Report | UK Threat Landscape, 2026

Report | UK Threat Landscape, 2026

Explore an in‑depth look at the UK threat landscape—from emerging trends to key threat actors and TTPs. Download now to read the full report.

Report | UK Threat Landscape, 2026

January 2026

Natalie Kapular Ruty Davidson

UK Threat Landscape

EXECUTIVE SUMMARY

Cyber threats against UK organizations intensified in 2025, making the UK the most targeted country in Europe with 16% of all regional attacks. Unlike previous years, ransomware was no longer the dominant threat; defacement surged to nearly half of all incidents, signaling a rise in hacktivist-driven campaigns focused on disruption and visibility rather than financial gain. This shift, combined with seasonal spikes—such as December’s record 455 attacks—underscores an evolving risk environment.

Every major sector faced impact, with business services emerging as the most targeted, followed by technology and retail. High-profile breaches disrupted critical operations: Marks & Spencer and Co-op suffered prolonged outages, Jaguar Land Rover halted production, and government agencies faced severe data compromises. These incidents highlight the growing operational and reputational risks across interconnected supply chains.

Threat actors ranged from financially motivated groups like Cl0p and Qilin exploiting critical vulnerabilities, to hacktivists such as NoName057(16) driving politically motivated disruption. Exploitation of flaws in Oracle E-Business Suite, Ivanti EPMM, and Microsoft Azure Entra ID enabled large-scale compromises, reinforcing the urgency for proactive defense. To counter these threats, organizations must accelerate AI-driven security, strengthen incident response, and integrate geopolitical risk into resilience planning. Enhanced intelligence sharing and supplier risk assessments remain essential to mitigating the complex and persistent challenges shaping the UK’s cyber landscape.

UK Threat Landscape 2025 2

UK VS EUROPE

In 2025, the United Kingdom was the most targeted country in Europe, with 1,314 attacks recorded out of a total of 8,249 incidents, representing approximately 16% of all attacks in the region.

MAIN THREAT VECTORS IN 2025

In 2025, a notable shift was observed in the distribution of attack vectors compared to recent years. Defacement accounted for nearly half of the attacks targeting the UK, whereas in 2024 ransomware had been the dominant threat affecting UK organizations and companies.

0 200 400 600 800 1000 1200 1400 1600 1800 2000 2200

Other (1761)

Denmark (220)

Poland (333)

Belgium (401)

Russia (416)

Ukraine (482)

Italy (541)

Spain (706)

France (1028)

Germany (1047)

United Kingdom (1314)

700

600

500

400

300

200

100

0 Data Breach Defacement DDoS Ransomware

171

635

210

302

UK Threat Landscape 2025 2

The increase in defacement attacks can be attributed to several factors. Defacement is generally more visible and easier to track than data breaches or ransomware incidents. While data breaches and ransomware attacks are often disclosed only after a delay or not at all, defacement is typically carried out in a highly public manner that allows threat actors to showcase their activity. In many cases, the primary objective is disruption and notoriety rather than financial gain or long-term access.

Moreover, this may indicate an increase in hacktivist activity, a trend that could persist into 2026 and lead to further disruption for UK companies.

MOST TARGETED SECTORS

In 2025, the business services sector was the most targeted among UK organizations, accounting for 20% of all attacks on UK sectors. Providers in this sector often serve as intermediaries for multiple organizations, making them appealing targets for supply chain compromises, data aggregation, and operational disruption.

The high concentration of attacks indicates that threat actors increasingly see this sector as a strategic way to maximize impact, either by reaching downstream clients or by causing widespread service interruptions.

0 50 100 150 200 250 300

Other (94)

Real State (18)

Transportation (35)

Automotive (44)

Charity and Non-Profit (44)

Manufacturing (48)

Entertainment (51)

Finance (53)

Gambling (55)

Healthcare (64)

Education (78)

Government (100)

Energy (108)

Retail (127)

Technology (132)

Business Services (267)

UK Threat Landscape 2025 2

ATTACKS PER MONTH

In 2025, December recorded the highest volume of attacks targeting the United Kingdom, with more than 450 incidents observed.

This elevated activity is consistent with a broader trend of increased targeting during the holiday season, when both organizations and individuals are more vulnerable due to heightened online activity and increased reliance on digital services. Threat actors often exploit this period to maximize disruption and potential impact, particularly as online shopping and transactional activity peak.

Consistent with the broader trends observed throughout 2025, December also saw defacement attacks account for approximately 90% of all incidents. This aligns with the holiday-season surge in activity noted above, as website defacements can significantly disrupt customer access and online services during a critical period of heightened consumer demand.

500

400

300

200

100

0 Jan Feb Mar Apr May Jun Jul Aug Set Oct Nov Dec

0 100 200 300 400 500

Ransomware (22)

Defacement (410)

DDoS (12)

Data Breach (11)

UK Threat Landscape 2025 2

MAJOR UK 2025 INCIDENTS

April 2025

Sector: Retail Impact: Hack forced the retailer to pause online orders & app sales for nearly 7 weeks; contactless payments and click-and-collect disrupted. Company said annual profits could be hit by ~£300 million.

April 2025

Sector: Retail Impact: Cyber-attack disrupted IT systems, forced shutdown of parts of its infrastructure — including store stock/payment systems — affecting stores and financial services arms.

May 2025

Sector: Public/Government Impact: Significant data breach: attackers accessed personal data of legal�aid applicants (names, DOBs, national-ID numbers, criminal/financial history) dating back to 2010. Online services suspended; major privacy, fraud & extortion risks for affected individuals.

August 2025

Sector: Manufacturing / Automotive Impact: Cyber-attack forced complete shutdown of production and IT systems at UK factories — severe disruption to manufacturing and supply-chain operations. UK government announced £1.5 billion loan guarantee to support the manufacturer + its supply-chain to preserve jobs and operations.

September 2025

Sector: Aviation Impact: Cyber-attack on airline check�in/boarding software disrupted operations at major European airports including UK (e.g. Heathrow), causing flight delays, check-in failures, manual processing for passengers.

November 2025

Sector: Government Impact: Shared IT systems of the three councils went down due to a cyber-attack, shutting down services — including phone lines — for more than half a million residents. the boroughs confirmed that attackers had copied data, turning the outage into a confirmed data breach; the extent of the stolen data (personal, financial or otherwise) remains under investigation.

UK Threat Landscape 2025 2

MOST PROMINENT THREAT ACTORS TARGETING UK

Scattered LAPSUS$ Hunters (SLH)

• Nationality: International, mostly UK and US • Social-engineering and data-extortion group • Description: A hybrid cyber-criminal collective formed in 2025 through the convergence of operators from Scattered Spider, LAPSUS$, and ShinyHunters. • Main TTPs: help-desk impersonation and identity intrusion techniques SIM-swapping, MFA bypass, credential harvesting, insider recruitment. data-theft and leak-extortion, breaching and monetizing large consumer datasets

Warlock

• Nationality: China • Financially motivated cybercrime group • Description: The group gained visibility in 2024 and expanded its activity in 2025 by aggressively targeting organizations across Europe, with a notable focus on UK entities in the finance, professional services and retail sectors. • Main TTPs: Opportunistic and rapidly evolving extortion operations, primarily involving data theft, double-extortion tactics and the use of custom-built or repurposed ransomware tools. Their operations have relied heavily on exploiting exposed services, weak credentials and unpatched enterprise software, along with purchasing initial access from brokers to scale rapidly. Warlock is recognized for its noisy leak-site activity, high posting frequency and tendency to publish stolen data quickly to pressure victims into payment.

NoName057(16)

• Nationality: Russia • Pro-Russian hacktivist group • Description: emerged in early 2022 and quickly became known for its large-scale, politically motivated disruption campaigns. • Main TTPs: Primarily DDoS attacks that target government institutions, critical infrastructure operators, financial services, and media organizations in countries that support Ukraine, with a notable and recurring focus on the United Kingdom. Their operations are highly coordinated, often timed with geopolitical events, and designed to create public disruption rather than steal data or maintain persistent access. • UK operations/victims: NoName057(16) frequently selects UK government portals, public service websites, and financial sector entities as high visibility targets to amplify its political messaging.

UK Threat Landscape 2025 2

Qilin (Agenda)

• Nationality: Russia • Financially driven ransomware and extortion group • Description: active since 2022 and recognized for its highly customizable ransomware strains and professionalized criminal operations. • Main TTPs: The group functions as a ransomware-as-a-service ecosystem that brings together affiliated intrusion operators, malware developers, and data extortion teams, allowing it to scale attacks across a wide range of sectors and geographies. Qilin is known for exploiting vulnerable remote access systems, weak credential hygiene, and unpatched enterprise applications to infiltrate networks before exfiltrating large data sets and encrypting critical systems. • UK Operations/Victims: The United Kingdom has been one of its primary targets, with Qilin responsible for major disruptions affecting UK healthcare, logistics providers, professional services, and government linked entities. The group maintains an active leak site, employs a structured negotiation process, and leverages public pressure campaigns to coerce payment, making it a prominent and persistent threat to UK organizations.

Cl0P

• Nationality: Russia • Financially motivated ransomware and extortion group • Description: Has been active since at least 2019 and is widely recognized for its large scale data theft operations and high profile enterprise targeting. • Main TTPs: Clop focuses on high impact extortion by exfiltrating large volumes of sensitive data and threatening public leaks to pressure organizations into paying. The group maintains multiple leak sites, uses aggressive negotiation tactics, and continues to play a major role in shaping the global ransomware threat landscape.The group is part of a broader cybercriminal ecosystem often referred to as the Cl0p ransomware cartel, which includes affiliates, intrusion specialists, and data handling teams working together to conduct coordinated attacks. • Victimology: Clop is known for exploiting major enterprise software vulnerabilities, including MOVEit Transfer and GoAnywhere MFT, which have enabled large-scale compromises across multiple sectors, and most recently, the Oracle E Business Suite (EBS) flaw identified as CVE-2025-61882. • UK operations/victims: The United Kingdom has consistently been one of the group's key target regions, with UK-based financial institutions, retail organizations, professional services firms, and critical infrastructure suppliers frequently appearing among its victims.

Hezi Rash

• Nationality: Kurdistan • Hacktivist collective • Description: A collective known for politically motivated cyber operations that focus on visibility and ideological messaging rather than financial gain. • Main TTPs: The group conducts website defacements, distributed denial of service attacks, and targeted data leaks intended to highlight Kurdish political causes and retaliate against perceived adversaries. The group’s activity emphasizes rapid, disruptive attacks tied to political events and public narratives, positioning Hezi Rash as an active hacktivist threat within the European and UK threat landscape. • UK operations/victims: The United Kingdom has been one of its recurring targets, with incidents directed at government linked websites, media outlets, and public facing services to maximize reach and attention.

UK Threat Landscape 2025 2

TRENDING VULNERABILITIES

CVE-2025-61882 (Oracle E-Business)

CVSS: 9.8 (Critical) Description: Remote Code Execution (RCE) Vulnerability in Oracle E-Business Suite's Concurrent Processing product affecting versions 12.2.3-12.2.14. Allows attackers with network access via HTTP to achieve full system takeover without credentials. Impact: Over 103 organizations reportedly compromised by Cl0P Ransomware group. Data from 18 victims already leaked, with some breaches involving hundreds of gigabytes or terabytes of files. Exploitation began around August 9, 2025 - nearly two months before patches were released.

CVE-2025-53770 (SharePoint ToolShell)

CVSS: 9.8 (Critical) Description: Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary code on the SharePoint Server. Impact: Check Point Research found wide exploitation of the CVE, with more than 4600 compromise attempts on over 300 organizations, worldwide. While the initial exploitation wave was focused and targeted mostly government, software and telecommunications sectors, now it also targets financial services, business services and consumer goods sectors.

CVE-2025-4427/4428 (Ivanti EPMM)

CVSS: 5.3/7.2 (chained = critical) Description: CVE-2025-4427 is an authentication-bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that lets attackers access protected API endpoints without valid credentials. CVE-2025-4428 is a remote-code-execution (RCE) vulnerability in EPMM’s API, where specially crafted requests can trigger arbitrary Java code execution on the server. Impact: These vulnerabilities have been actively exploited in the wild by a sophisticated threat actor (UNC5221, a China-nexus cyber-espionage group) targeting organizations across Europe, North America and the Asia-Pacific. Sectors hit include healthcare, telecommunications, aviation, municipal government, finance, defense and others.

CVE-2025-59246 (Microsoft Azure Entra ID)

CVSS: 9.8 (Critical) Description: critical elevation-of-privilege vulnerability in Microsoft Azure Entra ID.Due to a missing-authentication flaw an attacker with network access — and without any prior privileges or user interaction — could exploit this vulnerability to gain unauthorized administrative or directory-level access. Impact: Because CVE-2025-59246 affects Azure Entra ID — the identity backbone used by millions of organizations worldwide for authentication, directory management, and cloud-access control — exploitation could let an attacker elevate privileges to administrative or directory-level control across entire tenants. If abused, the flaw could enable attackers to modify user accounts, change security policies, register rogue applications, and tamper with access controls — potentially leading to full compromise of corporate cloud environments, data exfiltration, and persistent unauthorized access. UK Specific: No evidence yet of UK related exploitation.

UK Threat Landscape 2025 2

STRATEGIC RECOMMENDATIONS

1. Accelerate AI-Driven Security Adoption Deploy advanced AI-powered threat detection and response tools to identify anomalies and emerging attack patterns in real time. This is critical given the rise of hacktivist-driven defacement and the increasing sophistication of ransomware campaigns.

2. Strengthen Incident Response and Crisis Management Develop and regularly test rapid incident response playbooks. Ensure cross-functional coordination between IT, legal, and communications teams to minimize operational downtime and reputational damage during high-impact events.

3. Prioritize Vulnerability Management Implement continuous patching and vulnerability scanning programs, focusing on critical flaws such as Oracle E-Business Suite (CVE-2025-61882), Ivanti EPMM, and Microsoft Azure Entra ID. Establish strict timelines for remediation and monitor for exploitation attempts.

4. Enhance Supply Chain Security Conduct rigorous third-party risk assessments and enforce security standards for vendors, especially in business services and technology sectors, which are prime targets for cascading compromises.

5. Integrate Geopolitical Risk into Cyber Strategy Monitor geopolitical developments and associated hacktivist activity. Incorporate threat intelligence into risk assessments to anticipate politically motivated campaigns and adjust defenses accordingly.

6. Invest in Workforce Awareness and Training Educate employees on emerging threats such as social engineering, MFA bypass, and phishing. Regular simulations and awareness programs can significantly reduce the success rate of identity-based attacks.

7. Expand Intelligence Sharing and Collaboration Engage with industry peers, government bodies, and international frameworks to share threat intelligence and best practices. Collaborative defense is essential against highly coordinated adversaries.

UK Threat Landscape 2025 2

UK Threat Landscape 2025 2

ISRAEL Tel: +972-73-226-4555 5 Shlomo Kaplan Street Tel Aviv 6789159

Tel: +65-6435-1318 78 Shenton Way, #09-01 Tower 1, Singapore 079120

SINGAPORE

Tel: +44 20 7628 4211 85 London Wall, 4th Floor, London, EC2M 7AD

UK AND IRELAND

Tel: 1-800-429-4391 100 Oracle Parkway, Suite 800 Redwood City, CA 94065

USA

Tel: +63 2 8465 9200 Unit 2005, 20th Floor, Zuellig Building, Makati Avenue, corner Paseo de Roxas Makati City 1223, Metro Manila

PHILIPPINES

Tel: +81-3-6205-8340 Toranomon Kotohira Tower 25F, 1-2-8, Toranomon Minato-ku, Tokyo 105-0001

JAPAN

ABOUT CHECK POINT EXPOSURE MANAGEMENT

Check Point’s exposure management changes the game. We combine billions of internal telemetry points with billions of external signals from the open, deep, and dark web to deliver a unified intelligence fabric. This provides clear visibility across the full attack surface, including brand risk. The industry is moving from fragmented feeds to real context and real priorities. We support that shift through active threat validation, confirmation of compensating controls, and deduplication across tools, so teams can focus on what actually matters. With safe-by-design remediation, fixes aren’t just assigned, they’re implemented. Every fix is validated before enforcement, enabling measurable risk reduction without downtime. Gartner predicts organizations adopting continuous threat exposure management with mobilization will see 50% fewer successful attacks by 2028. We’re leading that shift with action, not just tickets, and Fortune 500 organizations across major industries already rely on Check Point Exposure Management.

For more information visit: checkpoint.com/exposure-management

© Check Point, 2026. All Rights Reserved.

Contact Us

https://www.checkpoint.com/exposure-management/


Item Type: pdf