Key findings from the 5th year of the Active Cyber Defence (ACD) programme.
# Incident Report: NCSC Active Cyber Defence (ACD) Year 5 Findings
## Executive Summary
This report summarizes the operational findings from the fifth year of the UK National Cyber Security Centre’s (NCSC) Active Cyber Defence (ACD) programme. The initiative focused on automating the removal of malicious content and reducing the UK's attack surface, successfully taking down 2.7 million malicious campaigns. The overall outcome shows a significant reduction in the lifespan of phishing attacks and improved public sector security posture.
## Incident Details
- **Discovery Date:** May 10, 2022 (Reporting Period Publication)
- **Incident Date:** 2021 Calendar Year
- **Affected Organization:** Various UK Public Sector and Private entities
- **Sector:** Cross-sector (Government, Healthcare, Finance, Small Business)
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2021
- **Vector:** Predominantly Phishing and Vulnerability Exploitation
- **Details:** Massive scale branding impersonation (e.g., NHS, HMRC, and Gov.uk) used to lure victims into providing credentials or financial information.
### Lateral Movement
- **Details:** While the ACD report focuses on perimeter defense, it highlights that unpatched vulnerabilities in public-facing assets (identified by "Web Check") served as the primary bridge for attackers to perform internal reconnaissance.
### Data Exfiltration/Impact
- **Details:** 2.7 million malicious items were disrupted, including:
  - Personal data harvested through phishing.
  - Financial loss via banking trojans and crypto-investment scams.
  - Compromised public sector email domains used for spoofing.
### Detection & Response
- **Discovery:** Automated scanning via "Web Check" and "Mail Check" services; community reporting via the Suspicious Email Reporting Service (SERS).
- **Response Actions:** Automated Takedown Service (TDS) engaged hosting providers to remove malicious content; Mail Check enforced DMARC policies to prevent domain spoofing.
## Attack Methodology
- **Initial Access:** Phishing (SMS/Email), Exploitation of unpatched web vulnerabilities.
- **Persistence:** Maintaining web shells on compromised shared hosting environments.
- **Privilege Escalation:** Not explicitly detailed, but implied via credential harvesting.
- **Defense Evasion:** Use of "fast flux" DNS and rapidly moving malicious content between global hosting providers.
- **Credential Access:** Spoofed login pages for UK Government services.
- **Discovery:** Scanning for vulnerable software versions (e.g., outdated WordPress/TLS versions).
- **Lateral Movement:** Automated exploitation of trust relationships between domains.
- **Collection:** Harvesting PII and financial data via fraudulent forms.
- **Exfiltration:** Standard HTTP/HTTPS POST requests to attacker-controlled servers.
- **Impact:** Fraud, brand damage, and operational disruption via unauthorized access.
## Impact Assessment
- **Financial:** Significant prevention of fraud (metrics suggest billions in protected value, though exact numbers vary by campaign).
- **Data Breach:** Millions of phishing URLs addressed; reduction in "celebrity scam" crypto-theft.
- **Operational:** Discovery and remediation of thousands of vulnerabilities across the public sector estate.
- **Reputational:** High impact due to impersonation of trusted government brands like the NHS during the COVID-19 pandemic.
## Indicators of Compromise
- **Network indicators:** hxxp[:]//www[.]ncsc[.]gov[.]uk[.]phishing-site[.]com (Defanged example of brand impersonation)
- **File indicators:** Malware lures disguised as PDF/Doc updates related to government grants.
- **Behavioral indicators:** Surge in SMS traffic (smishing) containing shortened URLs that redirect to domains outside gov.uk.
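The network indicator above shows the classic pattern of a trusted brand name placed as a subdomain prefix of an unrelated domain. The following triage helper, an added example rather than NCSC tooling, refangs indicators in that defanged notation and flags hostnames that embed a protected brand (as dotted labels or hyphenated inside one label) without actually sitting under it; the brand list and sample indicators are constructed.

```python
"""Flag hostnames that embed a trusted UK government brand as a subdomain
prefix of an unrelated domain, the pattern in the defanged indicator above.
Added example, not NCSC tooling; brand list and sample indicators are constructed."""
import re
from urllib.parse import urlparse

# Brands the report names as impersonated (assumed list, not exhaustive).
PROTECTED_BRANDS = ("ncsc.gov.uk", "hmrc.gov.uk", "gov.uk", "nhs.uk")

def refang(indicator):
    """Turn a defanged indicator (hxxp, [.], [:]) back into a parseable URL."""
    url = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", url)

def host_of(indicator):
    """Extract the lowercased hostname from a (possibly defanged) indicator."""
    url = refang(indicator.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def impersonated_brand(hostname):
    """Return the brand a hostname impersonates, or None if it looks legitimate."""
    # A host that genuinely sits under a protected brand is not impersonation.
    if any(hostname == b or hostname.endswith("." + b) for b in PROTECTED_BRANDS):
        return None
    labels = hostname.split(".")
    for brand in PROTECTED_BRANDS:
        blabels = brand.split(".")
        n = len(blabels)
        # Brand labels appearing anywhere else in the host, e.g. ncsc.gov.uk.evil.com
        if any(labels[i:i + n] == blabels for i in range(len(labels) - n + 1)):
            return brand
        # Brand squeezed into one label with hyphens, e.g. hmrc-gov-uk.evil.net
        if any(brand.replace(".", "-") in label for label in labels):
            return brand
    return None

def triage(indicators):
    """Map each indicator to (hostname, impersonated brand or None)."""
    return [(host_of(ind), impersonated_brand(host_of(ind))) for ind in indicators]

# Constructed sample indicators, including the report's defanged example.
SAMPLE_INDICATORS = [
    "hxxp[:]//www[.]ncsc[.]gov[.]uk[.]phishing-site[.]com",
    "hxxps[:]//hmrc-gov-uk[.]refund-claims[.]net/login",
    "https://www.ncsc.gov.uk/report",
    "hxxp[:]//nhs[.]uk[.]covid-pass[.]example/verify",
]

if __name__ == "__main__":
    for host, brand in triage(SAMPLE_INDICATORS):
        print(f"{host:45} {'impersonates ' + brand if brand else 'ok'}")
```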
## Response Actions
- **Containment:** Takedown requests issued to global ISPs and registrars.
- **Eradication:** Helping hosting providers identify and remove malicious files.
- **Recovery:** Public notifications and advice for individuals who succumbed to scams.
## Lessons Learned
- **Automation is essential:** The scale of 2.7 million campaigns cannot be handled via manual human intervention.
- **Speed of Takedown:** Reducing the time a phishing site is live (from days to hours) drastically lowers the "victimization rate."
- **Visibility:** You cannot protect what you cannot see; External Attack Surface Management (EASM) is critical for large organizations.
## Recommendations
- **Implement DMARC:** Use the "Mail Check" approach to prevent domain spoofing.
- **Vulnerability Management:** Regularly use tools like "Web Check" to identify outdated software and certificates.
- **Public Reporting:** Promote the use of reporting tools (like SERS) to feed the threat intelligence ecosystem.
- **Adopt ACD 2.0:** Transition to proactive notification services as the threat landscape evolves and external attack surface management (EASM) becomes more sophisticated.
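The DMARC recommendation only prevents spoofing once the record is actually enforcing, which is what a Mail Check style assessment looks for. This added evaluator (not Mail Check's own code) parses a DMARC TXT record and reports why it falls short of enforcement; the two sample records are constructed, showing a monitoring-only record beside its corrected form.

```python
"""Evaluate a DMARC TXT record for the enforcement level that stops domain
spoofing. Added example, not NCSC Mail Check code; sample records constructed."""

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lowercased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (enforcing, findings) for a DMARC record.
    Enforcing means spoofed mail is quarantined or rejected for the full mail
    flow, on the organisational domain and on its subdomains."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["missing or invalid 'v=DMARC1' tag; receivers ignore the record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    sub = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if sub == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable")
    pct = tags.get("pct", "100")           # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports to spot abuse or misconfig")
    enforcing = policy in ("quarantine", "reject") and sub != "none" and pct == "100"
    return enforcing, findings

# Constructed records: a monitoring-only record and its enforcing replacement.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-rua@example.com"

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        enforcing, findings = assess_dmarc(rec)
        print(f"{name}: enforcing={enforcing}")
        for f in findings:
            print(f"  - {f}")
```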