Inside Europe’s Manufacturing Cyber Threat Landscape (original) (raw)

Ransomware has industrialized. Manufacturing is the primary target.Ransomware has industrialized. Manufacturing is the primary target.

Ransomware-as-a-Service groups like Qilin operate with sophisticated affiliate structures, and many attacks begin with network access that was already being sold on underground forums weeks earlier. The report documents the full Initial Access Broker (IAB) -to-ransomware pipeline and the actors driving it.

Hacktivists are no longer just disrupting websitesHacktivists are no longer just disrupting websites

They're reaching factory floors. Italy, Spain, and Germany recorded the highest OT access volumes. In multiple cases, attackers published video evidence of controlling physical production processes.

State-sponsored actors are pre-positioning for disruptionState-sponsored actors are pre-positioning for disruption

In December 2025, BlackEnergy destroyed industrial control devices across 30+ Polish energy and manufacturing sites using default credentials on internet-exposed VPN appliances. TAG-100 weaponized proof-of-concept exploits within days to target European engine manufacturers and defense contractors. The report profiles both groups and explains what European manufacturers should do now.

What’s inside

Infographic

There’s a serious intelligence gap in European manufacturing. Security teams in factories have invested heavily in OT visibility, but the attacks documented in our report all started outside the factory perimeter — on underground forums, through compromised VPN credentials, and via supply chain access, which is hard to detect for internal sensors. If you're in charge of protecting a manufacturing operations in Europe, or anywhere in a European supply chain, this is the intelligence you may be missing.

If you want to learn more about threats targeting your industry and region, speak with our TI experts here.

Frequently asked questions

Where does the data in this report come from?

arrow_drop_down

All data is sourced from Group-IB Threat Intelligence, which provides continuous visibility into underground forums, dark web marketplaces, ransomware affiliate channels, hacktivist communities, and state-sponsored threat activity targeting industrial organizations.

Which countries does the report cover?

arrow_drop_down

The report covers six European manufacturing economies: the United Kingdom, Germany, France, Italy, Spain, and the Netherlands, with country-level incident data and threat actor targeting patterns for each. It also mentions key incidents in other European countries. The trends and threat actors described are relevant for manufacturers in all European countries.

Who is this report for?

arrow_drop_down

The report is designed for OT security leaders, SOC teams, threat intelligence practitioners, ICS security engineers, CISOs responsible for manufacturing environments, and manufacturing executives evaluating cybersecurity investment priorities.

What time period does the report cover?

arrow_drop_down

The report covers the full-year 2025 threat landscape with key incidents and emerging threats from early 2026.

Is the report free?

arrow_drop_down

Yes. The full report is available for download after completing the form.