The European Union’s cybersecurity agency ENISA has published its 2025 Threat Landscape report, which shows that a significant percentage of the attacks aimed at the EU over the past year targeted operational technology (OT) systems.
The report is based on the analysis of nearly 4,900 cybersecurity incidents recorded between July 2024 and June 2025. This includes publicly reported incidents, as well as attacks reported to ENISA by EU countries and members of an ENISA information sharing program.
ENISA’s report covers a wide range of attacks and threats and it does not focus on OT. However, it reveals that 18.2% of threats observed during the study period were aimed at these types of systems, after mobile threats, which accounted for 42% of attacks, and web threats, which accounted for 27%.
“Operational technology threats represent 18.2%, reflecting the growing exposure of industrial and critical systems as they continue being increasingly connected and targeted,” ENISA noted.
Many of the publicly disclosed cyberattacks targeting industrial control systems (ICS) and other OT systems are conducted by hacktivists, or hackers who claim to be driven by an ideological or political agenda but are in fact a state-sponsored threat group.
One example is the pro-Russian hacker group NoName057(16), which is mainly known for its DDoS attacks.
NoName057(16) has been blamed for many attacks aimed at Europe and ENISA pointed out that the group is part of a larger alliance of hacker groups named Z-Pentest Alliance.
According to a report from Orange Cyberdefense, Z-Pentest Alliance has been around since October 2023 and it’s known for attacks aimed at ICS/OT systems.
“Z-Pentest’s attacks aim to weaken industrial and control systems (ICS/SCADA) in Western countries, thereby strengthening Russia’s geopolitical influence by exploiting the technological vulnerabilities of its enemies,” Orange Cyberdefense said.
ENISA has now reported that Z-Pentest Alliance members have increasingly targeted OT systems in Italy since the fourth quarter of 2024.
The cybersecurity agency has also highlighted another pro-Russia group, named Rippersec, which has slowly increased its activities against EU member states.
“This group appeared to specifically target the public administration and media/entertainment sectors, followed by transport, with a claimed intent to target operational technology (OT),” ENISA said.
The agency also pointed to the activities of Infrastructure Destruction Squad (IDS), a pro-Russia group that emerged in June 2025. IDS reportedly developed an ICS-specific malware named VoltRuptor. The malware, which is said to include advanced persistence and anti-forensics capabilities, is allegedly offered for sale on the dark web.
ENISA’s report mentions an IDS attack on an Italian smart building automation company. Others previously reported hearing about attacks on industrial facilities in Ukraine, Romania, and the United States.
“As this threat is too recent to assess, the leveraging of the IDS persona by a Russia-nexus intrusion set is a realistic working hypothesis,” ENISA said in its report.
The full ENISA Threat Landscape 2025 report is available in PDF format on the cybersecurity agency’s website.
Related: NIST Publishes Guide for Protecting ICS Against USB-Borne Threats
Related: New Guidance Calls on OT Operators to Create Continually Updated System Inventory
