Flash Briefings

critical Volt Typhoon

NCSC Warns: Volt Typhoon Reconnaissance Extends to Tier 2 UK Government Suppliers

Intelligence confirms Volt Typhoon pre-positioning activity has moved beyond primary CNI operators into the Tier 2 supplier networks that service UK central government and defence. Smaller suppliers with privileged access to government systems are now directly in scope.

high APT28

APT28 Intensifies Targeting of European Government Networks Ahead of 2026 Election Cycle

Russia's GRU-linked APT28 has escalated spear-phishing and credential-harvesting operations against European government ministries, NATO-adjacent bodies, and political parties in the run-up to elections across the continent.

high APT10

APT10 Renews MSP Targeting in UK and Europe — Cloud Hopper Techniques Persist

China's APT10 has resumed systematic targeting of UK managed service providers and professional services firms, using the same supply chain pivot techniques that characterised the Cloud Hopper campaign — now adapted for cloud-managed tenants.

critical APT29

APT29 Exploiting Trusted Vendor Relationships to Reach UK and European Government Networks

Russia's SVR-linked APT29 is using compromised software vendor and IT service provider accounts to pivot into government targets — a continuation of the SolarWinds playbook applied to UK and European supply chains.

high LockBit

LockBit Resurgence: Affiliate Network Active Across UK Healthcare and Professional Services

Despite Operation Cronos and the February 2024 infrastructure seizure, LockBit-affiliated actors continue to operate under the LockBit 3.0 and successor infrastructure. UK healthcare and professional services organisations have been among the most recent confirmed victims.

critical Volt Typhoon

Volt Typhoon Activity Confirmed Across UK Water and Energy OT Networks

NCSC and Five Eyes partners have confirmed Volt Typhoon intrusions at operational technology networks in UK water treatment and regional energy distribution. The group is not causing disruption — it is waiting.

critical

First Confirmed AI-Built Zero-Day: Google Thwarts Mass Exploitation Campaign

A threat actor used a large language model to write a working 2FA bypass exploit for a widely deployed open-source admin tool. Google's threat intelligence team detected the planned mass exploitation campaign before it launched. The code left distinctive LLM fingerprints.

Deep Analysis

high | 18 min read

AI in the Attack Chain: How Threat Actors Are Using Language Models Operationally

AI-assisted exploitation is no longer theoretical. From automated vulnerability research to AI-generated spear-phishing, the adoption of LLMs across the offensive lifecycle is accelerating. This analysis examines what is confirmed, what is emerging, and what it means for defenders.

critical | Volt Typhoon | 18 min read

Volt Typhoon: The Long Game in Western Critical Infrastructure

A deep analysis of Volt Typhoon's objectives, methods, and targets — and what the sustained Chinese pre-positioning campaign in Western CNI means for how operators, regulators, and governments need to respond.

critical | Salt Typhoon | 16 min read

Salt Typhoon: How China Compromised the West's Wiretap Infrastructure

The Salt Typhoon campaign against US and European telecommunications carriers was not a data breach in any conventional sense. It was a strategic intelligence operation targeting the systems governments use to conduct lawful surveillance.

Commentary

9 min read

The Attack Is Coming From Inside the Country: China's Compromised-Device Networks and Why Your Perimeter Controls Miss Them

A joint advisory from CISA, NCSC, and ten allied nations describes how China-linked threat actors have abandoned dedicated attack infrastructure in favour of networks of compromised home routers and IoT devices. The implication for defenders is worse than it sounds.

9 min read

The Public Sector Cyber Gap: Why Government's Security Posture Trails the Threat

The structural factors that make the UK public sector a persistently soft target — fragmented IT estates, procurement cycles that optimise for cost over security, and a talent market that can't compete with private sector pay — are not going away. Here's what the gap looks like and what's actually being done about it.

7 min read

Why Ransomware Groups Don't Die When You Arrest Their Leaders

The ransomware-as-a-service model has created a resilient criminal infrastructure that survives law enforcement actions, FBI seizures, and individual prosecutions. Understanding why is the first step to defending against it.

7 min read

Nation-State Threats: What Business Leaders Get Wrong and Why It Matters

Most executives conflate nation-state cyber activity with the ransomware threat they're more familiar with. They are different in purpose, method, and the defences required. Getting this wrong shapes your entire risk posture.