Two statements in the last six weeks deserve more board-level attention than they got.

The first is the NCSC's assessment that Iran is now concentrating cyber operations against UK and US targets in support of its regional military objectives following the Middle East crisis. The second is the joint advisory NCSC co-sealed with international partners last week, linking three China-based companies to the Salt Typhoon campaign — overlapping with state-aligned activity against telecommunications and critical infrastructure across the West.

Read together, they mean the trajectory of 2025 is no longer ambiguous. State-aligned operators have moved from quiet infrastructure presence to active disruption and named attribution.

The shift, in plain English

For years, the public narrative around nation-state cyber activity has been prepositioning. The idea is that an adversary establishes a foothold in critical infrastructure — telecoms, water, energy, transport — without taking any disruptive action, and then waits for the political moment when disruption becomes useful. The threat is potential, not active.

The narrative was always thin. The 2021 Hafnium Exchange compromise showed Chinese state-aligned operators willing to move from quiet collection to mass exploitation when the operational moment demanded it. The 2021 Colonial Pipeline incident, although criminal rather than state-aligned, demonstrated that the gap between capability to disrupt and willingness to disrupt could close in days. The 2025 development is that nation-state actors are now demonstrating both the capability and the willingness simultaneously, in named campaigns, against UK targets.

Two things changed this year.

First, Iran moved into operational disruption. Following the regional crisis, Iranian-aligned actors began conducting active operations against organisations they had previously only mapped. The NCSC's assessment is careful about what it calls "highly likely", but it is not careful about whether it is happening; it is.

Second, China moved into named attribution. The Salt Typhoon advisory does what the UK government rarely does — it names three specific commercial entities in a specific jurisdiction as participants in an espionage campaign. That kind of attribution carries a diplomatic weight that the previous careful avoidance of attribution did not.

Both shifts mean the prepositioning narrative is no longer sufficient. The relationships are operational now.

The 204 number, in context

The headline from NCSC's annual review period (September 2024 to August 2025) is that there were 204 nationally significant cyber incidents — up from 89 the year before. Four incidents per week, on average, each one significant enough to be tracked by the national authority.

The reflexive interpretation is that detection has improved. This is partly true. The interpretation that should bother more boards is that the increase reflects an actual increase in adversary tempo. NCSC explicitly attributes part of the rise to state-aligned activity, with eighteen of the 204 incidents classified as "highly significant" (Category 2) — up from twelve the year before.

The Category 2 count is the more important number. These are incidents with serious impact on central government, essential services, a large proportion of the population, or the UK economy. Eighteen of them in a year is a different operating environment from twelve.

What this means for UK boards

A few practical implications.

The threat surface has widened. State-aligned actors targeting critical national infrastructure (CNI) now means more sectors are in scope than before. Healthcare, water, transport, finance, and increasingly the supply chains underneath them are all credible targets. Sectoral boards that have historically assumed they were beneath state-aligned interest should re-examine that assumption.

Attribution carries new weight. When NCSC names a company in Beijing, the diplomatic and legal context shifts. Firms in regulated sectors should expect that public attribution events become reference points — for sanctions, for procurement decisions, for supplier risk assessments. Knowing which providers in your supply chain have any commercial relationship with named entities is no longer a hypothetical exercise.

Disruption is now a credible mode, not just espionage. The Iranian operational shift means UK firms need to plan for outage, data loss, and service degradation from a state-aligned source — not just intelligence collection. The threat model gets bigger.

For boards

The two questions worth asking the executive team this quarter:

What does our exposure to state-aligned cyber activity actually look like — not in the abstract, but mapped to our sector, our supply chain, and our customer base? Most firms have not done this work. The answer is usually less alarming than first feared and more specific than expected.

If a major UK sector were publicly disrupted by state-aligned activity tomorrow, what is our plan for the next forty-eight hours? Communications, regulatory notifications, customer messaging, supply chain calls. Most firms have an incident response plan. Few have a state-aligned incident response plan, and the differences matter — particularly around government liaison and the speed of public attribution.

The closing observation

The polite phase of state-aligned cyber activity against the West is over. We are in the active phase. NCSC has been telling us this for some months now, in language that is unusually direct for a national authority. The point of paying attention to direct language from NCSC is so that boards do not have to learn the same lesson by being in the next public incident.