UK's NCSC Sounds Alarm: Critical National Infrastructure Under Active Threat
The UK's National Cyber Security Centre (NCSC) has issued an urgent alert to operators of critical national infrastructure, warning them to "act now" against what it describes as "severe" cyber threats. The warning comes in the wake of coordinated attacks on Polish energy infrastructure that officials have attributed to Russia's infamous Sandworm APT group—a stark reminder that the next Colonial Pipeline-style attack could be just hours away.
The Wake-Up Call: What Prompted the NCSC Warning
On February 10, 2026, Jonathan Ellison, Director for National Resilience at the NCSC, issued an uncharacteristically direct public warning to operators of critical national infrastructure across the United Kingdom. His message was clear and urgent: the threat is real, it's active, and organizations must act immediately.
"Cyber-attacks disrupting everyday essential services may sound far-fetched, but we know it's not," Ellison wrote in a LinkedIn post that quickly circulated across the cybersecurity community. "Incidents like this speak to the severity of the cyber threat and highlight the necessity of strong cyber defences and resilience. Operators of UK critical national infrastructure must not only take note but, as we have said before, act now."
The immediate trigger for this warning was a sophisticated attack on Poland's energy infrastructure in late December 2025. On December 29 and 30, 2025, threat actors deployed a new wiper malware—which security researchers at ESET have dubbed "DynoWiper"—targeting at least two combined heat and power (CHP) plants and a renewable energy system in Poland.
According to ESET principal threat intelligence researcher Robert Lipovsky, the attack bears all the hallmarks of Sandworm, the notorious Russian military intelligence (GRU) APT group that has been terrorizing critical infrastructure operators for over a decade.
"Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed," Lipovsky explained in a statement.
The timing of the attack was almost certainly deliberate: it occurred on the 10-year anniversary of Sandworm's 2015 attack on the Ukrainian power grid—the first-ever malware-facilitated blackout, which left approximately 230,000 people without electricity for several hours.
Understanding the Threat: What "Severe" Actually Means
When the NCSC uses the word "severe," it isn't engaging in hyperbole. The agency has provided specific definitions of what constitutes a severe cyber threat, and the implications are sobering for any organization responsible for maintaining essential services.
A severe threat, according to NCSC guidance, is defined as "a deliberate and highly disruptive or destructive cyber-attack." The objectives of such an attack could include:
- Shutting down or damaging critical operations: Attackers may seek to halt essential services entirely, whether that means stopping power generation, disrupting water treatment, or grinding transportation networks to a halt.
- Physical damage to Industrial Control Systems (ICS): Beyond digital disruption, sophisticated attackers may aim to cause actual physical damage to equipment. The infamous Stuxnet attack on Iranian nuclear centrifuges demonstrated this capability over 15 years ago, and the techniques have only grown more refined since then.
- Data erasure to prevent recovery: Wiper malware, like the DynoWiper deployed against Poland, doesn't seek to extort victims—it aims to destroy. By erasing critical data and system configurations, attackers can make recovery impossible without complete rebuilds, potentially extending outages from days to weeks or months.
Google Cloud Security, in its Cybersecurity Forecast 2026 report, specifically warned that Europe faces an elevated risk of cyber-physical attacks targeting energy grids, transport, and digital infrastructure throughout 2026. The report anticipates that these attacks will take the form of "hybrid warfare, where cyber means support attacks impacting physical systems."
Which Sectors Face the Greatest Risk?
The NCSC defines critical national infrastructure as assets "essential for the functioning of society." This encompasses a broad range of sectors, each with unique vulnerabilities and potential consequences of compromise.
Energy Sector: Ground Zero for Nation-State Attacks
The energy sector remains the primary target for sophisticated nation-state actors, particularly those affiliated with Russia. Sandworm has an extensive track record of targeting energy infrastructure:
- December 2015: The BlackEnergy attack on Ukrainian power distribution companies, causing the first-ever malware-induced blackout.
- December 2016: The Industroyer/CrashOverride attack on a Ukrainian transmission substation.
- 2022-2025: Continuous campaigns targeting Ukrainian energy, heating, and water facilities to amplify the impact of kinetic military operations.
- March 2024: Attacks on energy infrastructure in 10 Ukrainian regions.
- Q2-Q3 2025: Deployment of Zerolot and Sting wiper malware against government, energy, and logistics entities.
- December 2025: The DynoWiper attack on Polish energy infrastructure.
Polish Prime Minister Donald Tusk, while confirming that Poland's defenses held, acknowledged the severity of the threat: "The systems we have in Poland today proved effective. At no point was critical infrastructure threatened, meaning the transmission networks and everything that determines the safety of the entire system."
But "proving effective" once doesn't guarantee future success. Each attack provides adversaries with intelligence about defensive capabilities and potential weaknesses to exploit in subsequent campaigns.
Healthcare: Lives on the Line
The healthcare sector presents a particularly attractive target for both nation-state actors and financially motivated cybercriminals. The UK has already experienced firsthand the devastating consequences of healthcare cyberattacks.
The 2024 ransomware attack on NHS supplier Synnovis demonstrated just how catastrophic healthcare sector breaches can be. The attack disrupted blood testing services across London, forcing hospitals to cancel surgeries and delay treatments. Some reports have linked patient deaths to the resulting delays in care—a stark reminder that cybersecurity in healthcare is quite literally a matter of life and death.
Healthcare organizations face unique challenges:
- Legacy systems: Many medical devices and hospital systems run outdated software that cannot be easily patched.
- Interconnected networks: The integration of medical devices, administrative systems, and patient records creates complex attack surfaces.
- 24/7 operations: Unlike other sectors, healthcare cannot simply "shut down for maintenance" while security issues are addressed.
- High-value data: Patient records command premium prices on dark web marketplaces, making healthcare organizations attractive targets for data theft.
Transportation: Cascading Consequences
Modern transportation networks—from rail systems to air traffic control to maritime shipping—depend on complex digital systems that present attractive targets for disruption.
The consequences of transportation cyberattacks extend far beyond immediate inconvenience. Supply chain disruptions can cascade through the economy, affecting manufacturing, retail, and every sector that depends on the movement of goods. The Colonial Pipeline attack in May 2021 demonstrated how a single ransomware incident could trigger fuel shortages across the eastern United States, causing panic buying and economic disruption that far exceeded the direct impact of the attack itself.
Financial Services: Economic Warfare
Financial institutions represent critical infrastructure not just because of the services they provide, but because of their role in maintaining economic stability. A successful attack on major financial infrastructure could trigger market instability, undermine confidence in digital payments, and potentially cause bank runs as customers lose faith in the security of their deposits.
Nation-state actors increasingly view financial system disruption as a tool of economic warfare. The 2016 Bangladesh Bank heist, attributed to North Korea's Lazarus Group, demonstrated that even the SWIFT interbank messaging system—the backbone of global finance—could be compromised.
Telecommunications: The Attack Enabler
Telecommunications infrastructure occupies a unique position in the critical infrastructure landscape: it's both a target in its own right and the means by which attacks on other sectors are conducted. Disrupting telecommunications can blind defenders, prevent coordination of response efforts, and isolate affected regions from outside assistance.
Recent state-sponsored intrusions into telecommunications networks, including the Salt Typhoon campaign targeting major US carriers, have demonstrated that adversaries are actively working to establish persistent access to these crucial systems.
What Organizations Must Do Immediately
The NCSC has issued comprehensive guidance for critical infrastructure operators, emphasizing three key areas: increasing situational awareness, hardening defenses, and preparing for incident response.
1. Increase Monitoring and Situational Awareness
Organizations must enhance their ability to detect and respond to threats in real-time:
- Implement comprehensive network monitoring: Deploy sensors across all network segments, with particular attention to OT/ICS environments that may have previously been considered "air-gapped" or isolated.
- Establish threat intelligence feeds: Subscribe to government and commercial threat intelligence services to receive timely warnings of emerging threats and indicators of compromise.
- Monitor for anomalous behavior: Baseline normal network activity and implement alerts for deviations that could indicate compromise.
- Participate in information sharing: Engage with sector-specific Information Sharing and Analysis Centers (ISACs) and government programs designed to facilitate threat intelligence sharing.
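The "baseline normal activity, then alert on deviations" step above is easy to state and harder to picture. The following Python is an added illustration written for this article, not NCSC guidance or code from any product: it learns which source/destination/port combinations and daily byte volumes are normal from a constructed set of flow log lines, then flags a monitoring window containing a first-time connection to an ICS protocol port, an unseen host, and a volume spike. The log format, the IP addresses and the OT port watch list are all assumptions made for the example.

```python
"""Baseline-and-deviation alerting over flow log lines, as an added example.

Log format (constructed for this example, not a real sensor format):
    <ISO timestamp> src=<ip> dst=<ip> dport=<port> bytes=<n>
"""
import re
import statistics
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Ports used by common ICS protocols (Modbus/TCP, DNP3, EtherNet/IP, S7comm).
# A host that has never talked to these before and suddenly does is rated high.
OT_PORTS = {502, 20000, 44818, 102}

# Constructed baseline window: three days of routine traffic.
BASELINE_LINES = [
    "2026-01-05T08:00:00Z src=10.0.1.5 dst=10.0.2.10 dport=502 bytes=1000",
    "2026-01-05T08:05:00Z src=10.0.1.6 dst=10.0.2.11 dport=443 bytes=500",
    "2026-01-06T08:00:00Z src=10.0.1.5 dst=10.0.2.10 dport=502 bytes=1100",
    "2026-01-06T08:05:00Z src=10.0.1.6 dst=10.0.2.11 dport=443 bytes=500",
    "2026-01-07T08:00:00Z src=10.0.1.5 dst=10.0.2.10 dport=502 bytes=900",
    "2026-01-07T08:05:00Z src=10.0.1.6 dst=10.0.2.11 dport=443 bytes=500",
]

# Constructed monitoring window: one day with three deviations and a malformed line.
WINDOW_LINES = [
    "2026-01-08T08:00:00Z src=10.0.1.5 dst=10.0.2.10 dport=502 bytes=1000",
    "2026-01-08T08:02:00Z src=10.0.1.6 dst=10.0.2.10 dport=502 bytes=200",
    "2026-01-08T08:03:00Z src=10.0.1.9 dst=10.0.2.11 dport=443 bytes=50",
    "2026-01-08T08:04:00Z src=10.0.1.6 dst=10.0.2.11 dport=443 bytes=5000",
    "this line is not a flow record",
]


def parse(lines):
    """Turn raw lines into (day, src, dst, dport, bytes) tuples; malformed lines are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a monitor must not crash on one bad record
        flows.append((m["ts"][:10], m["src"], m["dst"], int(m["dport"]), int(m["bytes"])))
    return flows


def build_baseline(flows):
    """Learn the set of normal (src, dst, dport) triples and per-source daily byte volume."""
    known = set()
    per_day = defaultdict(Counter)  # src -> day -> bytes
    for day, src, dst, dport, nbytes in flows:
        known.add((src, dst, dport))
        per_day[src][day] += nbytes
    volume = {}
    for src, days in per_day.items():
        vals = list(days.values())
        mean = statistics.fmean(vals)
        stdev = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        volume[src] = (mean, stdev)
    return known, volume


def detect(baseline, window_flows, sigma=3.0):
    """Return (severity, message) alerts for flows that deviate from the baseline."""
    known, volume = baseline
    alerts = []
    totals = Counter()
    for _day, src, dst, dport, nbytes in window_flows:
        totals[src] += nbytes
        if (src, dst, dport) not in known:
            severity = "high" if dport in OT_PORTS else "medium"
            alerts.append((severity, f"new flow {src}->{dst}:{dport}"))
    for src, total in totals.items():
        if src not in volume:
            alerts.append(("high", f"unseen source {src}"))
            continue
        mean, stdev = volume[src]
        # A perfectly constant baseline has zero deviation; treat a doubling as anomalous there.
        threshold = mean + sigma * stdev if stdev > 0 else 2 * mean
        if total > threshold:
            alerts.append(("medium", f"volume spike from {src}: {total} bytes vs baseline mean {mean:.0f}"))
    return alerts


def run_example():
    """Run the constructed window against the constructed baseline."""
    return detect(build_baseline(parse(BASELINE_LINES)), parse(WINDOW_LINES))


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

The two rules complement each other: the flow-set rule catches a corporate host that starts speaking Modbus to a controller, which is exactly the kind of lateral movement into OT segments the guidance worries about, while the volume rule catches a known path being used far more heavily than usual. In practice the baseline would be rebuilt on a rolling window and the thresholds tuned per segment.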
2. Harden Network Defenses
Implementing security best practices can significantly reduce the attack surface and make successful compromises less likely:
- Patch aggressively: Prioritize patching of known vulnerabilities, particularly those being actively exploited in the wild. The NCSC and CISA maintain lists of known exploited vulnerabilities that should receive immediate attention.
- Implement multi-factor authentication (MFA): Deploy MFA across all systems, with particular emphasis on remote access solutions, privileged accounts, and any internet-facing applications.
- Apply secure-by-design principles: Ensure that network infrastructure is designed with security as a primary consideration, not an afterthought.
- Segment networks: Isolate critical systems from general corporate networks to limit lateral movement in the event of a breach.
- Review and restrict remote access: VPNs, remote desktop solutions, and other remote access tools represent common attack vectors. Ensure they are properly configured, monitored, and restricted to only those who require access.
3. Prepare for Incident Response
Even with robust defenses, organizations must prepare for the possibility that attacks will succeed:
- Develop and test incident response plans: Document procedures for detecting, containing, and recovering from cyberattacks. Conduct tabletop exercises and full-scale simulations regularly.
- Establish communication protocols: Ensure that incident response teams can communicate securely even if primary communication systems are compromised.
- Maintain offline backups: Implement the 3-2-1 backup rule (three copies of data, on two different media types, with one copy stored offsite) and regularly test restoration procedures.
- Identify critical dependencies: Map the systems and services your organization depends on, and develop contingency plans for operating without them.
- Build relationships with responders: Establish relationships with law enforcement, national cyber agencies, and incident response providers before you need them.
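The backup bullet above packs two separate checks into one sentence: does the set of copies actually satisfy 3-2-1, and does a restore produce the data you think it does? The Python below is an added example written for this article (not NCSC material or any vendor's tooling) that does both on constructed input: a policy check over an inventory of backup copies, and a restore test that backs up a throwaway directory with a SHA-256 manifest, silently damages one backed-up file, and shows the restore test catching it. The inventory fields, the manifest file name and the sample files are assumptions made for the example.

```python
"""3-2-1 policy check plus a restore test, as an added example.

Constructed data only: the inventory, the file names and their contents are invented
for the demonstration. The manifest file name is an assumption of this example.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"  # hypothetical manifest name used by this example


def check_321(copies):
    """Return the 3-2-1 rule violations for an inventory of backup copies.

    Each copy is a dict with keys 'location', 'media' and 'offsite'.
    An empty list means the rule is satisfied.
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, rule requires 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    return problems


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative file path -> SHA-256 for every regular file under root (manifest excluded)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST:
                result[rel] = sha256_file(full)
    return result


def make_backup(src_dir, backup_dir):
    """Copy src_dir to backup_dir and store hashes taken from the live source alongside it."""
    shutil.copytree(src_dir, backup_dir)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(hash_tree(src_dir), f)


def verify_restore(backup_dir, restore_dir):
    """Restore into a scratch location and compare every file against the manifest.

    Returns a sorted list of problems; an empty list means the restore is trustworthy.
    """
    shutil.copytree(backup_dir, restore_dir)
    with open(os.path.join(restore_dir, MANIFEST)) as f:
        expected = json.load(f)
    actual = hash_tree(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in expected)
    return sorted(problems)


def run_example():
    """Exercise both checks on constructed data; returns (policy_problems, restore_problems)."""
    inventory = [  # constructed: two disk copies in the same building, nothing offsite
        {"location": "nas-01", "media": "disk", "offsite": False},
        {"location": "san-02", "media": "disk", "offsite": False},
    ]
    policy_problems = check_321(inventory)

    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "plc"))
        with open(os.path.join(src, "plc", "config.xml"), "w") as f:
            f.write("<plc><setpoint>42</setpoint></plc>\n")
        with open(os.path.join(src, "hmi.cfg"), "w") as f:
            f.write("screen=overview\n")
        backup = os.path.join(work, "backup")
        make_backup(src, backup)
        # Simulate silent damage to the backup copy (bit rot, or a wiper that reached the share).
        with open(os.path.join(backup, "plc", "config.xml"), "w") as f:
            f.write("")
        restore_problems = verify_restore(backup, os.path.join(work, "restore"))
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return policy_problems, restore_problems


if __name__ == "__main__":
    policy, restore = run_example()
    print("policy:", policy or "ok")
    print("restore:", restore or "ok")
```

The point of hashing the live source at backup time, rather than the backup itself, is that the manifest then describes what the data looked like before anything could have damaged the copy; a restore that matches the manifest is a restore of the original, not merely a faithful copy of a corrupted backup. Running the restore into a scratch directory and diffing it is the "regularly test restoration procedures" step made mechanical enough to schedule.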
As NCSC Director Ellison noted: "Although attacks can still happen, strong resilience and recovery plans reduce both the chances of an attack succeeding and the impact if one does."
Historical Context: The Rising Tide of CNI Attacks
The current warning from the NCSC must be understood in the context of an escalating campaign of attacks on critical infrastructure worldwide.
Colonial Pipeline (May 2021)
The DarkSide ransomware attack on Colonial Pipeline remains the most significant critical infrastructure cyberattack in US history. The attack forced the shutdown of a pipeline carrying 45% of the fuel consumed on the US East Coast, triggering widespread fuel shortages and panic buying. Colonial Pipeline ultimately paid a $4.4 million ransom to restore operations, though the FBI later recovered a portion of the payment.
The incident prompted a dramatic reassessment of critical infrastructure cybersecurity across the United States and globally, leading to executive orders, regulatory changes, and renewed focus on public-private partnership in cyber defense.
JBS Foods (May 2021)
Just weeks after Colonial Pipeline, the REvil ransomware gang struck JBS, the world's largest meat processor. The attack forced the temporary closure of all JBS beef plants in the United States and disrupted operations in Australia and Canada. JBS ultimately paid an $11 million ransom to prevent further disruption.
The attack demonstrated that critical infrastructure vulnerabilities extend beyond traditional targets like energy and utilities to include food supply chains and other sectors essential for daily life.
Synnovis/NHS (2024)
The ransomware attack on Synnovis, a pathology services provider to NHS hospitals in London, demonstrated the life-and-death stakes of healthcare cyberattacks. The attack disrupted blood testing services for months, forcing hospitals to cancel surgeries and delay treatments.
Reports have linked at least one patient death to delays caused by the attack—a tragic reminder that cybersecurity in healthcare is not just an IT issue but a patient safety issue.
Polish Energy Infrastructure (December 2025)
The Sandworm attack on Polish energy infrastructure represents the latest escalation in nation-state targeting of European critical infrastructure. While Polish defenses apparently prevented significant disruption, the attack demonstrates that adversaries continue to probe for weaknesses and develop new capabilities.
International Implications: A Global Problem
While the NCSC warning is directed primarily at UK organizations, the threat to critical infrastructure is fundamentally international in nature.
The US Perspective
American critical infrastructure faces similar threats from the same adversaries. The Volt Typhoon campaign, attributed to China, has established persistent access to US critical infrastructure networks, potentially positioning for disruptive attacks in the event of conflict over Taiwan. Salt Typhoon's penetration of US telecommunications networks has raised concerns about the security of the nation's communications backbone.
CISA has issued numerous warnings about threats to US critical infrastructure, including a February 2026 directive requiring federal agencies to decommission all end-of-support edge devices within 12 months to reduce exploitation risks.
European Coordination
The attack on Polish infrastructure underscores the interconnected nature of European critical infrastructure. Energy grids, transportation networks, and financial systems cross national boundaries, meaning an attack on one country's infrastructure can have cascading effects across the continent.
The EU's NIS2 Directive, which came into force in January 2023 with an October 2024 deadline for member state implementation, represents the most significant effort to date to establish common baseline security requirements for critical infrastructure operators across Europe. NIS2 mandates:
- Strict incident reporting requirements, including 24-hour early warning notifications
- Comprehensive risk management measures
- Supply chain security assessments
- Penalties of up to 2% of global annual turnover for serious violations
Poland, which successfully defended against the December 2025 attack, is now rushing to finalize its National Cybersecurity System Act—its implementation of NIS2—to mandate stricter requirements for risk management, IT and OT security, and incident response.
"I hope to implement this act as soon as possible," Prime Minister Tusk stated. "We will be equipping Polish institutions with tools to protect the market against systems and devices that would make it easier for foreign states to interfere and obtain information."
The UK's Cyber Security and Resilience Bill
The UK, having left the European Union, is not subject to NIS2. However, the government has introduced its own Cyber Security and Resilience Bill, which aims to update the UK's Network and Information Systems (NIS) Regulations 2018.
The bill, introduced to Parliament in early 2026, includes several significant provisions:
- Expanded scope: Managed service providers (MSPs) will be regulated for the first time, bringing an additional 900-1,100 firms under the law's requirements.
- Supply chain focus: New duties will require operators of essential services to manage supply chain risks, recognizing that attackers frequently target suppliers as a pathway to their ultimate targets.
- Enhanced reporting: Incident reporting requirements will be expanded, with initial reports required within 24 hours of detection and full reports within 72 hours.
- Proactive regulation: The powers of the Information Commissioner's Office (ICO) will be enhanced, enabling it to identify critical digital service providers and take a proactive approach to assessing cyber risk.
- Tougher penalties: Turnover-based penalties will be introduced for serious offenses, aligning more closely with the GDPR and NIS2 penalty frameworks.
NCSC boss Richard Horne has emphasized the urgency of the legislation: "As a nation, we must act at pace to improve our digital defenses and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services."
The government estimates that the average cost of a "significant cyber-attack" now exceeds £190,000, amounting to £14.7 billion per year across the entire UK economy—approximately 0.5% of national GDP.
Looking Ahead: The Threat Landscape in 2026
The NCSC warning arrives at a particularly dangerous moment in the evolution of cyber threats to critical infrastructure.
Google Cloud Security's Cybersecurity Forecast 2026 outlines several trends that CNI operators must prepare for:
- AI-enhanced attacks: The use of AI for malicious campaigns is expected to shift "from the exception to the norm," enabling sophisticated multimodal attacks combining voice, video, and text deepfakes.
- Expanded targeting: Non-state threat actors will continue targeting European supply chains, especially managed service providers and software dependencies, to gain access to numerous downstream targets.
- Ransomware evolution: Some ransomware operations in 2026 will specifically target critical enterprise software such as ERP systems, "severely disrupting the supply chain of data essential for OT operations."
- Strategic shift in Russian operations: Russian cyber operations are expected to undergo a strategic shift, moving beyond tactical support for the Ukraine conflict to prioritize long-term global strategic goals, including "obtaining strategic footholds within international critical infrastructure environments."
Conclusion: The Time for Action Is Now
The NCSC's warning to critical national infrastructure operators is not merely a routine advisory—it is an urgent call to action prompted by real attacks causing real damage to allies' infrastructure.
The attack on Polish energy infrastructure demonstrates that sophisticated nation-state actors are actively probing European critical infrastructure, developing new capabilities, and positioning for potential future attacks. The DynoWiper malware deployed against Poland is just the latest in a decade-long campaign by Sandworm to target energy infrastructure, and there is every reason to believe that similar attacks will target UK infrastructure.
Organizations responsible for critical national infrastructure must take immediate action to:
- Assess their current security posture against the NCSC's guidance for defending against severe cyber threats
- Implement enhanced monitoring to detect intrusions before they can cause damage
- Harden their networks against known attack vectors and vulnerabilities
- Prepare for incident response with tested plans and established relationships
- Engage with regulators and partners to share threat intelligence and coordinate defenses
As Jonathan Ellison concluded in his warning: "Cybersecurity is a shared responsibility and a foundation for prosperity, and so we urge all organizations—no matter how big or small—to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires."
The question is no longer whether critical infrastructure will be targeted, but when—and whether defenders will be prepared when that moment arrives.
For the latest guidance on protecting critical national infrastructure, visit the NCSC's severe threat guidance and the Cyber Assessment Framework.