
54% of UK Firms Hit by Nation State Cyber Attacks as Geopolitical Tensions Escalate

18 March 2026 · 5 min read


Over half of UK companies fell victim to nation state cyber attacks in 2025, marking a sharp escalation in state-sponsored cyber warfare against British businesses. New research from Armis reveals that 54% of UK firms experienced nation state attacks over the past year, representing a significant increase from the 47% recorded in the previous study.

The research exposes how geopolitical tensions are translating directly into cyber threats for UK mid-market businesses. Nation state attacks involve sophisticated, government-backed hacking operations that target organisations for espionage, disruption, or strategic advantage rather than immediate financial gain. With 80% of UK IT leaders reporting that rising geopolitical tensions have intensified cyber warfare threats, the traditional concept of "mutually assured disruption" appears to be failing as a deterrent.

Key Facts:
- 54% of UK companies were targeted by nation state attacks in 2025, up from 47% previously
- 80% of UK IT leaders report increased cyber warfare threats due to geopolitical tensions
- Recent Iranian attacks on critical infrastructure demonstrate the erosion of traditional cyber deterrence
- Mid-market businesses increasingly face the same sophisticated threats previously reserved for government targets

According to reporting from Infosecurity Magazine, this escalation reflects a fundamental shift in how state actors approach cyber warfare, with traditional boundaries between military and commercial targets becoming increasingly blurred.

Why Traditional Cyber Deterrence Is Breaking Down

The doctrine of mutually assured disruption, which historically kept state-sponsored attacks within certain bounds, is proving inadequate against current threats. Recent attacks attributed to Iranian state actors against critical infrastructure demonstrate how adversaries are willing to risk significant retaliation to achieve strategic objectives. The NCSC has documented increasing sophistication in state-sponsored campaigns, with attackers developing capabilities specifically designed to evade traditional enterprise security measures.

This breakdown creates particular vulnerability for mid-market businesses, which often lack the resources for the advanced threat detection capabilities deployed by government agencies and large enterprises. State actors increasingly view these organisations as valuable targets for supply chain infiltration, intellectual property theft, and economic disruption. The attacks documented in the Armis research frequently involved multi-stage operations lasting months, with attackers establishing persistent access before activating destructive capabilities.

The Iran Factor: New Patterns in State-Sponsored Attacks

Iranian state actors have emerged as particularly aggressive in targeting UK businesses, employing increasingly sophisticated techniques that blend traditional espionage with cybercriminal tactics. Iran's use of real criminal networks has created hybrid threats in which state objectives merge with profit-driven cybercrime, making attribution more complex and defensive planning more challenging.

Recent Iranian operations have demonstrated willingness to cause significant operational disruption, moving beyond traditional espionage to attacks designed to degrade UK economic capabilities. The recent Stryker incident, where Iranian-linked hackers wiped 80,000 devices using Microsoft Intune, illustrates how state actors are weaponising legitimate management tools to achieve strategic objectives. This represents a fundamental shift from covert intelligence gathering to overt economic warfare.

How Mid-Market Businesses Become Strategic Targets

The research reveals that nation state actors increasingly target mid-market businesses not as end objectives, but as pathways to larger strategic goals. These organisations often maintain supply chain relationships with critical infrastructure providers, government contractors, or major corporations, making them valuable stepping stones for broader campaigns.

State-sponsored groups exploit the security gap that exists in many mid-market organisations—sophisticated enough to hold valuable data and relationships, but lacking the advanced security capabilities of major enterprises. The attacks documented by Armis frequently began with compromise of smaller suppliers or partners before pivoting to primary targets. This supply chain approach means that even businesses with limited government contracts or critical infrastructure roles may find themselves in the crosshairs of nation state campaigns.

Defensive Strategies Against State-Level Adversaries

Defending against nation state attacks requires a fundamentally different approach from defending against cybercriminals. State actors operate with longer timeframes, greater resources, and strategic rather than purely financial objectives. The NCSC's Active Cyber Defence programme provides frameworks specifically designed for this threat level, emphasising assumed breach scenarios and lateral movement prevention.

Critical defensive measures include implementing zero-trust network architectures that assume compromise, establishing robust monitoring for advanced persistent threats, and developing incident response capabilities that account for state-level adversaries' tendency to maintain long-term access. Organisations must also consider the intelligence value of their data and relationships, not just immediate financial impacts. This includes protecting intellectual property, customer data, and strategic business information that could provide economic or political advantage to hostile nations.

PTG Advisory Team
Pacific Technology Group
