Strategic Threat Intelligence Consultant Craig Watt provides insights into the cyber threats impacting the UK’s local authorities and central government organisations.

Our Global Cyber Risk Outlook Report 2025 highlights that public sector assets, particularly central and regional government networks, continue to be the most frequently targeted compared to all other industry sectors. Last year alone saw approximately 2,550 cyber-attacks against government systems, a 91% increase from the 1,332 reported in 2023. With this trend, it is critical that public sector organisations in the UK implement the security measures necessary to defend against these cyber threats.

To learn how to strengthen UK public sector networks against all kinds of cyber threats, Quorum Cyber is offering a free two-hour Incident Readiness Workshop to local authorities throughout February and March, with no commitment required.

Organised crime groups capitalising for financial gain

Ransomware

Medusa ransomware

It’s no exaggeration to state that every organisation in the UK public sector is facing the threat posed by financially motivated ransomware groups who see the highly sensitive data they store as a way of making money.

For example, the Medusa ransomware group, which is likely operated by Russian cybercriminals, recently attacked Gateshead Council. Medusa targets Windows systems. For initial access the group exploits unpatched vulnerabilities in internet-facing software (Citrix, Fortinet and Google Chrome products are among those cited), hijacks legitimate accounts, and buys access from Initial Access Brokers (IABs). The ransomware operates a double-extortion model: it encrypts victims’ files and also threatens to publish stolen data on its dark web leak site, known as the ‘Medusa Blog’.

Medusa ransomware advertises the sale of data belonging to Gateshead Council on 14th January 2025 (Source: Medusa Blog)

Ransomware incidents in the UK public sector will almost certainly involve the exfiltration and encryption of large quantities of sensitive data from compromised systems before the threat actor issues its ransom demand. In some cases the stolen data is then published or sold on dark web forums, where other actors can buy it to gain initial access in future attacks, so it is vital to get a step ahead of this threat.

Stealware

Stealware (infostealer malware) is also a payload of choice for cybercrime operations against the public sector because the credentials it captures can be sold and later used for further compromise. The stealware space has recently been dominated by the Lumma variant, which targets users of the Mozilla Firefox and Google Chrome browsers, stealing credentials and session data for sale on dark web forums. Stolen session cookies are particularly valuable because replaying them can let an attacker bypass multi-factor authentication on the victim’s accounts. Lumma is also sold as malware-as-a-service (MaaS), making it an easy and cost-effective option for threat actors who want its capabilities.

Hacktivist disruption

NoName057(16)

The pro-Russian hacktivist group known as ‘NoName057(16)’ has been highly active since the Russian invasion of Ukraine in February 2022. NoName057(16) has developed a toolset known as ‘Project DDoSia’, which has enabled it to launch multiple large-scale distributed denial-of-service (DDoS) campaigns against UK local council websites in protest at continued UK support for Ukraine and the UK’s NATO defence spending commitments.

These DDoS attacks flood target websites with network traffic, taking them offline for up to a few hours at a time. The group has also extended Project DDoSia to distribute software for standing up Command-and-Control (C2) servers, which could enable data extraction from UK public sector organisations.

In addition to DDoS attacks, NoName057(16) is capable of web defacement, replacing target website content with pro-Russian propaganda, which carries the potential to damage the reputation of public sector organisations.

NoName057(16) showcases DDoS attack against Dover District Council on 18th January 2025 (Source: Telegram)

Russia retaliating against the UK as a key NATO member state

Based on historical targeting, state-sponsored activity poses a severe risk to the UK public sector. Star Blizzard, a threat group that likely provides a counterintelligence function on behalf of Russian Federal Security Service (FSB) Centre 18, has demonstrated both intent and capability to compromise UK public sector data. Previous attacks have included:

  • Leaking trade documents between the UK and the US ahead of the 2019 UK general election
  • Releasing data to exacerbate Brexit-related divisions in the UK political space dating back to 2022.

Additionally, Star Blizzard espionage against the UK government sector will likely intensify as the group seeks insight into Downing Street’s spending plans, with the Labour government pledging to set a deadline this spring for meeting the NATO guideline of 2.5% of GDP on defence. Such attacks have already been reported: The Times disclosed that the group attempted to compromise the personal email account of the British prime minister, Sir Keir Starmer, before he entered office.

Any Star Blizzard attacks against UK public sector networks will likely involve the delivery of custom spear-phishing emails. Links in these emails direct victims to server infrastructure hosted by the threat actor and designed to harvest cloud email credentials, giving the group access to sensitive data.

Chinese threat actors seeking to gauge the dynamics of UK politics

UK parliamentarians are members of the Inter-Parliamentary Alliance on China (IPAC), a cross-party international coalition of legislators that has been critical of the policies of the Chinese Communist Party (CCP). In response, UK government officials will likely continue to be targeted with spear-phishing by Chinese state-sponsored groups such as Violet Typhoon. The group’s attacks against the UK public sector were brought to light in March 2024, when the then UK deputy prime minister Oliver Dowden disclosed a wave of cyber interference by Violet Typhoon targeting senior MPs who are sceptical of the Chinese government.

Violet Typhoon’s cyber espionage campaigns involve scanning for internet-exposed web infrastructure, such as web servers, and exploiting vulnerabilities in it to install web shells. The group also uses spear-phishing emails as an initial access vector; these often contain links that redirect victims to credential-harvesting sign-in pages.
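A web shell dropped on an exploited web server is a file the attacker can reach over HTTP that turns request parameters into code or OS commands. The following added example (not Quorum Cyber’s code, and the patterns are generic heuristics rather than Violet Typhoon indicators) scans a web root for files whose content combines attacker-controlled input with code evaluation or command execution, which is the common shape of PHP and ASPX shells. The sample site it builds in a temporary directory is constructed for illustration; the weights and the threshold are assumptions to tune against your own content.

```python
"""Heuristic web shell scan over a web root.

Added example, not the page's or any vendor's code. Indicator weights,
threshold and the sample files are assumptions made for illustration.
"""
import os
import re
import tempfile

WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}

# (pattern, weight, description). Each counts at most once per file.
INDICATORS = [
    (re.compile(r"\beval\s*\(", re.I), 3, "dynamic code evaluation"),
    (re.compile(r"\b(system|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 3,
     "OS command execution"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), 2, "base64 decoding of payload"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I), 1,
     "attacker-controlled input (PHP)"),
    (re.compile(r"Process\.Start\s*\(|cmd\.exe|/bin/sh", re.I), 3, "process spawn"),
    (re.compile(r"\bRequest\s*(\[|\.(Form|QueryString|Item))", re.I), 1,
     "attacker-controlled input (ASP.NET)"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2, "long base64 blob"),
]


def score_content(text):
    """Sum the weights of the indicators present; return (score, reasons)."""
    score, reasons = 0, []
    for pattern, weight, desc in INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(desc)
    return score, reasons


def scan_dir(root, threshold=4):
    """Walk root and report script files scoring at or above threshold."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                score, reasons = score_content(fh.read())
            if score >= threshold:
                hits.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "score": score,
                    "reasons": reasons,
                })
    return sorted(hits, key=lambda h: -h["score"])


# Constructed sample web root: two benign pages, two shells, one asset.
SAMPLE_FILES = {
    "index.php": "<?php echo 'Council services portal'; ?>\n",
    "search.php": "<?php echo htmlspecialchars($_GET['q']); ?>\n",
    "uploads/img.php": "<?php eval(base64_decode($_POST['p'])); ?>\n",
    "bin/cmd.aspx": ('<%@ Page Language="C#" %>'
                     '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>\n'),
    "logo.png": "not a script, never scanned\n",
}


def build_sample_site(root):
    """Write the constructed files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample site in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_dir(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit["score"], hit["path"], ", ".join(hit["reasons"]))
```

Note that `search.php` uses `$_GET` but scores only 1, so it stays below the threshold: the scan keys on the combination of untrusted input with evaluation or command execution, not on either alone. In a real deployment, pair this with file-integrity monitoring of the web root so that newly created or modified script files are reviewed first.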

How public sector authorities can protect themselves from cyber risks

With the complexity of these cyber threats ever increasing, it is critical that public sector organisations in the UK implement and maintain the security measures necessary to defend their data. To assist with this effort, our Incident Response team is offering a free two-hour Incident Readiness Workshop to local authorities throughout February and March, with no commitment required.

The workshop will include:

  • Evaluation of your existing incident response plans
  • A detailed walk-through of a real-life cyber incident
  • Assessment of your organisation’s capability to respond to incidents
  • Tailored recommendations to meet your specific needs aligned to the Cyber Assessment Framework.

Don’t miss this opportunity to enhance your cyber defence strategies. Sign up for the free Public Sector Incident Readiness Workshop today or request some time to speak with our expert Threat Intelligence team.
