Three London councils — the Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council, and the London Borough of Hammersmith and Fulham — experienced a significant cyber-attack that disrupted their shared phone and computer systems. In response to the attack, all three councils activated emergency response plans to manage the situation and mitigate potential harm to residents and staff.
The cyber-attack has affected services for hundreds of thousands of residents across the three boroughs. As a result, routine operations have been disrupted, causing inconvenience and uncertainty for individuals who rely on council services.
Investigations into the incident are underway, led by agencies such as the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA). As a precaution, the councils have shut down the affected systems to prevent further damage and protect sensitive information. At this stage, officials have not confirmed whether personal or financial data belonging to residents or staff has been compromised.
The cyber-attack on the three London councils was a serious intrusion with similarities to a ransomware incident. It is also suspected to have been a supply-chain attack, in which the attackers compromised a shared system and then gained access to the networks of multiple councils.
Residents of the Royal Borough of Kensington and Chelsea, Westminster City Council, and the London Borough of Hammersmith and Fulham were directly impacted by the attack.
Individuals whose data was stored in council records (including names, contact information, financial details, or housing information) were potentially exposed.
All residents who rely on online council services experienced service outages due to the attack.
There is a heightened risk of future data leaks or identity fraud resulting from the theft of sensitive information.
Reducing reliance on shared IT infrastructure and implementing stronger segmentation could have limited the scope of the breach.
Promptly patching vulnerabilities and removing unused or dormant accounts would have minimized opportunities for unauthorized access.
Adopting a zero-trust security model and enforcing least privilege access would have restricted attacker movement within systems.
Maintaining secure and regularly tested backups, along with robust incident-response plans, would aid in quick recovery.
Improving monitoring and threat detection for unusual activity would help identify and respond to attacks more rapidly.
Providing comprehensive cybersecurity training for staff, particularly on phishing prevention, would strengthen human defenses against similar attacks.
Sources
Author: The article was written by Robert Booth.
Source / Where it was published: It was published by The Guardian, in the “Technology / Cybercrime” section.
Date of publication: 26 November 2025.
The article maintains an objective tone, reporting facts and acknowledging where uncertainties remain, such as stating “too early to say who did this and why.” It presents a balanced perspective by including official responses, information about ongoing investigations, and the potential implications for services and residents.
The article cites official statements from the councils involved and references external agencies such as the NCA and NCSC in relation to the investigation and mitigation efforts.
It includes links to the councils’ own announcements and updates, as well as to previous related incidents, such as a 2020 ransomware attack on another London council, for additional context.
The reporting is well-sourced and transparent, clearly distinguishing between verified facts and aspects still under investigation, such as whether data was stolen, the type of data involved, and the identity of the attacker.
A Russian-linked hacker group, Calisto (aka Cold River/Star Blizzard), targeted Reporters Without Borders (RSF) in a cyber-espionage campaign.
The attack involved spear-phishing emails from seemingly trusted contacts, with the initial message omitting an attachment to encourage a response.
Victims received a follow-up email linking to a compromised website, which redirected them to a fake login page hosting malicious code or a credential-harvesting kit.
This fake page used Adversary-in-the-Middle (AiTM) tactics to steal usernames, passwords, and even two-factor authentication (2FA) codes during login attempts.
What kind of cyber-attack / security issue was it?
This was a spear-phishing and credential-harvesting attack, a form of social engineering in which attackers impersonate trusted individuals or organizations to trick victims into disclosing their login credentials. Specifically, the attackers combined phishing, spoofing, and an Adversary-in-the-Middle (AiTM) credential-stealing kit.
The main target in this campaign was a staff member of Reporters Without Borders (RSF).
In a broader context, the group responsible for the attack, Calisto, has previously targeted high-value organizations, including NGOs, think tanks, defense contractors, and other entities connected to Western democratic institutions or those supporting Ukraine.
To protect against similar attacks, consider the following strategies:
Exercise caution when receiving unexpected emails, especially those that contain attachments or ask you to download or open files. Even if the sender appears familiar, verify their identity through a means other than email, such as a phone call or direct message.
Avoid clicking on suspicious links in emails, especially those that prompt you to log in or enter credentials. Instead, access the service directly by navigating to its official website.
Implement multi-factor authentication. Be aware that some phishing kits attempt to steal two-factor authentication (2FA) codes; whenever possible, use hardware-based authentication methods—such as security keys—instead of SMS codes.
Keep software and systems up to date, utilize reputable security tools like anti-malware solutions and secure email gateways, and educate yourself and others about phishing and spoofing techniques.
Be skeptical of unexpected requests to “review documents” or provide login information, even if these requests are part of ongoing email threads. Attackers may use broken attachments to initiate conversations and gain trust.
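The point above about AiTM kits stealing 2FA codes, and why hardware security keys are recommended instead, can be shown in a small model. The following is an added illustration, not code from the article or from Sekoia.io: the origins, secrets and simplified HMAC "signature" are constructed stand-ins (real FIDO2/WebAuthn uses an asymmetric key pair), but the origin binding works the same way.

```python
import hashlib
import hmac
import secrets

# Constructed model: a one-time code typed into an AiTM proxy page is accepted by
# the real service, while an origin-bound authenticator (FIDO2 security key)
# produces a signature the service rejects. HMAC stands in for the signature.

REAL_ORIGIN = "https://login.example.org"        # constructed relying-party origin
PROXY_ORIGIN = "https://login-example.org.test"  # constructed AiTM proxy origin


def totp_code(secret: bytes, time_step: int) -> str:
    """Simplified time-based code: HMAC over the time counter, 6 digits."""
    mac = hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def service_checks_totp(secret: bytes, time_step: int, typed_code: str) -> bool:
    # The service sees only the code; nothing ties it to the page it was typed into.
    return hmac.compare_digest(totp_code(secret, time_step), typed_code)


def relayed_totp_login(secret: bytes, time_step: int) -> bool:
    """Victim types the code from their phone into the proxy page; the proxy
    forwards it to the real service inside the validity window. Accepted."""
    typed_on_proxy_page = totp_code(secret, time_step)
    return service_checks_totp(secret, time_step, typed_on_proxy_page)


def authenticator_sign(cred_secret: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The browser reports the origin the user is really on; the authenticator
    binds it into the signed data and cannot be told to use a different one."""
    return hmac.new(cred_secret, browser_origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def service_checks_assertion(cred_secret: bytes, challenge: bytes, signature: bytes) -> bool:
    # The service recomputes over ITS OWN origin; a signature over any other origin fails.
    expected = authenticator_sign(cred_secret, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)


def security_key_login(cred_secret: bytes, browser_origin: str) -> bool:
    """The proxy can relay challenge and response byte-for-byte, but the victim's
    browser still reports the proxy's origin, so the signature does not verify."""
    challenge = secrets.token_bytes(32)
    signature = authenticator_sign(cred_secret, challenge, browser_origin)
    return service_checks_assertion(cred_secret, challenge, signature)


if __name__ == "__main__":
    s = secrets.token_bytes(20)
    print("relayed code accepted:", relayed_totp_login(s, 58_000_000))  # True
    print("key via AiTM proxy:", security_key_login(s, PROXY_ORIGIN))   # False
```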
Author: The article was written by Priya.
Source / Website: It was published on Cyber Press, under the Cyber-Attack / Cybersecurity News section.
Date of publication: December 9, 2025.
(Priya, 2025)
The article references a write-up from the security firm Sekoia.io as the basis for its claims about the attack and attribution.
It also situates the attack within a broader context of known operations by Calisto / ColdRiver, a group documented by independent cybersecurity trackers.
The article provides some technical indicators (domain names, IP addresses, phishing-kit behavior) that, in theory, allow for verification or further investigation.
The facts presented in the article align with publicly available information about the threat actor discussed. The technical details are credible and appear to be informed by actual research. While attribution of attacks to state-backed groups is inherently uncertain, the article’s claims are in agreement with reports from security agencies and independent watchdogs.