Active Threat Actors Targeting UK Financial Services
| Actor / Group | Origin | Primary Method | Active Techniques (ATT&CK IDs) | SME Risk |
|---|---|---|---|---|
|
Scattered Spider
aka UNC3944, Octo Tempest
|
CYBERCRIME | SIM-swapping and social engineering to bypass MFA; targets IT helpdesks to gain access. | T1078 T1566.001 T1621 | HIGH |
|
ALPHV / BlackCat
Ransomware-as-a-Service group
|
CYBERCRIME | Ransomware deployment following stolen credentials and VPN exploitation. Known to target professional services firms. | T1486 T1190 T1657 | HIGH |
|
APT29 / Cozy Bear
SVR, Russian Foreign Intelligence
|
RUSSIA / STATE | Spearphishing and supply chain compromise. Primarily targets government and finance. Sophisticated, long-dwell operations. | T1566.002 T1195 T1071.001 | MEDIUM |
|
APT40 / BRONZE MOHAWK
Chinese MSS-linked group
|
CHINA / STATE | Exploitation of internet-facing services and VPNs. Actively targeting financial data and intellectual property. | T1190 T1133 T1041 | MEDIUM |
|
MuddyWater
STATIC KITTEN, Iranian MOIS
|
IRAN / STATE | Phishing and exploitation of web frameworks (Laravel, Zimbra). Targeting professional services and finance for espionage. | T1566.001 T1190 T1059 | MEDIUM |
|
LockBit 3.0 Affiliates
Ransomware-as-a-Service network
|
CYBERCRIME | Access brokers sell network entry to affiliates who then deploy LockBit ransomware. SMEs frequently targeted as easier entry points. | T1486 T1078 T1083 | HIGH |
|
TA4903 (BEC Specialists)
Business Email Compromise group
|
CYBERCRIME | Impersonation of senior staff, solicitors, and payment processors to redirect bank transfers. Primary threat vector for insurance brokers. | T1566.002 T1534 T1078 | HIGH |
How Much of This Does GET-IT Cover?
Coverage by Tactic
Techniques in Use Against UK SMEs This Week
Current Risk Status for UK Financial Services SMEs
NCSC-Confirmed Active Campaign — Fortinet Firewalls and VPN Gateways
NCSC issued a specific alert on 18 June 2026 following the global FortiBleed credential harvesting campaign targeting Fortinet FortiGate firewalls and SSL VPN gateways. An estimated 73,932 Fortinet instances across 194 countries have had administrator credentials exposed — many of which remain valid. This is an active, ongoing campaign using credential stuffing, hash cracking, and automated scanning rather than a new zero-day vulnerability. Organisations using Fortinet perimeter equipment should treat this as a priority action item this week, not a scheduled maintenance task. RAG status raised to HIGH for this edition.
Credential Stuffing / Valid Account Abuse (T1078) — FortiBleed: 73,932 Fortinet Instances Compromised
NCSC issued a formal alert on 18 June 2026 confirming active global targeting of Fortinet FortiGate firewalls and SSL VPN gateways. The "FortiBleed" dataset contains administrator credentials for approximately 73,932 Fortinet instances across 194 countries — with security researchers estimating this represents roughly half of all internet-facing FortiGate devices discoverable via Shodan. Critically, many of these credentials are believed to remain valid. The attack method is not a new zero-day: attackers are using credential stuffing from prior breach databases, infostealer logs, and interception of SSL VPN authentication hashes from active sessions — which are then cracked offline using GPU clusters. Fortinet migrated to PBKDF2 password hashing in newer FortiOS releases, but documentation confirms that existing passwords retain the older SHA-256 format until users log in post-upgrade or explicitly reset credentials. This means patched systems are not necessarily safe if passwords have not been rotated. The NCSC CEO separately confirmed this week that hostile states are linked to three-quarters of cyber attacks affecting UK critical systems — and that Russian state activity against UK targets is increasing. The Cisco Catalyst SD-WAN directory traversal vulnerability (CVE-2026-20262) added to CISA KEV this week provides a secondary attack vector for network infrastructure compromise.
ACTIVE — LockBit 3.0 Affiliates and ALPHV/BlackCat Successors Operational
Both ransomware-as-a-service ecosystems remain active with affiliate networks continuing to acquire access from initial access brokers. UK professional services firms make up approximately 18% of confirmed UK ransomware victims in Q1 2026 (NCSC data). Offline backups, patching cadence, and tested recovery plans are the three most effective mitigations at this level.
Live Source Summary
Does Your Security Stack Cover These Techniques?
64% coverage of active techniques is a starting point. If you'd like to understand exactly where your gaps are — and what it would cost to close them — book a resilience scan.
Book a Resilience Scan →Intelligence sourced from NCSC UK, the CISA Known Exploited Vulnerabilities Catalog, FCA ScamSmart, and the MITRE ATT&CK framework (licensed under CC BY 4.0). Technique descriptions are plain-English interpretations for SME audiences and are not verbatim reproductions of MITRE documentation. Coverage assessments reflect the GET-IT stack as configured for a typical SME client — actual coverage depends on your specific environment. This dashboard is updated weekly; data may not reflect events in the 24–48 hours prior to the last refresh date. GET-IT Solutions Ltd is not responsible for inaccuracies in third-party source data.