EU Cyberattacks Increasingly Target Critical Infrastructure
▼ Summary
– ENISA’s 2025 Threat Landscape report shows 18.2% of EU cyberattacks targeted operational technology (OT) systems, reflecting their growing connectivity and targeting.
– The report analyzed 4,900 cybersecurity incidents from July 2024 to June 2025, combining public reports and submissions from EU countries and ENISA partners.
– Pro-Russian hacker groups like NoName057(16) and Z-Pentest Alliance are increasingly targeting OT systems to weaken Western industrial infrastructure and support Russia’s geopolitical goals.
– Newer groups such as Rippersec and Infrastructure Destruction Squad (IDS) have emerged, with IDS developing VoltRuptor malware specifically designed for industrial control systems.
– ENISA highlighted Italy as a particular focus for OT attacks since late 2024, with groups targeting public administration, media, transport, and industrial facilities.
A new report from the European Union’s cybersecurity agency reveals a troubling surge in cyberattacks targeting critical infrastructure systems. The ENISA Threat Landscape 2025 study, analyzing nearly 4,900 cybersecurity incidents from July 2024 through June 2025, indicates that operational technology networks are now a primary focus for malicious actors. These findings draw from both publicly reported events and confidential submissions by EU member states participating in threat intelligence sharing programs.
While mobile and web-based threats still dominate the overall attack landscape at 42% and 27% respectively, operational technology systems now account for 18.2% of all documented threats. ENISA emphasized that this reflects the growing exposure of industrial and critical systems as they become more interconnected and deliberately targeted. Many publicly disclosed incidents involving industrial control systems and other operational technology appear to originate from hacktivist groups, though investigators often trace these activities back to state-sponsored threat actors.
One prominent example is the pro-Russian collective NoName057(16), primarily recognized for its distributed denial-of-service campaigns. ENISA identified this group as part of a broader hacker alliance known as Z-Pentest Alliance, which has operated since October 2023. According to analysis from Orange Cyberdefense, Z-Pentest Alliance specifically aims to undermine industrial control systems in Western nations as part of efforts to strengthen Russia’s geopolitical influence by exploiting technological weaknesses in adversary infrastructure.
ENISA’s monitoring indicates that Z-Pentest Alliance members have progressively shifted their focus toward Italian operational technology systems since late 2024. Another pro-Russia collective, Rippersec, has also gradually escalated operations against EU member states. This group appears to concentrate on public administration and media sectors initially, with transportation networks and operational technology explicitly listed among their intended targets.
The report also highlights the emergence of Infrastructure Destruction Squad (IDS), a pro-Russia threat group that surfaced in June 2025. IDS reportedly developed VoltRuptor, a specialized malware designed for industrial control systems that incorporates sophisticated persistence mechanisms and anti-forensic capabilities. Security researchers indicate this malicious software is being marketed through dark web channels. ENISA documented one IDS attack targeting an Italian smart building automation firm, with additional unconfirmed reports suggesting incidents at industrial facilities in Ukraine, Romania, and the United States.
Given the recent appearance of this threat, ENISA stated that attributing the IDS persona to a Russia-linked intrusion set remains a plausible working theory. The complete ENISA Threat Landscape 2025 documentation is accessible through the agency’s official website. Industry professionals can explore these developments further at specialized conferences focusing on operational technology and industrial control system security, scheduled for late October 2025 in Atlanta. Recent complementary guidance from standards bodies also urges operators to maintain continuously updated system inventories and implement protective measures against USB-borne threats.
(Source: Security Week)
