The UK’s National Cyber Security Centre (NCSC) has issued a fresh alert warning that Russian-aligned hacktivist groups continue to target British organisations with disruptive cyberattacks. The advisory, published on 19 January 2026, highlights a sustained campaign aimed at taking websites offline, disrupting online services, and disabling critical systems, particularly across local government and national infrastructure. The NCSC warning on hacktivist attacks urges organisations to strengthen their defences against denial-of-service (DoS) incidents, which, while often low in technical sophistication, can still cause widespread operational disruption. Officials say the activity is ideologically driven, reflecting geopolitical tensions linked to Western support for Ukraine, rather than financial motivations.

Persistent Threat from Russian-Aligned Hacktivist Groups

According to the NCSC, Russian-aligned hacktivist groups have been conducting cyber operations against UK and global organisations for several years, with activity intensifying since the Russian invasion of Ukraine. In December 2025, the NCSC co-sealed an international advisory warning that pro-Russian hacktivists were targeting government and private sector entities in NATO member states and other European countries perceived as hostile to Russia’s geopolitical interests. One group named in the advisory, NoName057(16), has been active since March 2022 and has repeatedly launched distributed denial-of-service (DDoS) attacks against public and private sector organisations. The group has targeted government bodies and businesses across Europe, including frequent DDoS attempts against UK local government services. NoName057(16) primarily operates through Telegram channels and has used GitHub and other repositories to host its proprietary DDoS tool, known as DDoSia. The group has also shared tactics, techniques, and procedures (TTPs) with followers to encourage participation in coordinated disruption campaigns. The NCSC said this activity reflects an evolution in the threat landscape, with attacks increasingly extending beyond traditional IT systems to include operational technology (OT) environments. As a result, the agency is encouraging all OT owners to review mitigation measures and harden their cyber defences.

NCSC Warning on Hacktivist Attacks and Resilience Measures

The NCSC warning on hacktivist attacks stresses that organisations, particularly local authorities and operators of critical national infrastructure, should review their DoS protections and improve resilience. While DoS attacks are often technically simple, a successful incident can overwhelm key websites and online systems, preventing access to essential services and causing significant operational and financial strain. NCSC Director of National Resilience Jonathon Ellison said: “We continue to see Russian-aligned hacktivist groups targeting UK organisations and although denial-of-service attacks may be technically simple, their impact can be significant. By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day.” He urged organisations to act quickly by reviewing and implementing the NCSC’s guidance to protect against DoS attacks and related cyber threats.

Guidance to Mitigate Denial-of-Service Attacks

As part of its advisory, the NCSC outlined practical steps organisations can take to reduce their exposure to DoS incidents. These include understanding where services may be vulnerable to resource exhaustion and clarifying whether responsibility for protection lies with internal teams or third-party suppliers. Organisations are encouraged to strengthen upstream defences by working closely with internet service providers and cloud vendors. The NCSC recommends understanding the DoS mitigations already in place, exploring third-party DDoS protection services, deploying content delivery networks for web-based platforms, and considering multiple service providers for critical functions. The agency also advises building systems that can scale rapidly during an attack. Cloud-native applications can be automatically scaled using provider APIs, while private data centres can deploy modern virtualisation, provided spare capacity is available.

Preparing for and Responding to Attacks

The advisory highlights the importance of a clear response plan that allows services to continue operating, even in a degraded state. Recommended measures include graceful degradation, retaining administrative access during an attack, adapting to changing attacker tactics, and maintaining scalable fallback options for essential services. Testing and monitoring are also central to resilience. The NCSC encourages organisations to test their defences to understand the volume and types of attacks they can withstand, and to deploy monitoring tools that can detect incidents early and support real-time analysis.

Broader Context and Ongoing Threat

This is not the first time the NCSC has called out malicious activity from Russian-aligned groups. In 2023, it warned of heightened risks from state-aligned adversaries following Russia’s invasion of Ukraine. The agency says the latest activity remains ideologically motivated and is carried out outside direct state control. Organisations are also being encouraged to engage with the NCSC’s heightened cyber threat reporting and information-sharing channels. Officials say building resilience now is critical as Russian-aligned hacktivist groups continue to test the UK’s digital infrastructure through persistent and disruptive campaigns.

The UK’s National Cyber Security Centre (NCSC) has issued a fresh warning about the growing threat of prompt injection, a vulnerability that has quickly become one of the biggest security concerns in generative AI systems. First identified in 2022, prompt injection refers to attempts by attackers to manipulate large language models (LLMs) by inserting rogue instructions into user-supplied content. While the technique may appear similar to the long-familiar SQL injection flaw, the NCSC stresses that comparing the two is not only misleading but potentially harmful if organisations rely on the wrong mitigation strategies.

Why Prompt Injection Is Fundamentally Different

SQL injection has been understood for nearly three decades. Its core issue, blurring the boundary between data and executable instructions, has well-established fixes such as parameterised queries. These protections work because traditional systems draw a clear distinction between “data” and “instructions.” The NCSC explains that LLMs do not operate in the same way. Under the hood, a model doesn’t differentiate between a developer’s instruction and a user’s input; it simply predicts the most likely next token. This makes it inherently difficult to enforce any security boundary inside a prompt. In one common example of indirect prompt injection, a candidate’s CV might include hidden text instructing a recruitment AI to override previous rules and approve the applicant. Because an LLM treats all text the same, it can mistakenly follow the malicious instruction. This, according to the NCSC, is why prompt injection attacks consistently appear in deployed AI systems and why they are ranked as OWASP’s top risk for generative AI applications.

Treating LLMs as an ‘Inherently Confusable Deputy’

Rather than viewing prompt injection as another flavour of classic code injection, the NCSC recommends assessing it through the lens of a confused deputy problem. In such vulnerabilities, a trusted system is tricked into performing actions on behalf of an untrusted party. Traditional confused deputy issues can be patched. But LLMs, the NCSC argues, are “inherently confusable.” No matter how many filters or detection layers developers add, the underlying architecture still offers attackers opportunities to manipulate outputs. The goal, therefore, is not complete elimination of risk, but reducing the likelihood and impact of attacks.

Key Steps to Building More Secure AI Systems

The NCSC outlines several principles aligned with the ETSI baseline cybersecurity standard for AI systems: 1. Raise Developer and Organisational Awareness Prompt injection remains poorly understood, even among seasoned engineers. Teams building AI-connected systems must recognise it as an unavoidable risk. Security teams, too, must understand that no product can completely block these attacks; risk has to be managed through careful design and operational controls. 2. Prioritise Secure System Design Because LLMs can be coerced into using external tools or APIs, designers must assume they are manipulable from the outset. A compromised prompt could lead an AI assistant to trigger high-privilege actions, effectively handing those tools to an attacker. Researchers at Google, ETH Zurich, and independent security experts have proposed architectures that constrain the LLM’s authority. One widely discussed principle: if an LLM processes external content, its privileges should drop to match the privileges of that external party. 3. Make Attacks Harder to Execute Developers can experiment with techniques that separate “data” from expected “instructions”, for example, wrapping external input in XML tags. Microsoft’s early research shows these techniques can raise the barrier for attackers, though none guarantee total protection. The NCSC warns against simple deny-listing phrases such as “ignore previous instructions,” since attackers can easily rephrase commands. 4. Implement Robust Monitoring A well-designed system should log full inputs, outputs, tool integrations, and failed API calls. Because attackers often refine their attempts over time, early anomalies, like repeated failed tool calls, may provide the first signs of an emerging attack.

A Warning for the AI Adoption Wave

The NCSC concludes that relying on SQL-style mitigations would be a serious mistake. SQL injection saw its peak in the early 2010s after widespread adoption of database-driven applications. It wasn’t until years of breaches and data leaks that secure defaults finally became standard. With generative AI rapidly embedding itself into business workflows, the agency warns that a similar wave of exploitation could occur, unless organisations design systems with prompt injection risks front and center.

Three London councils are responding to a major cybersecurity incident that has disrupted public services and triggered alerts across the capital. The Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and Hammersmith and Fulham Council confirmed on Tuesday evening (November 25) that they were investigating a serious Account Takeover Fraud–related cyber issue affecting shared systems. The situation has raised concerns as local authorities increase monitoring and coordinate with national agencies to understand the scale of the London councils cyberattack.

London Councils Confirm Cybersecurity Incident

RBKC issued an official statement revealing that both its systems and those of Westminster City Council were impacted by what it described as a “cyber security issue.” The London councils cyberattack incident, detected early on Monday morning (November 24), prompted both councils to notify the UK Information Commissioner’s Office (ICO) and work closely with the National Cyber Security Centre (NCSC) and specialist cyber incident responders. Officials said the focus remains on securing systems, protecting data, and restoring essential services. The first public indication of disruption came when RBKC posted on X around 1pm on Monday, warning of “system issues” affecting online services. By Tuesday morning, the council described the situation as a “serious IT issue,” confirming wider service interruptions as investigations continued. [caption id="attachment_107162" align="aligncenter" width="488"] Source: X[/caption] WCC issued a similar update, explaining that its computer networks were temporarily shut down as a precaution. The council apologised to residents for the inconvenience but emphasised that immediate action was necessary to prevent further impact. “We are taking swift and effective action to bring all our systems back online as soon as possible,” the council stated on its website. Emergency contact numbers were provided for urgent issues.

Multiple London Authorities Heighten Threat Levels

In the wake of the London councils cyberattack, Hackney Council circulated an internal “urgent communication,” warning staff that intelligence indicated multiple London councils had been targeted by cyberattacks within the last 24 to 48 hours. As a result, the borough escalated its internal cyber threat level to Critical. Hackney officials have experience responding to major cybersecurity incidents, following a severe attack in 2020 that affected hundreds of thousands of residents and staff. Hammersmith and Fulham Council also reported that it had responded to a serious cybersecurity incident, although the local authority stated that, so far, there was no evidence that its systems had been breached. Across the affected boroughs, several IT systems, online portals, and phone lines remain disrupted. To maintain essential services, councils activated business continuity and emergency plans, prioritising support for vulnerable residents. Additional staff have been assigned to monitor phone lines and emails while restoration work continues.

Authorities Investigating Potential Data Exposure

RBKC and WCC noted that it is still too early to determine the root cause, the extent of the incident, or whether any personal data has been compromised. However, officials confirmed that investigations are underway to determine whether the attack involved techniques similar to Account Takeover Fraud or other targeted compromise attempts. “We don’t have all the answers yet,” RBKC said, “but we know people will have concerns, so we will be updating residents and partners further over the coming days.” Council IT teams worked overnight on Monday to apply several mitigation measures, and officials said they remain vigilant for any potential follow-up attempts.

National Agencies Monitoring the Situation

A spokesperson for the National Cyber Security Centre confirmed awareness of the incident and said the agency is “working to understand any potential impact.” The NCSC continues to support local authorities in managing the wider threat. The Metropolitan Police Cyber Crime Unit also confirmed it received a referral from Action Fraud on Monday following reports of a suspected cyber-attack against several London borough councils. “Enquiries remain in the early stages,” a spokesperson said, adding that no arrests have been made so far. All affected councils apologised for the disruption and urged residents to expect delays in accessing some services. They also committed to providing further updates as system recovery progresses. For concerns related to Westminster or Hammersmith and Fulham, residents were advised to contact those authorities directly.