ENISA Flags Surge in Operational Technology Attacks

The European Union’s cybersecurity agency ENISA has released its 2025 Threat Landscape report, warning that a growing share of cyberattacks in Europe are targeting operational technology (OT) systems.

The findings are based on nearly 4,900 incidents analyzed between July 2024 and June 2025. These cases include both publicly disclosed attacks and incidents reported to ENISA through EU member states and its information-sharing network.

While the report covers multiple attack categories, the data shows that 18.2% of all threats were aimed at OT systems. This makes OT the third most-targeted domain after mobile threats at 42% and web-based threats at 27%. ENISA noted that the surge reflects the rising exposure of industrial control systems and critical infrastructure as they become more connected and vulnerable.

The report highlights that many OT-focused attacks in Europe have been carried out by pro-Russian hacker groups. Although these groups often present themselves as hacktivists with political motives, ENISA pointed out that they are usually linked to state-backed operations.

One such group, NoName057(16), is known for its distributed denial-of-service attacks against European targets. According to ENISA, the group is part of the Z-Pentest Alliance, a network of hacker collectives formed in October 2023. Research from Orange Cyberdefense suggests Z-Pentest specializes in disrupting industrial systems such as ICS and SCADA, aiming to weaken Western infrastructure and boost Russia’s geopolitical leverage. Since late 2024, Z-Pentest operations have increasingly focused on Italy, where multiple OT systems have been attacked.

Another group, Rippersec, has also expanded its campaigns across EU nations. ENISA noted that the group initially targeted public administration and media organizations before moving toward transportation networks, with an intent to compromise OT systems.

The most concerning development in 2025 is the emergence of Infrastructure Destruction Squad (IDS). The group appeared in June and is believed to have developed VoltRuptor, a type of malware designed specifically for industrial systems. ENISA reported that VoltRuptor has persistence and anti-forensics features and is already being advertised on dark web forums.

IDS has already been linked to an attack on an Italian smart building automation company. Reports also suggest similar intrusions in Ukraine, Romania, and the United States. ENISA cautioned that it is too early to fully assess the scope of the group’s threat, but its ties to Russian operations are considered a realistic possibility.

The agency warned that operational technology threats are no longer isolated incidents but part of a broader geopolitical strategy. European industries and governments are being urged to treat OT security as a top priority, as adversaries shift their attention from traditional IT systems to critical infrastructure.

The full ENISA Threat Landscape 2025 report can be downloaded as a PDF from the agency’s website.