David Dixon

The UK’s public sector – spanning the NHS, central and local government, emergency services, and education – is increasingly targeted by cyber criminals.

With digital transformation accelerating post-pandemic, the stakes have never been higher. According to recent government reports, ransomware attacks have cost public bodies over £1 million per incident, and more than 25% of breaches go undetected for months.

1. Skills Shortages

Public sector organisations face a critical shortage of cyber expertise. One in three cyber roles remains vacant or filled by costly contractors, and many departments lack senior digital leadership.

2. Financial Constraints

Budget pressures make it difficult to invest in proactive security measures. Yet prevention remains far more cost-effective than remediation.

Sophos Managed Detection and Response (MDR) offers 24/7 threat hunting and incident response, bridging the skills gap and providing scalable protection. It combines AI-driven detection with human-led analysis to:

• Proactively hunt and validate threats
• Assess severity and business impact
• Contain and neutralise attacks remotely
• Provide root cause analysis and remediation guidance

Deployment options include:

• Notify: Sophos alerts your team to threats
• Collaborate: Joint response with your internal team
• Authorise: Sophos handles containment and informs you of actions taken

This flexible model ensures public sector organisations retain control while benefiting from expert support.

Healthcare

An NHS Ambulance Trust adopted Sophos MDR to ensure uninterrupted access to patient data and services. Building an in-house 24/7 SOC was cost-prohibitive, making MDR a practical alternative.

Education

A leading independent school implemented Sophos MDR to protect student data and avoid ransomware-related downtime. Their proactive stance ensured continuity in teaching and learning.

Housing Associations

CyberLab has supported housing providers in deploying MDR to safeguard resident data and maintain operational integrity. These organisations now benefit from continuous monitoring and expert threat response.

The UK Government Cyber Security Strategy calls for a shift from reactive to proactive security across the public sector. Sophos MDR enables this transition by delivering round-the-clock protection, addressing talent shortages, and supporting digital resilience.

CyberLab is proud to support public sector clients across healthcare, education, housing, and government. As Sophos Public Sector Partner of the Year for ten consecutive years, and with a team of CREST and CHECK-certified testers, we’re here to help you strengthen your cyber defences.

Ministry of Defence, Microsoft, and more!

As we approach the halfway point of 2024, we have already witnessed several significant cyber incidents that have had far-reaching impacts on major global organisations. These incidents have led to the likes of the MITRE, Microsoft and even the Ministry of Defence (MoD), having to answer uncomfortable questions as to how these incidents occurred.

In this blog, we highlight the top five cyber incidents of the year so far, examining what happened, who was affected, the fallout, and the broader implications for cyber security practices. Join us as we cover these major cyber incidents and explore the lessons we can learn from them.

Hackers backed by China’s government spy agency have been accused by the US and UK of conducting a year-long cyber-attack campaign, targeting politicians, journalists, and businesses. The campaign, attributed to a Chinese state-sponsored hacking group, aimed to steal sensitive information, and disrupt critical infrastructure. These coordinated cyber attacks reveal the growing threat posed by nation-state actors and the need for international cooperation to combat hostile nation states or state backed cyber threats effectively. [source: The Guardian]

These attacks highlight that cyber threats don’t just originate from opportunistic cyber criminals, they also have the power of nation-states behind them. Organisations need to ensure they are regularly reviewing their cyber security posture to ensure that cyber defences are up to date and current best-practices are followed. A cyber security posture assessment can highlight the strengths of your organisation’s defences and also indicate where you should focus for improvement.

In a significant data breach reported earlier this month, personal information of an unknown number of serving and former UK military personnel was accessed through a payroll system used by the Ministry of Defence (MoD). The compromised data includes names, bank details, and, in some cases, personal addresses. The breach, which targeted a system managed by an external contractor, did not involve any operational MoD data. Immediate action was taken to take the system offline, and investigations are ongoing. Defence Secretary Grant Shapps is set to outline a response plan, which will include measures to protect affected individuals.

Whilst it has still not been revealed as to who is behind the attack, this incident highlights the importance of securing supply chains and systems managed by external contractors and demonstrates how easily vulnerable products can leave even the most mature organisations exposed to persistent threat actors.

In another unfortunate tale of supply chain security, MITRE disclosed a significant cyber-attack in April 2024, orchestrated by state-sponsored hackers that exploited zero-day vulnerabilities in Ivanti VPN software.

MITRE are a key player in R&D for US government projects and authors of the widely adopted MITRE ATT&CK framework . The attack, attributed to a Chinese cyber espionage group known as UNC5221, targeted MITRE’s NERVE (Networked Experimentation, Research, and Virtualization Environment) an unclassified network used for research and development.

The hackers leveraged vulnerabilities CVE-2023-46805 and CVE-2024-21887, deploying sophisticated malware such as BrickStorm and BeeFlush, and used compromised administrator credentials to create rogue virtual machines.

This breach again underscores the critical importance of supply chain security, as vulnerabilities in third-party products can serve as entry points for significant cyber attacks. Organisations looking to prevent these types of attacks should have rigorous vulnerability management and ensure they are using supply chain risk assessments to determine the best third-parties to work with.

Despite maintaining persistence and attempting lateral movement within the NERVE infrastructure, the attackers failed to access other resources. This highlights the importance of architecture and configuration as although the hackers got in, their movement within the network was restricted and therefore reduced the damage these cyber criminals could do.

According to an article posted by Spiceworks, Microsoft’s premier cloud service, Azure, suffered a data breach in February 2024 affecting hundreds of executive Azure accounts, raising concerns over the security of big cloud-based platforms. The breach revealed critical vulnerabilities in Microsoft’s security measures, similar to previous incidents.

The attackers exploited a zero-day vulnerability, CVE-2024-21410, in Microsoft Exchange servers, which allowed them to access and misuse Windows NT Lan Manager (NTLM) hashes to impersonate legitimate users. Up to 97,000 Exchange servers are vulnerable to this flaw, which has a severity rating of 9.1. Additionally, Microsoft disclosed two more zero-day vulnerabilities: CVE-2024-21412, a security feature bypass, and CVE-2024-21351, a SmartScreen bypass vulnerability. These issues affected Exchange server versions before the February 13th update.

The perpetrators are believed to be hacking groups from Nigeria and Russia using proxy services and phishing links embedded in documents, primarily targeting mid and senior-level executives. This attack, involving user impersonation, data extraction, and financial fraud, marks the first time such a breach has occurred on the Azure platform.

Microsoft has since implemented measures to mitigate the impact of the breach and enhance the security of its cloud services. This incident brought Microsoft back under fresh scrutiny as a similar incident occurred in 2023 where Chinese-backed hackers were able to access sensitive data stored within the Azure platform [source: NPR]

These two incidents underscore the importance of regular vulnerability scanning and patch management. Organisations looking to mitigate risks from outdated software and zero-day vulnerabilities should ensure they have a robust patch management process and conduct regular vulnerability scans across their infrastructure and applications to maintain the integrity of their estate.

With such a vast and evolving suite of customisable products and features, it can be hard to stay up to date with the most recent security recommendations for Microsoft 365. In a Microsoft 365 Security Assessment, CyberLab can help you ensure security in your day-to-day operations by reviewing your MS365 configuration against industry-standard benchmarks from the Centre for Internet Security (CIS).

Digital transformation has revolutionised processes and information management, especially within the healthcare sector. However, with these advancements come significant cyber security challenges.

NHS Dumfries and Galloway faced significant disruptions due to a cyber attack targeting its systems. The attack, which occurred in early 2024, prompted concerns over the security of sensitive healthcare data and patient records.

While details about the nature and extent of the breach remain limited, the incident underscores the persistent threat posed by cyber attacks on critical infrastructure, particularly in the healthcare sector.

Learn about the complexities of securing healthcare organisations amidst the evolving threat landscape and discover the strategies to mitigate risks in our Securing Healthcare Organisations blog.

In conclusion, the top five cyber attacks of 2024 so far serve as a stark reminder of the evolving threat landscape. By understanding these incidents and implementing a layered and strategic approach to cyber security, organisations can better protect their people, data, and customers.

Stay vigilant, continuously update your defences, and ensure your incident response plans are robust to safeguard against future cyber threats.

Artificial intelligence (AI) being used for malicious intent has surfaced as a significant concern within the digital space. Cyber criminals are using Large Language Models (LLMs), like ChatGPT, and deepfake technology to launch cyber-attacks and scams. In this blog, we focus on the darker facets of AI, shedding light on the exploitation of AI systems, its impact on the threat landscape, and what organisations can do now to better protect themselves and their most sensitive assets against this new wave of threats. 

Malicious ChatGPT Prompts for Sale on the Dark Web Marketplace 

• Recent reports reveal a disturbing trend where thousands of malicious prompts designed to jailbreak and exploit AI are up for sale on the dark web. These prompts deceive AI models, enabling threat actors to steal data, orchestrate sophisticated scams and other illegal activities with alarming efficiency. 
• According to recent research carried out by Kaspersky, thousands of these nefarious prompts and compromised premium ChatGPT accounts are now available for purchase, posing a significant threat to ChatGPT, its users and their data. (source: The Register) 

AI and deepfake technologies are becoming more readily available. OpenAI, for example, recently announced their new generative AI, Sora, that can create video from text. And, although this advancement in technology and its availability is exciting, it is also inevitable that there will be cyber criminals looking to use it maliciously. 

Around the globe we are already seeing examples of these technologies being exploited by advanced threat actors, including cyber criminals, nation states or nation sponsored hacker groups. 

$25 million theft executed through a sophisticated deepfake scam

A recent article by Ars Technica has shed light on a ground-breaking cyber crime incident considered to be the first successful heist of its kind: a $25 million theft executed through a sophisticated deepfake scam. The scam involved the creation of highly convincing AI generated deepfake videos, which were used to impersonate key individuals within a financial institution.  

By leveraging these deepfake videos, the scammer manipulated employees into authorising fraudulent transactions, resulting in the substantial loss. This unprecedented heist marks a significant escalation in the sophistication of cyber criminal tactics, underscoring the evolving threat landscape faced by organisations worldwide. As the prevalence of AI-driven scams will inevitably continue to rise, it becomes increasingly crucial for businesses to bolster their cyber security posture and remain vigilant against such deceptive schemes. 

Deepfake news segments 

Iran-backed hackers had recently disrupted TV streaming services in the United Arab Emirates (UAE) by injecting deepfake news segments into the broadcasts according to The Guardian. These deceptive deepfake videos, generated using AI technology, were designed to resemble legitimate news reports, spread misinformation, and sow discord among viewers. This incident underscores the growing threat posed by state-sponsored threat actors and the increasing weaponisation of deepfake technology for political purposes.  

As nations continue to grapple with the challenges of cyber warfare and disinformation campaigns, it becomes imperative for governments to collaborate and implement international legislation that both prohibits and protects against the use of such attack methods, as well as educate and inform organisations across all industries about AI threats and how best to protect themselves and their assets. Additionally, organisations need to enhance and adapt their cyber security capabilities to be able to identify and defend against orchestrated AI driven attacks, which is backed up by a recent assessment conducted by the NCSC. The assessment focuses on how AI will impact the efficacy of cyber operations and the implications for the cyber threat over the next two years. (source: NCSC) 

According to the above-mentioned assessment by the NCSC, AI is poised to significantly impact the cyber threat landscape in the near future. The report suggests that AI will almost certainly be utilised by cyber adversaries to enhance their capabilities, including the development of more advanced attack techniques and procedures (TTPs).  

As AI technologies evolve, cyber criminals are increasingly going to automate tasks, evade detection, and execute targeted attacks with greater precision. This assessment underscores the urgent need for organisations to adapt their cyber security strategies to effectively mitigate the evolving threats posed by AI-driven cyber-attacks. This includes enhancing detection and response capabilities, investing in AI-powered security solutions, enforcing zero trust policies, implementing a culture of sufficient cyber awareness and vigilance amongst staff, and staying informed about emerging AI-driven threat vectors. 

While ChatGPT and other LLMs may not yet be capable of being used to write sophisticated malware to be sold at scale on the dark web or be in possession of nefarious nation states, we may not be far away from AI being used to orchestrate attack chains or write malware that can evade detection. A separate recent report from the National Cyber Security Centre (NCSC) sheds light on how AI driven ransomware attacks could become a reality by 2025. (source: NCSC)

As AI technologies are rapidly evolving, the application of its use for both good and bad is evolving with it, leading to a rapid shift in the threat landscape. It is imperative for organisations to not just understand how to defend against AI driven threats, but to learn how to use AI technologies securely and in a manner that best protects their assets and does not expose them to new vulnerabilities or risk. 

Already we are seeing collaboration amongst the international community to tackle this very issue. A recent publication on how to engage with Artificial Intelligence has been developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in collaboration with the NCSC, United States (US) Cyber security and Infrastructure Security Agency (CISA), Canadian Centre for Cyber Security (CCCS) and several other cyber security/government agencies from international partners. The publication highlights some key threats related to AI systems and summarises steps organisations should take when engaging with AI technologies (both in-house and 3rd parties) to mitigate risk. (source: ASD’s ACSC) 

While this new wave of advanced threats seems daunting and paints a bleak future for stakeholders responsible for managing risk, there are several steps organisations can do to protect against these threats. Many of these types of attacks still rely on the presence of human error and social engineering. Regularly training your people and creating a positive cyber awareness culture are key to reducing this type of threat.

Further to this, unsecured vulnerabilities are a common route of entry for cyber criminals and can be identified with regular vulnerability scanning and penetration testing to identify your security weak spots.

Organisations across all sectors, of all sizes should not neglect the fundamental steps that make up the foundations of any cyber security strategy. Few organisations have the right tools, people, and processes in-house to manage their security program around-the-clock while proactively defending against new and emerging threats. Adopting security defences like Sophos MDR can provide an elite team of threat hunters and response experts to take targeted actions on your behalf to neutralise even the most sophisticated threats.

For better or worse, AI is going to change how we live our lives greatly, and while its application for solving huge problems on a global scale is something to be embraced, we should also be aware of its capacity to cause great harm. Organisations need to adapt to the new world of AI driven technologies and attacks, whilst continuing to invest in the foundations of their cyber security posture.