The China Threat to UK Firms
- nicolaferraritest
- Oct 6
September 2025, Daryl Flack, Partner
Published on: SC Magazine
The UK National Cyber Security Centre is warning that China is targeting governments and critical national infrastructure in the UK. How big is the threat to the UK, and how should organisations respond?
At the end of August, the UK National Cyber Security Centre (NCSC) issued an advisory alongside 12 international allies, warning that China is targeting governments and critical national infrastructure (CNI) in countries including the UK.
The alert links three China-based companies to a campaign targeting government, telecommunications, transportation, lodging and military infrastructure globally, “with a cluster of activity observed in the UK”.
The data stolen can ultimately provide Chinese intelligence services with “the capability to identify and track targets’ communications and movements worldwide”, the NCSC warned.
“We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale,” NCSC chief executive Dr Richard Horne said.
The NCSC tied the attacks to an organisation linked with China’s intelligence services, previously tracked as Salt Typhoon.
According to the NCSC, UK organisations in critical sectors should now ensure they bolster their security against China state-sponsored cyber activity. How can this be done?
The China Threat
The threat from Chinese adversaries is not new, but the country’s tactics are evolving. As well as traditional espionage, China-linked threat actors are now increasingly targeting supply chains and deploying ransomware as part of attacks.
Amid growing geopolitical tensions, Chinese technology companies, including those named, are therefore thought to be a growing threat to the West.
The advisory from the NCSC and international partners names three Chinese technology companies as enablers of state-sponsored cyber campaigns: The Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co, and Sichuan Zhixin Ruijie Network Technology Co Ltd.
This contrasts with previous alerts from the NCSC and allies, which have been more cautious in their approach. The advisory and its content are “both a stark warning and a watershed moment”, says Daryl Flack, partner at Avella Security.
Previous allegations centred on “unnamed or loosely affiliated groups”, he says. But this move is “notable for its breadth of international unity, the depth of public detail, and the clear identification of specific Chinese companies, rather than generic labels”.
Advisory Warns of Campaign Targeting CNI
The recent joint advisory details “a sophisticated Chinese state-sponsored campaign that has been systematically targeting CNI since 2021”, says Martin Riley, CTO at Bridewell. “What we're seeing with Salt Typhoon and related adversaries demonstrates a clear strategic investment by the People's Republic of China to develop comprehensive cyber force capabilities as an extension of their military doctrine.”
The pattern of overlapping tactics, techniques and procedures across Volt Typhoon, Gingham Typhoon and Salt Typhoon over the four-year period reveals “shared research and coordinated vulnerability development”, according to Riley. “Adversaries have successfully weaponised weaknesses across major network infrastructure vendors, turning network perimeter devices into persistent intelligence collection platforms.”
Adding to the risk, Salt Typhoon is a formidable adversary. It is known to be “a well-organised group with a clear division of tasks”, says Boris Cipot, senior security engineer at Black Duck. The group usually exploits publicly known vulnerabilities rather than sophisticated zero-day exploits, he says.
The operation from Salt Typhoon is part of a broader espionage effort, says Cipot. “Their efforts are focused on compromising edge devices and core infrastructure with the goal to monitor communications, track movements and retrieve sensitive data. If persistence and access to devices and infrastructure is successful, it can present a long-term risk to national security and even economic stability, as the targets are either core or critical infrastructure providers.”
Based on the group’s previous activities, at-risk sectors include UK telecommunications, transportation, lodging and defence contracting companies, says Cipot.
Those sectors are “attractive targets” due to the sensitive data they handle and their role in national operations. However, private companies can also be targets and must consider this threat seriously, he says. “In any case, it is wise for all organisations to avoid outdated systems or poor patch management.”
This threat is “particularly insidious for UK businesses” because Salt Typhoon is “not always precisely targeted” in its initial compromise phase, Riley warns. “They perform wide-sweeping compromises based on IP geography, meaning any organisation can become either collateral damage or, more dangerously, a pivot point into actual targets.”
Patching and Other Measures To Tackle the China Threat
The NCSC’s advisory describes how adversaries have had “considerable success” taking advantage of known common vulnerabilities, rather than relying on bespoke malware or zero-day flaws to carry out their activities. This could have been prevented by timely patching – a basic part of cyber security hygiene measures.
The NCSC’s advisory offers detailed guidance, including indicators of compromise and mitigation strategies. At the same time, the NCSC offers complimentary resources, such as the Early Warning service, sector-specific guidance, frameworks such as Cyber Essentials Plus, and its Cyber Assessment Framework.
Beyond this, firms should be taking steps such as comprehensive asset and vulnerability management – with priority given to prompt patching, says Flack.
Companies should also implement deep monitoring of network and edge devices, looking for unusual patterns or lateral movement that may otherwise go unnoticed, he advises.
Meanwhile, network segmentation and least-privilege access will help safeguard vital functions in sectors such as energy, communications, transport, and other national infrastructure, he adds.
In tandem, Flack advises “ongoing threat hunting for signs of compromise, particularly those that align with tactics attributed to China”.
Incident response playbooks and forthcoming legislation such as the UK Cyber Security and Resilience Bill are set to strengthen the regulatory backbone, extending requirements and powers where gaps remain, says Flack. “However, these cannot be a substitute for rigorous risk management and operational vigilance on the ground.”




