The Longer Read

Why the record-breaking number of cyberattacks could be a prelude to the ‘big one’

A ‘perfect storm’ for hackers in 2025 has already impacted millions across the UK. Speaking to security experts and critical infrastructure workers, Anthony Cuthbertson investigates what’s behind the recent surge – and how the worst-case scenario might play out

Sunday 25 May 2025 09:23 EDT

Standing aboard an aircraft carrier in New York’s Hudson River in 2012, US defense secretary Leon Panetta warned of a looming attack that would “paralyse and shock the nation”. It would not come via air, land or sea, he said, but through the internet.

“A cyberattack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11,” he claimed, citing a recent spate of high-profile hacks that had exposed the fragility of an increasingly digitised critical infrastructure.

“They could derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals,” he continued. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

His speech marked a new era of cyberwarfare and a fundamental change in the way countries and corporations approached cybersecurity. It was also the first time such a senior figure had publicly recognised the existential threat of hackers, who were capable of pulling off what would come to be known as “the big one”.

The dire scenarios Panetta anticipated have since been the plots of Hollywood movies and TV shows – including Netflix’s 2025 blockbuster Zero Day – yet, thankfully, no real-world attacks have come close.

Cyber incursions have instead been far more insidious, typically focused on individuals or organisations rather than entire industries. In recent months, however, they have been ramping up to record levels.

Tens of millions of Brits have already been directly caught up in major hacks this year, with millions more impacted indirectly through site outages, loss of service, or even empty supermarket shelves. This week, more than a million Legal Aid users reportedly had their data exposed, which followed a breach of up to 10 million Marks & Spencer customers and 20 million Co-op members.

Data stolen from the attacks included the usual personal details – names, dates of birth, addresses – but also information that is potentially far more harmful, including criminal records and details of domestic abuse victims.

The attacks follow a broader trend of increasingly severe incidents, with several cybersecurity firms reporting a record number of ransomware attacks in the first quarter of 2025. Research from Check Point revealed that organisations were being hit with roughly 2,000 cyberattacks every week in the first three months of the year – up nearly 50 per cent compared to the same period last year.

Security researchers have attributed the sudden spike in attacks to a confluence of conditions, with some warning that the situation will likely become even more dire over the coming months.

“The surge is driven by a perfect storm of factors: the rapid digitisation of industries, increased reliance on third-party systems, and the rise of financially motivated, highly organised cybercriminal groups,” Spencer Starkey, an executive at cybersecurity firm SonicWall, tells The Independent.

“It is likely to get worse before it gets better. Attackers are innovating faster than defenders, and many organisations are still playing catch-up.”

Another reason behind the recent escalation is that hacking toolkits have become much cheaper and easier to use. Sophisticated tools that can be used to carry out massive campaigns can be purchased on the dark web or through apps like Telegram for as little as $50. Some tools, like the malicious chatbot WormGPT, are even found freely online, and can be used to conduct widespread fraud and social engineering attacks.

Their prevalence is reflected in figures released last month by fraud prevention service Cifas, which reported a record number of cases of identity fraud in the UK. In some cases, victims lost hundreds of thousands of pounds to scammers.

Another threat, which resurfaced in a formidable way this week, comes in the form of a new botnet capable of causing unprecedented online carnage. One Google researcher described the tool as powerful enough to “kill most companies”, after hackers demonstrated its capabilities in a 45-second attack on the website of cybercrime investigator Brian Krebs.

The botnet consists of millions of hijacked devices – ranging from smart fridges to security cameras – that can be instructed to perform distributed denial-of-service (DDoS) attacks on websites and online services, overwhelming them with web traffic and knocking them offline.

Named Aisuru, the botnet is roughly 10 times more powerful than the Mirai botnet that ripped through the internet in 2016. According to Krebs, Aisuru could soon launch “crippling digital assaults that few web destinations can withstand”.

Security researchers have already seen cybercriminals advertising Aisuru as a DDoS-for-hire service within illicit forums, costing as little as $150 per day to use.

All of these trends, combined with infinitely evolving vulnerabilities, could well be a harbinger for a cyber catastrophe akin to “the big one”, experts warn.

“It’s not hyperbole,” says Phil Tonkin, the field chief technology officer at Dragos, which provides cybersecurity for national infrastructure. The organisation’s most recent report on industrial ransomware, published on Wednesday, revealed a significant increase in ransomware incidents against critical sectors in the first quarter of the year.

“As [computer] systems become more connected, we’re seeing routine ransomware events have outsized operational impacts. A ‘big one’ might not be dramatic – it might just be widespread failure from an attack that hits the wrong system at the wrong time.”

It is a sentiment shared by SonicWall’s Spencer Starkey, who notes that the cyber landscape is almost unrecognisable from when Defence Secretary Panetta first sounded the alarm about an impending digital disaster.

“The threat of a large-scale attack on critical infrastructure is no longer hypothetical,” he says. “The techniques used in retail and legal sector breaches – identity compromise, ransomware, lateral movement – are exactly the kinds of methods that could disrupt healthcare, utilities, or government systems.

“While we haven’t yet seen a ‘black swan’ cyber event at scale in the UK, the trajectory of these attacks suggests that it’s a matter of when, not if.”
