UK probes cyber breach at foreign office

UK authorities are investigating a sophisticated cyber intrusion into the country’s diplomatic systems after attackers penetrated networks at the Foreign, Commonwealth and Development Office, accessed sensitive material and triggered a sweeping security review across government. The breach, discovered in October 2025 during routine monitoring, has been linked by officials to a state-aligned group assessed to have connections to China, sharpening concerns over espionage risks amid strained geopolitical ties.

According to officials briefed on the matter, the attackers gained unauthorised access to a segment of the foreign office’s IT environment used for policy coordination and diplomatic communications. While ministers have not disclosed the full scope of the data taken, people familiar with the investigation say the material included internal correspondence, briefing papers and contact details relating to overseas missions. Systems handling classified intelligence were described as segregated and unaffected, though the incident has prompted a broader audit of network architecture.

The government moved swiftly to contain the intrusion, isolating affected servers and bringing in the National Cyber Security Centre to lead technical forensics. The NCSC, part of GCHQ, has been working alongside the Cabinet Office and external specialists to trace the attackers’ methods, assess persistence mechanisms and close exploited vulnerabilities. Officials said there was no evidence of ongoing access after remediation steps were implemented.

Ministers have stopped short of a formal public attribution, but senior figures acknowledged that the tradecraft matched patterns associated with Chinese state-backed groups that have targeted diplomatic, defence and technology institutions in Europe and North America. Beijing has repeatedly denied sponsoring cyber espionage and has accused Western governments of politicising cybersecurity issues. UK officials said any attribution would follow established thresholds and be coordinated with allies.

The episode has intensified scrutiny of cyber resilience within Whitehall at a time when departments are accelerating digital transformation. The foreign office relies on a complex mix of legacy systems and modern cloud services to support a global network of posts, creating a broad attack surface. Cybersecurity experts say diplomatic services are attractive targets because they hold insights into policy thinking, negotiations and alliances that can be exploited for strategic advantage.

Within days of the breach being identified, the government ordered a cross-department review of access controls, identity management and third-party connections. Officials said mandatory password resets, enhanced monitoring and tighter segmentation were rolled out, alongside guidance to staff on phishing and credential hygiene. The Cabinet Office is also examining whether procurement standards for software and managed services require strengthening.

Parliamentary committees have sought briefings on the incident, with questions focusing on preparedness, transparency and deterrence. Lawmakers from across parties have argued that repeated cyber incidents underline the need for sustained investment rather than episodic responses. The foreign office declined to comment on whether diplomatic protests had been lodged, citing the sensitivity of ongoing investigations.

The breach sits within a wider pattern of state-linked cyber activity targeting government institutions worldwide. Over the past decade, diplomatic services in several countries have reported intrusions aimed at harvesting policy documents and monitoring communications. Analysts note that such operations often prioritise stealth and longevity over disruption, enabling adversaries to build intelligence pictures over time.

UK officials have emphasised coordination with partners, sharing indicators of compromise and defensive lessons through established channels. Cooperation with Five Eyes allies and European counterparts has been described as central to strengthening collective defences and raising the costs for hostile actors. The government has also reiterated its commitment to using a full spectrum of tools, including sanctions and public attribution, where evidence meets the bar.


