Operational Technology
Industrial
Vulnerability Management
Risk Management

ENISA Warns of Escalating OT Threats

George V. Hulme
/
Oct 22, 2025

The European Union Agency for Cybersecurity (ENISA) has issued a stark warning about mounting risks facing critical infrastructure, revealing how threat actors have intensified targeting of operational technology (OT) systems with sophisticated malware and persistent campaigns that could disrupt essential services across the continent.

ENISA's newly released Threat Landscape 2025 report, analyzing nearly 4,900 cybersecurity incidents between July 2024 and June 2025, identifies critical infrastructure and industrial control systems (ICS) as prime targets for both state-aligned threat groups and hacktivist organizations. The findings underscore a troubling convergence: advanced techniques once reserved for nation-state espionage are now being deployed with alarming frequency against power grids, transportation networks, and manufacturing facilities.

"Hacktivists increasingly view OT as a pressure point, not for ransom, but for visibility; these are symbolic attacks to make an operational impact," Daniel Gaeta, managing OT security engineer at GuidePoint Security, said. 

Aaron Crow, senior director at MorganFranklin Cyber, added that the convergence of hacktivists, gray-zone actors, state units such as GRU 74455, CCP-linked operators, and trans-national criminals has elevated OT environments onto the frontline. "Defending them requires not only better hygiene and segmentation but also intelligence fusion and forward-looking security," Crow said.  

What makes the current threat environment particularly concerning is the reported emergence of purpose-built malware explicitly designed to compromise industrial control systems. In June 2025, a new hacktivist group calling itself Infrastructure Destruction Squad reportedly debuted VoltRuptor, an ICS-specific malware package offering advanced multi-protocol support, persistence capabilities, and anti-forensics features that security teams may find exceptionally difficult to detect.


"Hacktivist groups have demonstrated intent, capacity, and opportunity to target operational technology systems," ENISA researchers conclude. 

Z-PENTEST-ALLIANCE has reportedly become the dominant hacktivist collective focusing on energy infrastructure across Italy, Czechia, Lithuania, Poland, Portugal, the Netherlands, and Spain. Such groups are broadly adopting ransomware operations, blending political messaging with financial extortion in ways that blur the lines between cybercrime and politically motivated disruption.

Still, the majority of hacktivist attacks are denial-of-service attacks, with only 5% being claimed data breaches or intrusions. Even so, the increased activity creates increased risk for OT/ICS operators.

State-aligned intrusion groups have intensified their long-term cyber espionage campaigns against critical infrastructure. China-nexus groups demonstrate the broadest reach, with Salt Typhoon maintaining particular focus on telecommunications since December 2024, successfully compromising operators in at least three EU member states. Russia-nexus groups have targeted diplomatic entities, ministries, law enforcement agencies, political parties, IT service providers, and telecommunications infrastructure.

The Supply Chain Achilles Heel

Perhaps no trend poses greater systemic risk than the exploitation of supply chain dependencies. Threat actors have recognized that compromising third-party providers and digital suppliers can be more effective than directly attacking hardened industrial facilities.

North Korean state-nexus group Lazarus has been inserting malicious packages into the Node Package Manager (npm) registry, which is operated by GitHub, exploiting developer trust in open-source components. The scale of exposure is staggering: detected secrets in code repositories increased 25% between 2023 and 2024, providing threat actors with credentials and access tokens that can unlock privileged access to industrial systems.

Third-party service provider breaches have cascaded across entire sectors. When Italy's Plus Service was compromised, multiple transport companies found their operations paralyzed. Operation Digital Eye, in mid-2024, specifically targeted professional IT providers in Southern Europe with the explicit goal of infiltrating the supply chain.

The mobile ecosystem presents an additional supply chain risk that many OT operators overlook. State-aligned Android spyware, including KoSpy, BoneSpy, PlainGnome, and EagleMsgSpy, has been documented targeting mobile devices used by critical infrastructure personnel. Russia-nexus groups have actively targeted WhatsApp, Signal, and Telegram accounts. At the same time, exploitation of SS7 and Diameter telecommunications protocols enables state-linked actors to remotely monitor and manipulate mobile communications without ever touching the device itself.

Artificial intelligence has dramatically amplified these threats. By early 2025, over 80% of all phishing emails used AI to some extent. For operators of industrial control systems, this means social engineering attacks targeting their employees have become more convincing, more personalized, and vastly more numerous. Threat actors are deploying jailbroken large language models, including WormGPT, EscapeGPT, and FraudGPT, to automate social engineering and accelerate the development of malicious tools.

Security Strategies for OT Asset Owners, Operators

The complexity of modern threats demands that critical infrastructure operators move beyond perimeter defenses and adopt intelligence-driven, systemic defensive strategies that emphasize proactive threat hunting and behavioral detection. 

"Early warning often comes from open-source intelligence and social media chatter; tracking narratives tied to ideology or geopolitics can reveal who's 'calling their shot' before an incident," said Gaeta. "Continuously monitor for changes in baseline behavior using passive network detection tools and run regular tabletop and incident-response exercises specific to OT systems."

"Companies should start by really understanding their threat landscape. That means doing targeted threat modeling and scenario planning that includes hacktivist risks—things like website defacements, data leaks, or disruptions to industrial control systems," said Mike Hamilton, a senior penetration tester at Centric Consulting.

"It's also smart to connect these scenarios to real-world events, such as protests or geopolitical flashpoints, to see how well the organization can respond, allocate resources, and coordinate across IT, OT, security, legal, and safety teams."

As we've covered extensively, asset visibility forms the foundation of any effective OT security program — operators cannot protect what they don't know exists. And complete asset inventories should extend beyond traditional IT equipment to encompass all connected devices, industrial controllers, and even mobile devices used by maintenance personnel and contractors. "Organizations need a complete, up-to-date inventory of OT and ICS assets and should map how they connect and depend on one another," Hamilton advised.

Network segmentation becomes even more critical when defending industrial control systems. Operators should implement network intrusion prevention specifically tuned to detect ingress tool transfer and web protocol abuse targeting industrial protocols. Network traffic filtering must prevent command-and-control communications while meeting the real-time requirements of industrial processes.
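The baseline monitoring Gaeta recommends, the asset inventory Hamilton calls for, and the filtering of unexpected conversations described above can be prototyped from passive flow records alone. The following is an added example written for this article, not code from ENISA or from any of the vendors quoted: it learns which Modbus/TCP conversations and function codes are normal from a known-good capture window, derives a passive host inventory from the same data, and then flags a new talker, a register write from a host that is not the assumed engineering workstation (10.20.1.10), an HMI reaching out to the internet, and a device-identification read that looks like reconnaissance. The addresses, flow records and field names are constructed for the example; a real deployment would feed it from a sensor such as Zeek's conn and modbus logs.

```python
"""Passive baseline-deviation detection for an OT network segment.

Added example, not code from ENISA or from the vendors quoted in the
article. A known-good capture window teaches the detector which
(src, dst, dport, proto) conversations and which Modbus function codes
per source host are normal; later flows that add a new conversation,
a new function code from a known host, or a write from a host that is
not an approved engineering workstation raise an alert. Flow records,
addresses and field names are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change process state (coil/register writes).
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}

# Assumed: only this engineering workstation may write to PLCs.
APPROVED_WRITERS = {"10.20.1.10"}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    func_code: Optional[int] = None  # decoded Modbus function code, if any


# Constructed known-good window: HMI (10.20.1.5) polls two PLCs,
# the engineering workstation performs one configuration write.
BASELINE_FLOWS = [
    Flow(1.0, "10.20.1.5", "10.20.2.11", 502, "tcp", 3),
    Flow(2.0, "10.20.1.5", "10.20.2.12", 502, "tcp", 3),
    Flow(3.0, "10.20.1.10", "10.20.2.11", 502, "tcp", 16),
    Flow(4.0, "10.20.1.5", "10.20.2.11", 502, "tcp", 4),
]

# Constructed live window: the same polling plus four deviations.
LIVE_FLOWS = [
    Flow(100.0, "10.20.1.5", "10.20.2.11", 502, "tcp", 3),   # normal poll
    Flow(101.0, "10.20.1.7", "10.20.2.12", 502, "tcp", 3),   # unknown host reads PLC
    Flow(102.0, "10.20.1.7", "10.20.2.12", 502, "tcp", 6),   # unknown host writes a register
    Flow(103.0, "10.20.1.5", "203.0.113.9", 443, "tcp"),     # HMI talks to the internet
    Flow(104.0, "10.20.1.5", "10.20.2.11", 502, "tcp", 43),  # HMI reads device ID (recon)
]


def learn_baseline(flows):
    """Return (known conversations, per-source function codes) from a known-good window."""
    conversations = set()
    func_codes = defaultdict(set)
    for f in flows:
        conversations.add((f.src, f.dst, f.dport, f.proto))
        if f.func_code is not None:
            func_codes[f.src].add(f.func_code)
    return conversations, dict(func_codes)


def passive_inventory(flows):
    """Hosts observed on the wire and the roles they played (passive asset list)."""
    roles = {}
    for f in flows:
        roles.setdefault(f.src, set()).add("client")
        roles.setdefault(f.dst, set()).add("modbus_server" if f.dport == 502 else "server")
    return roles


def detect(flows, conversations, func_codes, approved_writers=APPROVED_WRITERS):
    """Return (reason, flow) for every deviation from the learned baseline."""
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.dport, f.proto) not in conversations:
            alerts.append(("new_conversation", f))
        if f.func_code is None:
            continue
        if f.func_code in MODBUS_WRITE_FC and f.src not in approved_writers:
            alerts.append(("unapproved_write", f))
        elif f.src in func_codes and f.func_code not in func_codes[f.src]:
            alerts.append(("new_function_code", f))
    return alerts


def run_demo():
    """Learn from the baseline window, then score the live window."""
    conversations, func_codes = learn_baseline(BASELINE_FLOWS)
    return detect(LIVE_FLOWS, conversations, func_codes)


if __name__ == "__main__":
    for reason, f in run_demo():
        print(f"{f.ts:>6} {reason:<18} {f.src} -> {f.dst}:{f.dport} fc={f.func_code}")
```

The "new_conversation" rule is what a segmentation policy would enforce at the boundary; running it passively first tells an operator which legitimate conversations a firewall rule set would break before anything is blocked in a real-time process network.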


Access and privilege management deserve particular attention. Multi-factor authentication must be resistant to bypass techniques, as phishing-as-a-service platforms specifically target traditional MFA implementations. Given that 68% of intrusions involving vulnerability exploitation resulted in the deployment of malicious code, according to ENISA, behavioral prevention becomes essential for detecting threats that evade traditional defenses.

Supply chain security also demands vigilance. Organizations should implement software configuration controls, enforce code signing requirements to prevent malicious driver abuse, and conduct third-party security assessments before granting suppliers access to industrial networks. The 25% increase in detected secrets ENISA identified within code repositories underscores the need for secrets management and continuous repository scanning.
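The repository scanning called for above comes down to two checks: matching credential formats that have a fixed shape, and catching generic assignments whose value is long and high-entropy. The following is an added example written for this article, not a tool from ENISA or any vendor named here; it scans a set of constructed files (the AWS key is Amazon's documented placeholder, the other values are made up) and returns findings that a pre-commit hook or CI job could gate on. The pattern set is deliberately small; real scanners carry hundreds.

```python
"""Minimal secrets scanner for a code repository checkout.

Added example, not tooling from ENISA or from any vendor named in the
article. Matches well-known credential formats with regular
expressions and flags assignments of long, high-entropy values, which
is the core of what repository secret scanners do. All sample files
below are constructed; the AWS key is Amazon's documented example
value and the other tokens are invented.
"""
import math
import re
from collections import Counter

# Credential formats with a fixed, recognisable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}

# Catch-all: a secret-looking variable assigned a long value.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

# Constructed repository contents (path -> file text).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "TIMEOUT = 30\n"
    ),
    ".env": "GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Set PASSWORD=changeme before running.\n",
    "tests/fixtures.py": "token = 'aaaaaaaaaaaaaaaaaaaaaaaa'  # placeholder, low entropy\n",
}


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score well above 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, entropy_threshold=3.5):
    """Return a list of findings for one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        named_hit = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                named_hit = True
                findings.append({"path": path, "line": lineno, "kind": kind, "match": m.group(0)})
        if named_hit:
            continue  # do not double-report a line already matched by a named pattern
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append({"path": path, "line": lineno, "kind": "high_entropy_assignment",
                             "match": m.group(2)})
    return findings


def scan_repo(files):
    """Scan every (path, text) pair and concatenate findings in file order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def gate(findings):
    """True when the commit may proceed: no secrets were found."""
    return len(findings) == 0


if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES)
    for r in results:
        print(f"{r['path']}:{r['line']} {r['kind']}: {r['match'][:12]}...")
    print("commit allowed" if gate(results) else "commit blocked")
```

Note the two non-findings: `PASSWORD=changeme` is too short to clear the length floor, and the all-`a` fixture token has zero entropy, so neither is reported. Those are the two filters that keep a generic assignment rule from drowning reviewers in false positives.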

The threat landscape facing critical infrastructure has fundamentally shifted. Where attacks were once opportunistic and scattered, they are now persistent, sophisticated, and coordinated. Most importantly, in a shifting threat environment, it's critical to adjust the security posture as risk changes. "When intelligence shows elevated risk—geopolitical tension, your sector being called out, reconnaissance detected—tighten security automatically," Nilesh Jain, CEO at CleanStart, advised.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
