Foreign states ramp up cyber attacks on EU with AI-driven phishing and DDoS campaigns

A CGI render of the EU flag shown as 12 gold stars hovering and creating a ripple effect in a wave of blue data

(Image credit: Getty Images)

published 2 October 2025

The EU is being battered by cyberattacks, with government and critical infrastructure the top targets, EU cybersecurity agency ENISA has warned.

The latest ENISA Threat Landscape report found that state-aligned threat groups have been intensifying their operations towards EU organizations. It's seen such groups carrying out cyberespionage against the public administration sector, while feeding EU audiences with misinformation.

At the top of the target list is public administration, at 38%, mostly hacktivism and state-nexus intrusion to conduct cyberespionage campaigns against diplomatic and governmental bodies.

Next is the transport sector, at 7.5%, followed by digital infrastructure and services at 5%, finance at 4.5% and manufacturing at 3%.

Hacktivism accounted for almost 80% of the total number of incidents, mainly through low-impact DDoS campaigns targeting EU member states organizations' websites. Only 2% of hacktivism incidents resulted in service disruption.

Phishing – including vishing, malspam, and malvertising – is the main method for initial intrusion, accounting for about 60% of cases.

"The recent ENISA report makes it clear that phishing is still the leading entry point for attackers. What's interesting is how the technique is being reshaped by AI," said Mick Leach, field CISO at Abnormal AI.

"As shown in the report, attackers don't need to innovate while they continue to see success with tried-and-true techniques. Instead, they can make these methods more impactful with generative models that allow the creation of highly convincing and context-aware campaigns."

Vulnerability exploitation was the next most common vector.

"Vulnerability exploitation, which accounts for 21.3% of all attacks according to ENISA, is continually seen as a problem for businesses," said Sylvain Cortes, VP strategy, Hackuity.

"The challenge is that organisations often have difficulty with visibility and prioritization; they need both a centralised view to identify vulnerabilities and then the context around these to know where to prioritise remediation efforts. There's an inherent imbalance in the time it can take for organisations to patch critical vulnerabilities and the speed with which attackers can exploit them."

DDoS hacktivism

DDoS attacks were the most common type of incident, accounting for 77%, with most carried out by hacktivists rather than cyber criminals. But, said the researchers, there has been a notable convergence between threat groups. State-aligned actors are showing hacktivist characteristics, while the two groups are using increasingly similar tools.

The report highlighted the abuse of critical dependency points, for example in the digital supply chain. And AI, meanwhile, is being used both as an optimization tool for malicious activities and also as a new point of exposure. LLMs are enhancing phishing and automating social engineering activities.

"The growing role of AI has become an undeniable key trend of the rapidly evolving threat landscape, the researchers said.

And, they warned, "While the focus of threat activities involving AI was the use of consumer-grade AI tools to enhance their existing operations, the emergent malicious AI systems is raising concerns about their capabilities in the future due to the widespread use of AI models."

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

TOPICS

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.