Phishing and vulnerability exploitation accounted for the vast majority of initial access in cyber-attacks against EU organizations over the past year, according to ENISA.
The EU security agency revealed the news in its ENISA Threat Landscape 2025 report, which is based on analysis of 4875 incidents over the period July 1 2024 to June 30 2025.
Over the period, phishing accounted for 60% of observed intrusions, with vulnerability exploitation a distant second on 21%. Botnets (10%) and malicious applications (8%) round out the main culprits, with most (68%) intrusions leading to follow-up malware deployment.
Unsurprisingly, outdated mobile devices and operational technology (OT) systems were flagged by ENISA as “high-value targets” for these attacks. The agency also cited AI as helping threat actors to scale and refine campaigns, claiming that by early 2025, AI-powered phishing represented over 80% of social engineering activity worldwide.
The report also highlighted the growth of attacks targeting “critical dependency points” in the digital supply chain to amplify their impact. Although there were no statistics available to back this point, the recent disruption to European airports which stemmed from a ransomware attack on Collins Aerospace is a useful example.
“Systems and services that we rely on in our daily lives are intertwined, so a disruption on one end can have a ripple effect across the supply chain,” said ENISA executive director, Juhan Lepassaar.
“This is connected to a surge in abuse of cyber dependencies by threat actors that can amplify the impact of cyber-attacks.”
Read more on European cyber-threats: ENISA to Coordinate €36m EU-Wide Incident Response Scheme
DDoS and Hacktivism Dominate
While ransomware was named the “most impactful threat” in the EU over the year, it was DDoS that dominated in terms of attack volume, accounting for 77% of reported incidents. Only 2% of these actually led to service disruption.
However, the scale of the DDoS threat accounts for the fact that hacktivists were the number one threat actor type over the period, linked to 79% of attacks, versus 13% that were financially motivated and 7% focused on cyber-espionage.
Prolific Russian actor NoName057(16) was responsible for over 60% of claims, thanks to its DDoSia platform. Activity spiked during national elections and on occasions where the EU showed its support publicly for groups and causes geopolitically opposed to Russia.
However, it’s getting increasingly difficult to separate state-sponsored activity from hacktivism, due to a convergence in tactics, techniques and procedures (TTPs), and “faketivism” incidents where state groups pretend to be hacktivists, ENISA said.
Public administration (38%) was the most targeted sector during the period, largely driven by attacks from state-sponsored and hacktivist groups.
