
Britain Names Iran and China Behind Majority of Critical Cyberattacks as Hormuz Ceasefire Expires

NCSC designates dual adversaries responsible for nation-state attacks hitting UK infrastructure four times weekly, as regulatory overhaul accelerates and geopolitical tensions converge.

Britain’s National Cyber Security Centre today designated Iran and China as responsible for the majority of ‘nationally significant’ cyberattacks on UK critical infrastructure—a threshold indicating threats to national security, economic stability, or essential services—as the agency now handles approximately four such incidents per week.

The attribution, delivered by NCSC CEO Richard Horne at the CYBERUK 2026 conference in Glasgow, arrives as Iran’s Strait of Hormuz ceasefire expires today and Chinese espionage campaigns continue targeting UK defence contractors, telecommunications networks, and parliamentary systems. The designation elevates both adversaries beyond routine threat actors to strategic peer competitors capable of sustained infrastructure disruption.

UK Cyber Incident Surge
  • Nationally significant incidents (yr to Aug 2025): 204
  • Previous year total: 89
  • Year-over-year increase: +129%
  • Highly significant incidents: 18

The NCSC’s annual review documented 204 nationally significant cyber incidents in the year to August 2025, more than double the 89 recorded the previous year. Of 429 total incidents handled, 18 were classified as ‘highly significant’—a 50% increase year-on-year and the third consecutive annual rise. Nation-states, operating directly or through proxies, account for the majority of attacks breaching the ‘nationally significant’ threshold.

Dual-Front Attribution

China now represents what Horne termed “a peer competitor in cyberspace,” according to The Register, upgrading Beijing’s status from capable adversary to strategic threat through a “whole-of-state approach” integrating intelligence services, technology firms, and academic institutions. The NCSC and allies exposed three China-based technology companies in August 2025 for enabling espionage campaigns against government, telecommunications, transport, and military infrastructure in the Salt Typhoon operation.

Iran’s designation reflects what the NCSC assessed as “almost certain” use of cyber operations to suppress perceived threats to the regime within Britain, per Computer Weekly. State-linked Iranian hackers executed the attack on Stryker medical technology systems in March 2026. The timing coincides with escalating tensions in the Strait of Hormuz, where Iran closed shipping lanes on 18 April despite declaring the strait reopened on 8 April. CNBC reported that US-Iran ceasefire negotiations collapsed multiple times before today’s expiration.

“The most serious threat comes from cyberattacks carried out directly or indirectly by other states.”

— Richard Horne, CEO, National Cyber Security Centre

Infrastructure Vulnerability at Scale

The threat landscape extends beyond government networks to energy grids, financial systems, and defence supply chains. A March 2026 survey by security firm Bridewell found that 93% of UK critical national infrastructure organisations experienced at least one successful cyber attack in the past 12 months. Regulatory drivers for cyber security investment jumped to 35% from 26% year-on-year as the Cyber Security and Resilience Bill advances through Parliament’s committee stage.

MI5 investigations into state threat activity increased 35% in the year to October 2025, according to the House of Commons Library, with espionage operations targeting Parliament, universities, and critical infrastructure documented across defence and technology sectors. The volume suggests systematic collection campaigns rather than opportunistic intrusions.

  • Aug 2025: Salt Typhoon Attribution. NCSC exposes three China-based tech firms enabling global espionage campaign targeting critical networks.
  • Oct 2025: NCSC Annual Review. Reports 204 nationally significant incidents, 129% increase; MI5 notes 35% rise in state threat investigations.
  • Mar 2026: Iran Stryker Attack. Iranian state-linked hackers compromise Stryker medical technology systems.
  • 8 Apr 2026: Hormuz Ceasefire Begins. Iran announces Strait of Hormuz reopening; shipping resumes under temporary truce.
  • 18 Apr 2026: Iran Closes Strait Again. Despite ceasefire, Iran shuts shipping lanes; US Navy seizes Iranian cargo vessel.
  • 22 Apr 2026: Ceasefire Expires. NCSC designates Iran and China as primary cyber adversaries as Hormuz truce collapses.

Policy Response Triggers

The Cyber Security and Resilience Bill, which passed first reading in November 2025 and second reading in January 2026, imposes mandatory incident reporting and baseline security standards on critical national infrastructure operators. The legislation’s committee stage progression suggests implementation within months rather than quarters, driven by the documented surge in successful attacks against energy, transport, and telecommunications networks.

Horne’s framing of the current threat environment as “the most seismic geopolitical shift in modern history” positions cyber defence as strategic infrastructure investment comparable to Cold War-era civil defence programs. The regulatory shift transfers accountability from voluntary frameworks to enforceable standards with financial penalties for non-compliance.

Strategic Implications
  • Dual adversary designation creates distinct defence requirements—China’s whole-of-state espionage model versus Iran’s regime protection operations require different countermeasures
  • 93% breach rate across critical infrastructure indicates systematic defensive gaps rather than isolated incidents, supporting mandatory baseline security standards
  • Insurance market repricing likely as ‘nationally significant’ incidents quadruple—underwriters reassessing critical infrastructure cyber risk premiums
  • NATO cyber coordination frameworks face pressure to expand beyond intelligence sharing to active defence cooperation as member states document similar attribution patterns

What to Watch

Track the Cyber Security and Resilience Bill’s progression through committee stage for timeline on mandatory CNI security standards and incident reporting requirements. Monitor whether the NCSC publishes technical indicators of compromise linking specific Chinese technology firms to ongoing campaigns, which would trigger supply chain exclusion decisions across Five Eyes partners. Watch for insurance market response—whether Lloyd’s syndicates and specialty cyber underwriters adjust critical infrastructure premiums or impose coverage exclusions based on the documented 93% breach rate. Observe NATO cyber defence cooperation announcements, particularly whether the alliance formalises active defence protocols beyond current intelligence-sharing frameworks. Finally, track whether the UK designates additional Chinese technology providers as national security risks under the National Security and Investment Act, following the Salt Typhoon attribution model established in August 2025.