26 March 2024

6 min read

NCSC issues cyber incident response advice to CEOs | Cyber Intelligence Briefing: 26 March

March 2024
Cyber Intelligence Briefing


Top news stories this week

  1. Top tips. The NCSC publishes advice on cyber incident response processes.
  2. Web of lies. China-linked cyberespionage fractures inter-governmental trust. 
  3. Takedown. Darknet marketplace Nemesis seized by German authorities.
  4. Glitch grills Greggs. Greggs stores across the UK forced to close following IT glitch.
  5. Hacktivism. Anonymous Collective claims to have breached Israeli nuclear research facility.
  6. Trade off. Data subjects extorted after data stolen from New Zealand’s Mediaworks.

Listen to the Cyber Intelligence Briefing

New call-to-action New call-to-action New call-to-action New call-to-action

1. NCSC issues cyber incident response advice to CEOs   

The UK’s National Cyber Security Centre has released new guidance on responding to cyber attacks, recommending a list of approved external experts to assist in response and recovery activities. The agency discouraged victims from making ransom payments, a viewpoint further emphasised through recent plaudits given to the British Library for refusing to pay a ransom during a ransomware attack last October.

So what?

Cyber incidents involve many complexities and considerations. It is important for organisations to consult experienced third party incident response firms during a crisis.

[Researcher: Adelaide Parker] 

2. China-linked threat actors hack government bodies, exploit inter-state trust  

A Chinese APT group has compromised 70 organisations across 23 nations, with a specific focus on foreign affairs ministries. The threat actor exploited vulnerable government web servers and sent spear-phishing emails from compromised government email accounts to carry out their cyberespionage across multiple government entities.

So what?

These tactics underscore the vulnerability of inter-governmental communication networks and the risk of supply chain compromise. This reinforces the need for comprehensive, network-wide cyber security measures.

[Researcher: Lawrence Copson]

3. German law enforcement seize darknet marketplace Nemesis

German authorities have seized the infrastructure of darknet marketplace Nemesis which was used to sell ransomware services and tools to facilitate phishing and DDoS attacks. The site had 150,000 users and over 1,000 registered sellers.

So what?

This action helps disrupt the cyber criminal ecosystem and shows that countries are taking steps to shutdown criminal infrastructure hosted within their territories.

[Researcher: Waithera Junghae]

New call-to-action


4. Greggs stores across the UK forced to temporarily close following IT glitch

Following an IT disruption, Greggs stores across the UK were prevented from accepting card payments, forcing some to only accept cash payments and others to close temporarily. The three-hour IT disruption resulted in the chain's share price dropping by GBP 40 million. This issue is the latest in a series of IT issues affecting large organisations including McDonald's, Sainsbury's, and Tesco.

So what?

This event demonstrates the repercussions that publicly traded companies can experience during a brief IT service outage. Having a documented and tested business continuity plan will help minimise the impact of unexpected disruptions.

[Researcher: Amy Gregan]

5. Anonymous Collective claims to have breached Israeli nuclear research centre

An Iran-linked hacking group related to the 'Anonymous' collective claims to have breached the IT network of an Israeli nuclear research centre. Whilst the group has published thousands of documents allegedly stolen from the facility, there is no evidence they have breached the operational technology network.

So what?

Political targets are often the prey of hacktivists. Organisations exposed to political risk directly or through their supply chain should ensure the implementation of robust cyber defences.

[Researcher: Amy Gregan]

6. Threat actor blackmails customers for payment in exchange for their data

The New Zealand company Mediaworks has confirmed that a cyber attack compromised a database containing customer information dating back to 2016. The threat actor has advertised the sale of the stolen data on a dark web forum and has reportedly resorted to extorting individual victims for USD 500 in Bitcoin.

So what?

Attempting to monetise data leaks by extorting individual users rather than the breached companies is a novel threat actor tactic. As the breached data ecosystem grows and data decreases in value, it is likely that threat actors will continue to pursue individual victims for payment.

[Researcher: Adelaide Parker]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.