NCSC: COVID-19 vaccines were prime target for hackers in 2021
The GCHQ's cyber arm says 20% of cyber attacks this year targeted the health sector and key organisations involved in the vaccine rollout


The National Cyber Security Centre (NCSC) has said it played a crucial role in the COVID-19 vaccine delivery this year, intervening in a record number of cyber incidents and protecting key figures in the health sector.
That's according to findings in a new report released by GCHQ's cyber arm Wednesday morning. The NCSC handled 777 incidents this year, up from 723 in 2020, and 20% of these were attacks on the health sector and key organisations in the vaccine rollout.
Researchers at the University of Oxford were among those who received help from the NCSC this year. The team working on the Oxford/AstraZeneca vaccine called in cyber security experts after they were targeted with ransomware which had the potential to significantly disrupt the UK's pandemic response.
Elsewhere, other staff working in the health sector and on vaccine delivery were also protected by the NCSC's Protective Domain Name System service. The tool prevented staff from accessing malicious domains and blocked 4.4 billion potentially harmful interactions, it said.
The NCSC's Active Cyber Defence (ACD) programme eliminated 2.3 million cyber-enabled commodity campaigns including 442 phishing campaigns that used NHS branding and 80 mobile apps hosted outside of the usual, official app stores.
The ACD is a suite of free-to-use tools provided to organisations by the NCSC to protect against the most common cyber attacks that strike UK businesses and other organisations, rather than targeted attacks that require more bespoke attention.
"The growth in the number of incidents handled by the NCSC this year is partially reflected in the organisation’s ongoing work to proactively identify threats through the work of its Threat Operations and Assessment teams," said the NCSC.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The report also echoed other corners of the industry in saying ransomware detections have once again increased on the previous year
One of the differentiating factors of ransomware activity in 2021 was the growing real-world impact of ransomware attacks on businesses and other organisations, the NCSC said.
With the JBS Foods attack, food supplies were affected and the Colonial Pipeline hack saw local fuel prices increase. Consumers were unable to complete on property purchases due to the Simplify Group and Hackney Borough Council cyber attacks. The latter also saw entire communities locked out of public services in an incident that took months and millions of pounds to recover from.
RELATED RESOURCE
"We will work with the FCDO to put cyber power at the heart of the UK’s foreign policy agenda, strengthening our collective security, ensuring our international commercial competitive advantage and shaping the debate on the future of cyberspace and the internet," said Lindy Cameron, CEO at the NCSC.
"We will need to reinforce our core alliances and lead a compelling campaign aimed at middle-ground countries to build stronger coalitions for deterrence and counter the spread of digital authoritarianism," she added. "This will involve better connecting our overseas influence to our domestic strengths, leveraging our operational and strategic communications expertise, thought leadership, trading relationships and industrial partnerships as a force for good."
The NCSC also expressed an interest in ramping up collaborative efforts from international law enforcement agencies to target ransomware operators overseas, namely in Russia and China, following related talks at the G7 summit held in Cornwall earlier this year.
Double extortion ransomware attacks which first rose to prominence in 2020, the NCSC said, are "almost certain to grow" next year with a high chance it will claim more victims in the UK.
Also expected to see an increase are supply chain attacks. Given the critical nature of the targets, attackers are highly likely to target this area again, the NCSC said, adding that successful compromises can lead to a highly effective campaign thanks to the global reach of supply chains.
“This year we have seen countless examples of cyber security threats: from state-sponsored activity to criminal ransomware attacks. It all serves to remind us that what happens online doesn’t stay online – there are real consequences of virtual activity," said Jeremy Fleming, director at GCHQ.
“In the face of rising cyber attacks and an evolving threat, this year’s NCSC’s Annual Review shows that world-class cyber security, enabled by the expertise of the NCSC as part of GCHQ, continues to be vital to the UK’s safety and prosperity.”

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
The unseen risk in Microsoft 365: disaster recovery
Businesses that assume they’re covered for data backup could come unstuck in a time of crisis
-
Anthropic CEO Dario Amodei's prediction about AI in software development is nowhere nearly to becoming a reality
News In March, Anthropic CEO Dario Amodei claimed up to 90% of code would be written by AI within six months – his prediction hasn't quite come to fruition.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million reward
News The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attack
News The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalities
News The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacks
News The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b model
News Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
‘Hugely significant’: Experts welcome UK government plans to back down in Apple encryption battle – but it’s not quite over yet
News Tulsi Gabbard, US director of national intelligence, has confirmed the UK plans to back down on plans that would see Apple forced to create a "back door" for authorities.
-
Average ransom payment doubles in a single quarter
News Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate