Report an incident

Get 24/7 incident response assistance from our global team

Talk to sales

Just fill out the form, and our representative will contact you soon.

Join the Cybercrime Fighters Club

Please review the following rules before submitting your application:

1. Our main objective is to foster a community of like-minded individuals dedicated to combatting cybercrime and who have never engaged in Blackhat activities.

2. All applications must include research or a research draft. You can find content criteria in the blog. Please provide a link to your research or research draft using the form below.

Inside Europe’s Manufacturing Cyber Threat Landscape
← Research Hub

Inside Europe’s Manufacturing Cyber Threat Landscape

Why the biggest risks to industrial operations begin outside the factory
228
ransomware DLS posts
targeting European manufacturers
57
hacktivist claims of access
to industrial control systems
$250M
losses
from a single supply chain breach

Key trends

Ransomware has industrialized. Manufacturing is the primary target.Ransomware has industrialized. Manufacturing is the primary target.

Ransomware-as-a-Service groups like Qilin operate with sophisticated affiliate structures, and many attacks begin with network access that was already being sold on underground forums weeks earlier. The report documents the full Initial Access Broker (IAB) -to-ransomware pipeline and the actors driving it.

Hacktivists are no longer just disrupting websitesHacktivists are no longer just disrupting websites

They're reaching factory floors. Italy, Spain, and Germany recorded the highest OT access volumes. In multiple cases, attackers published video evidence of controlling physical production processes.

State-sponsored actors are pre-positioning for disruptionState-sponsored actors are pre-positioning for disruption

In December 2025, BlackEnergy destroyed industrial control devices across 30+ Polish energy and manufacturing sites using default credentials on internet-exposed VPN appliances. TAG-100 weaponized proof-of-concept exploits within days to target European engine manufacturers and defense contractors. The report profiles both groups and explains what European manufacturers should do now.

What’s inside

Full-year 2025 threat data across six European manufacturing economies: the UK, Germany, Italy, Spain, France, and the NetherlandsFull-year 2025 threat data across six European manufacturing economies: the UK, Germany, Italy, Spain, France, and the Netherlands

8 detailed threat actor profiles spanning ransomware, hacktivism, IABs, and state-sponsored espionage8 detailed threat actor profiles spanning ransomware, hacktivism, IABs, and state-sponsored espionage

Key companies attacked in 2025 – 2026Key companies attacked in 2025 – 2026

Actionable recommendations mapped to the threats targeting the sector Actionable recommendations mapped to the threats targeting the sector

MITRE ATT&CK heatmap: Top techniques targeting global manufacturingMITRE ATT&CK heatmap: Top techniques targeting global manufacturing


Infographic

There’s a serious intelligence gap in European manufacturing. Security teams in factories have invested heavily in OT visibility, but the attacks documented in our report all started outside the factory perimeter — on underground forums, through compromised VPN credentials, and via supply chain access, which is hard to detect for internal sensors. If you're in charge of protecting a manufacturing operations in Europe, or anywhere in a European supply chain, this is the intelligence you may be missing.
Anastasia Tikhonova
Anastasia Tikhonova
Global Threat Research Lead

If you want to learn more about threats targeting your industry and region, speak with our TI experts here.

Frequently asked questions

Where does the data in this report come from?

arrow_drop_down

All data is sourced from Group-IB Threat Intelligence, which provides continuous visibility into underground forums, dark web marketplaces, ransomware affiliate channels, hacktivist communities, and state-sponsored threat activity targeting industrial organizations.

Which countries does the report cover?

arrow_drop_down

The report covers six European manufacturing economies: the United Kingdom, Germany, France, Italy, Spain, and the Netherlands, with country-level incident data and threat actor targeting patterns for each. It also mentions key incidents in other European countries. The trends and threat actors described are relevant for manufacturers in all European countries.

Who is this report for?

arrow_drop_down

The report is designed for OT security leaders, SOC teams, threat intelligence practitioners, ICS security engineers, CISOs responsible for manufacturing environments, and manufacturing executives evaluating cybersecurity investment priorities.

What time period does the report cover?

arrow_drop_down

The report covers the full-year 2025 threat landscape with key incidents and emerging threats from early 2026.

Is the report free?

arrow_drop_down

Yes. The full report is available for download after completing the form.

Relevant reports

We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields:

Intelligence Insights Report, March 2026
New
Trend Report
Intelligence Insights Report, March 2026
Explore the most notable cybersecurity events in the region and the best practices
Learn more
High-Tech Crime Trends Report 2026
New
Trend Report
High-Tech Crime Trends Report 2026
The High-Tech Crime Trends Report 2026 reveals how this shift has industrialized cybercrime, exposed the...
Learn more
Intelligence Insights Report, December 2025
New
Trend Report
Intelligence Insights Report, December 2025
Explore the most notable cybersecurity events in the region and the best practices
Learn more
Intelligence Insights Report, November 2025
Trend Report
Intelligence Insights Report, November 2025
Explore the most notable cybersecurity events in the region and the best practices
Learn more