Active Threat Actors Targeting UK Financial Services
| Actor / Group | Origin | Primary Method | Active Techniques (ATT&CK IDs) | SME Risk |
|---|---|---|---|---|
|
Scattered Spider
aka UNC3944, Octo Tempest
|
CYBERCRIME | SIM-swapping and social engineering to bypass MFA; targets IT helpdesks to gain access. | T1078 T1566.001 T1621 | HIGH |
|
ALPHV / BlackCat
Ransomware-as-a-Service group
|
CYBERCRIME | Ransomware deployment following stolen credentials and VPN exploitation. Known to target professional services firms. | T1486 T1190 T1657 | HIGH |
|
APT29 / Cozy Bear
SVR, Russian Foreign Intelligence
|
RUSSIA / STATE | Spearphishing and supply chain compromise. Primarily targets government and finance. Sophisticated, long-dwell operations. | T1566.002 T1195 T1071.001 | MEDIUM |
|
APT40 / BRONZE MOHAWK
Chinese MSS-linked group
|
CHINA / STATE | Exploitation of internet-facing services and VPNs. Actively targeting financial data and intellectual property. | T1190 T1133 T1041 | MEDIUM |
|
MuddyWater
STATIC KITTEN, Iranian MOIS
|
IRAN / STATE | Phishing and exploitation of web frameworks (Laravel, Zimbra). Targeting professional services and finance for espionage. | T1566.001 T1190 T1059 | MEDIUM |
|
LockBit 3.0 Affiliates
Ransomware-as-a-Service network
|
CYBERCRIME | Access brokers sell network entry to affiliates who then deploy LockBit ransomware. SMEs frequently targeted as easier entry points. | T1486 T1078 T1083 | HIGH |
|
TA4903 (BEC Specialists)
Business Email Compromise group
|
CYBERCRIME | Impersonation of senior staff, solicitors, and payment processors to redirect bank transfers. Primary threat vector for insurance brokers. | T1566.002 T1534 T1078 | HIGH |
How Much of This Does GET-IT Cover?
Coverage by Tactic
Techniques in Use Against UK SMEs This Week
Current Risk Status for UK Financial Services SMEs
Sustained High-Activity Period — Financial Services Sector
NCSC and industry sources indicate continued elevated threat activity targeting UK professional services and financial sector SMEs. BEC attacks on insurance brokers are up approximately 34% year-on-year. Ransomware affiliate groups continue to prioritise SME targets identified as having weaker controls than enterprise counterparts. No specific imminent threat to a named organisation — but the baseline risk for this sector remains above normal.
Software Supply Chain Attacks (T1195) — NCSC Advisory: Check Your Dependencies
NCSC published a significant advisory on 4 June 2026 on software supply chain attacks, urging businesses to audit third-party software dependencies. Supply chain attacks occur when attackers compromise software at source — before it reaches the end user — meaning businesses can be infected through legitimate, trusted software updates. This is a particularly difficult attack vector to defend against because the compromised software passes normal security checks. The CISA KEV this week adds Oracle WebLogic Server (CVE-2024-21182) — an unauthenticated remote access vulnerability allowing attackers to read or fully access all data on affected servers. UK professional services firms using WebLogic-based platforms should treat this as urgent. Additionally, four SolarWinds Serv-U and Android Framework vulnerabilities were added to CISA KEV — confirming a broad exploitation sweep across multiple platforms this week.
ACTIVE — LockBit 3.0 Affiliates and ALPHV/BlackCat Successors Operational
Both ransomware-as-a-service ecosystems remain active with affiliate networks continuing to acquire access from initial access brokers. UK professional services firms make up approximately 18% of confirmed UK ransomware victims in Q1 2026 (NCSC data). Offline backups, patching cadence, and tested recovery plans are the three most effective mitigations at this level.
Live Source Summary
Does Your Security Stack Cover These Techniques?
64% coverage of active techniques is a starting point. If you'd like to understand exactly where your gaps are — and what it would cost to close them — book a resilience scan.
Book a Resilience Scan →Intelligence sourced from NCSC UK, the CISA Known Exploited Vulnerabilities Catalog, FCA ScamSmart, and the MITRE ATT&CK framework (licensed under CC BY 4.0). Technique descriptions are plain-English interpretations for SME audiences and are not verbatim reproductions of MITRE documentation. Coverage assessments reflect the GET-IT stack as configured for a typical SME client — actual coverage depends on your specific environment. This dashboard is updated weekly; data may not reflect events in the 24–48 hours prior to the last refresh date. GET-IT Solutions Ltd is not responsible for inaccuracies in third-party source data.