CFOtech UK - Technology news for CFOs & financial decision-makers
United Kingdom
UK banks face stealth cyber attacks, SonicWall says

UK banks face stealth cyber attacks, SonicWall says

Wed, 15th Jul 2026 (Today)
Karen Joy Bacudo
KAREN JOY BACUDO Finance Editor

SonicWall has identified a UK-specific pattern of cyber attacks against financial institutions, centred on covert reconnaissance rather than ransomware.

Data collected from specialised network-perimeter sensors in UK financial and insurance environments between January and May recorded 475,075 intrusion prevention system events and 28,192 distinct malware threats. Among them was a React Server Components remote code execution vulnerability affecting modern web frameworks such as Next.js, which reached 47% of monitored UK financial sensors.

That signature did not appear in SonicWall's global financial sector data, suggesting attackers were targeting British organisations that have adopted newer web application stacks.

The figures indicate a shift in the attacks hitting the sector. Only five ransomware hits were detected across the monitored sensors during the period, while credential-stealing Trojans accounted for 24,702 hits across 33 sensors.

The pattern suggests attackers are prioritising access and persistence over disruption. The data also showed 58,099 hits linked to legacy Java middleware across 37% of sensors, indicating older systems remain exposed.

Attack profile

Other activity in the dataset included 48,000 hits from SIPVicious across 15 sensors. The tool is commonly associated with attacks on voice-over-IP systems and can be used for toll fraud and network reconnaissance.

SonicWall also recorded 20,055 hits involving Hikvision camera vulnerabilities across 13 sensors in physical office environments. The figures suggest internet-connected devices at office sites remain part of financial institutions' attack surface.

The lower headline volume of intrusion prevention system events compared with 2025 should not be read as a sign of reduced risk. SonicWall attributed the decline from 14.4 million events to 475,075 to a smaller monitored sensor fleet and a shift by customers towards cloud-native security deployments.

That means the data reflects changes in visibility as well as shifts in attacker behaviour. Even with the lower event count, the mix of threats points to a more selective approach by threat actors.

Silent access

Spencer Starkey, Executive Vice President, EMEA, at SonicWall, described the pattern as pressure on both old and new systems.

"Our data confirms that UK financial institutions are dealing with a precise, double-edged threat matrix," Starkey said.

"The fact that the React Server Components exploit is hitting nearly half of our UK sensors, while remaining completely invisible globally, proves that attackers are carefully mapping out the specific digital footprints of British firms.

"The cyber game has changed.

"Disruptive ransomware has dropped to near-zero because attackers aren't trying to lock financial networks down anymore; they are quietly setting up camp. Between legacy Java infrastructure running unpatched and modern customer-facing portals being relentlessly scanned, threat actors are choosing silent persistence and credential theft over loud chaos."

The findings add to a broader picture of cyber risk in financial services, where banks and insurers must protect both ageing internal infrastructure and public-facing digital services. In practice, defenders are managing exposure across web applications, communications systems, and connected workplace hardware simultaneously.

For UK institutions, the standout result in the SonicWall data is the apparent localisation of web-exploit traffic. If the signature remains absent from global sector monitoring, it suggests attackers are selecting targets based on the software choices made by British firms rather than running a broad campaign across multiple markets.

The low level of ransomware in the sample does not mean extortion threats have disappeared. Instead, the dataset suggests that, at least in this part of the market, immediate disruption is being replaced by attempts to gain credentials, map systems and retain access without detection.