UK Critical Infrastructure Faces Pre-positioned Nation-State Threats: NCSC Warns of Intelligence Gathering for Future Kinetic Operations

UK National Cyber Security Centre leadership has warned that hostile nation-states are behind approximately 75% of cyber attacks on British critical infrastructure and are actively pre-positioning access for use in future kinetic conflicts. This represents a shift from opportunistic compromise to strategic preparation for wartime operations.

Sebastion

Affected

UK critical infrastructure operators across multiple sectors

The NCSC's assessment reveals a strategic shift in adversarial cyber operations. Rather than pursuing immediate financial or intelligence gain through discrete attacks, hostile nations are conducting long-term reconnaissance and access establishment within British critical infrastructure networks. Richard Horne's statement that "kinetic targeting in any conflict tomorrow will be based on intelligence gathered today" indicates adversaries are building detailed operational knowledge of critical systems in preparation for potential military conflict scenarios.

The pre-positioning campaign suggests a multi-layered approach: initial reconnaissance to map network topology and identify high-value targets, lateral movement to establish persistence within air-gapped or hardened environments, and sustained low-visibility presence to avoid detection. Nation-states conducting this activity likely include Russia, China, Iran, and North Korea, each with distinct targeting priorities. Russian operations appear focused on energy and transport infrastructure; Chinese activity targets intellectual property and government networks; Iranian operations concentrate on disruptive capability; North Korean efforts centre on financial systems and sanctions evasion.

The 75% attribution rate to state actors signals that common criminal and hacktivist activity accounts for only one-quarter of attacks against critical infrastructure. This concentration underscores that defensive resources must prioritise nation-state threat models over commodity ransomware. Defenders cannot rely on perimeter-centric detection or incident response playbooks designed for traditional breaches; pre-positioning campaigns succeed through patience and low noise, often evading standard SOC alerting for months or years.

Defenders must immediately implement network segmentation, enforce application whitelisting on critical systems, deploy enhanced monitoring for lateral movement patterns, and establish baseline intelligence on existing access points. Organisations should assume that nation-state adversaries already possess access to some systems and focus on denial of progression: preventing lateral movement, restricting command and control, and eliminating the ability to achieve simultaneous strikes across multiple infrastructure targets. Incident response and threat hunting must become continuous activities rather than reactive disciplines.
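One way to turn "monitoring for lateral movement" and "baseline intelligence on existing access points" into concrete detection logic is a long-window fan-out check: flag an account that reaches several destinations outside its known-good baseline over weeks, not minutes, because the low-and-slow pacing described above slips through short SOC correlation windows. The code below is an added illustration, not part of the NCSC advisory or this brief; the log format, hostnames, account names and the baseline set are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (hypothetical format):
# timestamp account source_host destination_host protocol
SAMPLE_EVENTS = """\
2024-03-01T08:02:11Z svc_backup ws-hr-07 fs-01 smb
2024-03-04T02:14:40Z svc_backup ws-hr-07 plc-gw-02 rdp
2024-03-09T03:51:02Z svc_backup ws-hr-07 hist-01 smb
2024-03-15T01:20:55Z svc_backup ws-hr-07 eng-ws-03 rdp
2024-03-02T09:00:00Z alice ws-hr-07 fs-01 smb
2024-03-03T09:00:00Z alice ws-hr-07 fs-01 smb
"""

# Constructed baseline of expected (account, destination) pairs, i.e. the
# "existing access points" an operator would record during an access review.
BASELINE = {("svc_backup", "fs-01"), ("alice", "fs-01")}


def parse_events(text):
    """Parse the constructed log format into sorted (ts, account, src, dst, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, proto = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, src, dst, proto))
    return sorted(events)


def find_fanout(events, window=timedelta(days=30), threshold=3):
    """Return {(account, src_host): [new destinations]} for pairs that reach at least
    `threshold` distinct unbaselined destinations inside any `window`-long span.
    The 30-day default is deliberately far longer than typical real-time correlation."""
    per_source = defaultdict(list)
    for ts, account, src, dst, _proto in events:
        if (account, dst) in BASELINE:
            continue  # known-good access, not progression
        per_source[(account, src)].append((ts, dst))
    alerts = {}
    for key, hits in per_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {d for t, d in hits[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[key] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for (account, src), dsts in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"fan-out from {account}@{src}: {', '.join(dsts)}")
```

In the sample, `svc_backup` quietly reaches three new hosts over eleven days and is flagged, while `alice` repeatedly touching her baselined file server is not.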

This warning reflects a hardening reality: cyber operations are now openly acknowledged as preparation for warfare. The UK and allied nations face a sustained, patient adversarial presence within their most vital systems. Detection and remediation timelines measured in months rather than hours suggest that the operational advantage currently lies with the attacker. Defenders require strategic investment in detection engineering, threat intelligence integration, and supply chain security to disrupt pre-positioning campaigns before conflict escalation occurs.
