Phishing Leads EU Cyber Intrusions, ENISA Reports

A new report from the European Union Agency for Cybersecurity (ENISA) reveals that phishing remains the dominant method for initiating cyber-attacks against organizations within the EU. The findings, detailed in the ENISA Threat Landscape 2025 report, analyze 4,875 security incidents recorded between July 2024 and June 2025. This comprehensive review highlights the primary techniques threat actors use to gain initial access to sensitive networks and systems.

During the reporting period, phishing was responsible for a staggering 60% of all observed intrusions. Exploiting software vulnerabilities trailed far behind as the second most common method, accounting for 21% of incidents. Other significant initial access vectors included botnets at 10% and malicious applications at 8%. The report further notes that the majority of these initial breaches, 68%, resulted in the subsequent deployment of malware. Outdated mobile devices and operational technology (OT) systems were specifically identified as high-value targets for these types of attacks.

The agency also pointed to the growing role of artificial intelligence in cybercrime. By early 2025, AI-powered phishing campaigns already constituted more than 80% of global social engineering activity. This technological advancement allows threat actors to scale their operations and create more convincing, personalized lures at an unprecedented rate.

Another critical trend highlighted in the document is the strategic targeting of “critical dependency points” within digital supply chains. Attackers focus on these interconnected systems to magnify the disruptive impact of a single intrusion. While specific statistics were not provided, the report referenced the recent ransomware attack on Collins Aerospace, which caused significant disruptions across European airports, as a prime example of this tactic. ENISA’s Executive Director, Juhan Lepassaar, emphasized that modern systems are deeply intertwined, meaning a disruption in one area can create a ripple effect throughout the entire supply chain, a vulnerability increasingly exploited by malicious actors.

In terms of attack volume, Distributed Denial-of-Service (DDoS) attacks were overwhelmingly the most common, making up 77% of all reported incidents. Despite their high frequency, only 2% of these DDoS attacks actually resulted in service disruption. This prevalence is closely linked to the rise of hacktivism, which was the leading threat actor motivation during the year. Hacktivists were connected to 79% of attacks, far surpassing financially motivated actors (13%) and those focused on cyber-espionage (7%).

The prolific Russian group NoName057(16) was identified as a key player, responsible for over 60% of claimed DDoS attacks through its DDoSia platform. The group’s activity notably surged during national elections and on occasions when the EU publicly expressed support for geopolitical causes opposed by Russia. ENISA also noted the increasing difficulty in distinguishing state-sponsored cyber operations from hacktivism, citing a convergence in tactics and the rise of “faketivism,” where state-affiliated groups deliberately masquerade as independent hacktivists.

The public administration sector bore the brunt of these cyber campaigns, being the most targeted sector at 38%. This high level of targeting is largely attributed to sustained attacks from both state-sponsored and hacktivist groups aiming to disrupt government functions and services.

(Source: Info Security)