InfoGuard Cyber Security and Cyber Defence Blog

InfoGuard Threat Intelligence Report Q1/26: Europe's geopolitical cyber situation after "Epic Fury"

Written by Mathias Fuchs | 16 Mar 2026

Cyber operations have long been part of geopolitical conflicts. Iranian hacktivists, Chinese APT groups and Russian attackers are increasing the pressure on European organizations. The InfoGuard Threat Intelligence Report Q1/2026 analyzes the current threat situation and its consequences for companies.

The cyber threat situation in Europe: tenser than ever

The European cyber threat situation is at an all-time high. According to ENISA Threat Landscape 2025 (reporting period July 2024 to June 2025), 76.7% of all incidents were DDoS attacks driven by state-sponsored hacktivism. The public sector was the most affected sector at 38.2%, twice as high as the previous year. Phishing remains the most common initial vector at 60%, with over 80% of campaigns proven to use AI-generated content.

The CrowdStrike European Threat Landscape Report 2025 shows that ransomware is hitting the region at record levels, while nation-state attacks have increased by 150%. ENISA identifies 46 nation-state intrusion sets actively operating against EU Member States. The boundaries between cybercrime, hacktivism and state actors are becoming increasingly blurred. What used to be clearly separable is now a complex ecosystem of contract work, ideological motivation and state instrumentalization.

Iran: From cyber jihad to an open digital front - Situation March 2026

The escalation path: June 2025 to today

To understand the current situation, it is necessary to take a look at the escalation path. The twelve-day Israel-Iran conflict in June 2025 was the first major test of Iran's coordinated cyber ecosystem in the event of war. The Center for Strategic and International Studies (CSIS) analyzed over 250,000 Telegram messages from more than 178 hacktivist and proxy groups and documented rapid mobilization in sync with kinetic airstrikes. Groups such as Fatimion Cyber Team, Cyber Fattah and Cyber Islamic Resistance coordinated reconnaissance, DDoS attacks, website defacement and data theft in direct coordination with military action - a pattern indicative of institutional leadership, not organic hacktivism.

In parallel, the Iranian government deployed state-sponsored ransomware campaigns and paid bounties for infections against US and Israeli organizations. MuddyWater (MOIS) initiated Operation Olalampo, a structured cyber offensive against the META region (Middle East, Turkey, Africa) with overlaps to a parallel campaign called RedKitten - an indication of coordinated infrastructure of Iranian-aligned actors.

February 28, 2026: Operation Epic Fury and the digital response

On February 28, 2026, the US and Israel launched the coordinated military operation "Epic Fury" / "Operation Roaring Lion" with strikes on Iranian command structures, IRGC facilities and nuclear infrastructures. Within hours, Iran launched a multi-stage retaliatory campaign - both kinetic and cyber.

A technically noteworthy factor: the Israeli countermeasure was also one of the largest cyber operations in history against Iran itself, reducing Iranian internet connectivity to 1-4% (Unit 42 / Palo Alto Networks, March 2026). This means that Iran's highly specialized APT groups are operationally restricted domestically in the short term.

This results in two parallel threat scenarios:

  • Cells and proxy groups operating outside Iran are now acting with tactical autonomy - without a direct command structure from Tehran. This makes their actions more difficult to predict.

  • In the medium term - once connectivity is restored - we can expect an intensified wave of state APT operations, as IRGC units have had time to prioritize and activate access points that have been "dormant" for some time.

The "Electronic Operations Room" - coordinated cyber jihad

On February 28, 2026, the "Electronic Operations Room" was founded - a coordinating body that bundles pro-Iranian hacktivist collectives in a structured cyber jihad. The umbrella network "Cyber Islamic Resistance" (also: Islamic Cyber Resistance Axis) coordinates groups such as RipperSec, Cyb3rDrag0nzz and numerous others for synchronized DDoS waves, data deletion operations and defacements. By the beginning of March 2026, over 150 documented hacktivism incidents had been counted, with around 60 individual groups active - including pro-Russian collectives (CloudSEK Situation Report, March 2026).

Europol explicitly warned of an increased threat to the EU on March 6, 2026: "Key risks are an elevated threat of terrorism and violent extremism, increased cyber-attacks targeting EU infrastructure, a rise in conflict-themed online fraud schemes, and the spread of disinformation and influence campaigns." France, Germany and other EU states have increased their security measures, as Iranian networks are also operating in Europe.

What specific cyber risks does this pose for European organizations?

The UK National Cyber Security Centre (NCSC) issued an explicit warning at the beginning of March 2026: even though there is currently no significant increase in direct cyber attacks on UK networks, the situation can change at any time and with little warning. Historically, Iran's cyber activity has repeatedly hit Europe - Germany, France, the Netherlands, and the UK - often as collateral damage or as targeted secondary attacks on Middle East-related organizations.

The primary cyber risk profile for European organizations in the current context:

  • Critical infrastructure (energy, water, OT/ICS): Iran has been shown to prioritize ICS/SCADA systems as targets. The CVE-2025-1960 vulnerability in Schneider Electric EcoStruxure WebHMI has already been exploited in Iranian-affiliated campaigns.

  • Defense, aerospace, telecommunications: UNC1549 (Tortoise Shell) was the fourth most active Iranian actor in the second half of 2025, focusing on these sectors.

  • Government and diplomatic entities: MuddyWater spent 8 months undetected in a Middle Eastern government network - similar patterns can be expected with European entities.

  • Supply chain risk: Organizations using Israeli OT components (e.g. certain Unitronics systems) are considered indirect targets following the attack pattern of the CyberAv3ngers campaigns from 2023-2024.

  • Organizations with Iran-affiliated personnel or diaspora: Iranian actors are actively conducting persecution operations against regime opponents in Europe, including physical threats after cyber compromise.

Typical attack techniques of Iranian cyber operations

Iran's cyber arsenal is heterogeneous: it ranges from highly complex APT campaigns to criminally used ransomware frameworks. The special feature is the structural mixture: state-controlled access is monetized for criminal purposes, while at the same time plausible deniability of state involvement is maintained. Sicarii - a RaaS operation active since December 2025 - has a critical flaw: the malware deletes its own decryption keys after encryption, making recovery permanently impossible, regardless of a ransom payment (Halcyon, March 2026).

Technically, Iranian groups prefer to operate via: Exploitation of VPN gateways and firewalls (Pulse Secure, Fortinet, Palo Alto, F5, Citrix), ASPX webshells on exposed servers, living-off-the-land techniques (LOLBins) for persistence and lateral movement, and AI-powered spear phishing campaigns with high levels of personalization.

China: Silent presence in state networks - an underestimated threat

While Iran attracts attention with loud hacktivism and politically charged operations, China operates according to the opposite principle: maximum silence, minimal traces, long-term positioning. This paradigm shift has become increasingly clear over the last two years: China is shifting its focus from traditional industrial and IP espionage to state organizations and critical infrastructure.

Volt Typhoon - the best-known Chinese APT group for infrastructure targeting - operated undetected on some US networks for over five years. CISA Director Jen Easterly put it clearly: what has been found so far is "probably just the tip of the iceberg." Volt Typhoon uses exclusively living-off-the-land techniques - no malware, just native system tools. This makes traditional signature-based detection largely ineffective.

Chinese cyber operations have long since arrived in Europe: The Dutch services MIVD and AIVD confirmed the first publicly attributed Chinese attack on the Ministry of Defense in 2024 ("Coathanger" malware for Fortinet FortiGate). In May 2025, the Czech Republic blamed APT31 for the compromise of the Ministry of Foreign Affairs during the EU Council Presidency in 2022. EU High Representative for Foreign Affairs Kaja Kallas stated that the EU was "ready to impose costs on Beijing".

Salt Typhoon - another Chinese group - infiltrated the telecommunications infrastructure of over eight US providers, including CALEA wiretaps, and went undetected in some environments for up to three years. The FBI notified over 600 organizations in more than 80 countries of possible compromises. ENISA explicitly warns of six Chinese APT groups (APT27, APT30, APT31, Ke3chang, GALLIUM, Mustang Panda) as "significant and persistent threats to the EU" in 2025. CrowdStrike identifies Vixen Panda as "the most prolific threat to European government and defense institutions" (November 2025).

The geopolitical framework: China's increasing decoupling from the West and its claim to Taiwan make this positioning strategic: "Pre-positioning" means laying out access points to critical infrastructure that could be activated in the event of an emergency Taiwan conflict - to distract, demoralize or directly sabotage Western support structures. A Chinese official hinted at a secret meeting in Geneva in December 2024 that the infrastructure hacks were directly linked to US military support for Taiwan.

Russia: Hybrid warfare as a permanent state of affairs

According to ENISA 2025, Russia remains the most active state-sponsored threat to the EU. In 2024, APT28 (Fancy Bear, GRU) attacked the SPD headquarters, Czech government offices and German air traffic control (DFS), the latter alone costing around EUR 9 million. In April 2025, France blamed the APT28 group for cyberattacks on a dozen institutions since 2021. The affected targets included structures of the 2024 Olympic Games.

Sandworm (APT44) has been operating globally with its "BadPilot" campaign since 2022 and was responsible for destructive wiper attacks on wind and solar farms and power plants in Poland until December 2025 - the first confirmed destructive attack on an EU energy infrastructure. APT29 (Cozy Bear) continues to use sophisticated social engineering attacks against EU diplomats, most recently with fake wine tasting invitations and the new WINELOADER backdoor. Pro-Russian hacktivism by NoName057(16) - partially dismantled in July 2025 by Europol/Eurojust in "Operation Eastwood" - has caused 14 multi-day DDoS waves against around 230 organizations in Germany alone.

The geopolitical situation has fundamentally worsened in just a few weeks. Iranian cyber mobilization, Chinese pre-positioning and Russian hybrid warfare are increasing the cyber pressure on Europe. Organizations should not wait for attacks to be discovered. Threat hunting provides clarity before an attack becomes visible.

The inconvenient truth: How state-sponsored cyber attacks are actually detected

In the everyday life of an incident responder, what the data shows is confirmed time and again: state-sponsored APT attacks are rarely detected by in-house security systems. Mandiant M-Trends 2025 (based on 450,000+ hours of investigation) shows: 57% of all compromises were detected by external sources - not by the organization's own SOC or security infrastructure. Only 43% of cases were detected internally.

The median dwell time of an attacker in the network was 11 days globally in 2024 - in the EMEA region it was even 22 days. This means that an attacker in EMEA typically moves through networks undetected for almost three weeks before the compromise is discovered. In the case of intrusions that are only discovered through external indications, the dwell time rises to 26 days.

Why are many cyber attacks not detected?

There are three structural reasons for this:

  • LOTL techniques: 62% of all threat detections in 2024 did not involve malware (CrowdStrike). Attackers use native system tools - PowerShell, WMI, WMIC - that signature-based systems simply do not flag as malicious.

  • Blind spots at perimeters: 44% of zero-days exploited in 2024 targeted edge devices such as VPNs and firewalls - systems that typically do not have EDR installed (Mandiant M-Trends 2025).

  • Supply chain compromises: Third-party related breaches have doubled to 30% of all cases in 2025, according to Verizon DBIR. Controls at the end victim are completely bypassed.

The prime example is Volt Typhoon: the group operated undetected in US infrastructures for over five years. It was discovered not by a SIEM, not by an EDR - but by dedicated threat hunting teams from CISA, who actively searched for indicators of compromise. The SolarWinds attack (dwell time 8-9 months, 18,000 compromised organizations) was discovered because FireEye accidentally came across the supply chain compromise while investigating another security incident.

The same pattern can be seen in real-life incident response operations: nation-state incidents are almost never uncovered by alerts from an organization's own security systems. They are usually discovered in the course of another cyber incident - for example, when an incident response team is called out in connection with a ransomware attack and the analysis then reveals a second, significantly older access path. It is also not uncommon for the discovery to come from outside: a CERT, an authority or a foreign partner reports that the organization's infrastructure is being misused as a command-and-control relay. These are not exceptions, they are the norm.

Threat hunting by incident responders: the proactive way out

When reactive detection systematically fails, a different approach is needed: proactive threat hunting. Threat hunting is the hypothesis-driven, active search for malicious activity that has bypassed existing security controls - without waiting for an alert.

The difference lies in the basic approach: instead of "We react when something is noticed", "We assume that we could already be compromised and systematically search for it."

Why are incident responders the best threat hunters? Because they know how attackers think and act. IR teams know the tactics and techniques of real attackers from numerous operations and have forensic investigation skills in analyzing subtle anomalies. At the same time, they understand persistence mechanisms that traditional security teams often overlook. For the same reason, CISA's threat hunting team - a group of experienced incident responders - was able to detect the Volt Typhoon group while automated security systems failed.

In the current situation, threat hunting by experienced incident responders increases the chance of detecting ongoing APT attacks - whether Iranian, Chinese or Russian.

The central question of every situation assessment: "Are we compromised?"

Incident response answers the question "Are we compromised?" - forensically, systematically and with knowledge of the tactics, techniques and procedures (TTPs) of state attackers.

IR teams search specifically for:

  • LOTL artifacts and anomalous behavior of native system tools not detected by signature-based systems.

  • Dormant backdoors and C2 channels in perimeter devices, edge systems and OT/ICS environments.

  • Persistence mechanisms based on Iranian, Chinese and Russian TTP patterns (MITRE ATT&CK-based).

  • Supply chain compromises and trust abuse access paths via third-party providers.

  • Data staging and exfiltration preparation, often weeks before the actual attack.
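One way to turn the first two hunt items above (and the LOTL point from "Why are many cyber attacks not detected?") into concrete, testable hypotheses, as an added example that is not InfoGuard's own tooling: three hunt checks run over constructed process-creation records. The key=value log format, field names and sample hosts are this example's own assumptions, not a real product's schema.

```python
import re
from dataclasses import dataclass

# Constructed sample records (Sysmon event 1 / Security 4688 style, flattened
# to key=value for readability). Field names are this example's own convention.
SAMPLE_LOGS = [
    'host=web01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    'host=srv02 parent=explorer.exe image=powershell.exe cmdline="powershell.exe Get-ChildItem"',
    'host=srv02 parent=services.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'host=dc01 parent=wmiprvse.exe image=cmd.exe cmdline="cmd.exe /c net user"',
    'host=ws07 parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Hidden-window / encoded-command switches that interactive admin use rarely needs.
_OBFUSCATED_PS = re.compile(r"-(enc|encodedcommand|w\s+hidden|nop)\b", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    hypothesis: str
    evidence: str


def parse_record(line: str) -> dict:
    """Parse one key=value record; quoted values keep their inner spaces."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def hunt(lines) -> list:
    """Apply three hunt hypotheses to each process-creation record."""
    findings = []
    for line in lines:
        r = parse_record(line)
        host = r.get("host", "?")
        parent, image = r.get("parent", "").lower(), r.get("image", "").lower()
        cmd = r.get("cmdline", "")
        # H1 (webshell): the IIS worker process has no legitimate reason to spawn a shell.
        if parent == "w3wp.exe" and image in SHELLS:
            findings.append(Finding(host, "webshell: w3wp.exe spawned a shell", cmd))
        # H2 (LOLBin): hidden/encoded PowerShell is a classic malware-free execution pattern.
        if image in {"powershell.exe", "pwsh.exe"} and _OBFUSCATED_PS.search(cmd):
            findings.append(Finding(host, "lolbin: obfuscated PowerShell invocation", cmd))
        # H3 (lateral movement): remote WMI execution lands as a child of WmiPrvSE.exe.
        if parent == "wmiprvse.exe" and image in SHELLS:
            findings.append(Finding(host, "lateral movement: shell spawned via WMI", cmd))
    return findings


def hosts_to_triage(lines) -> list:
    """Distinct hosts with at least one finding, sorted for the hunt report."""
    return sorted({f.host for f in hunt(lines)})
```

Each hypothesis is deliberately narrow and explainable, so a responder can confirm or refute it on the host rather than chase a generic anomaly score.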

Conclusion: Proactive reconnaissance instead of reactive security

The results of this analysis determine the next steps. Organizations under increased cyber threat in the coming weeks and months - and this applies to every critical sector in Europe given the current geopolitical situation - should not wait for authorities or external partners to alert them to a compromise.

What organizations need now is not another layer of reactive security tools, but the proactive view of experienced incident responders who can specifically detect compromises.

Sources & References
- Palo Alto Networks Unit 42: Threat Brief - March 2026 Escalation of Cyber Risk Related to Iran (March 2026)
- Europol: Elevated terrorism threat in EU amid Iran conflict (March 6, 2026)
- CloudSEK: Situation Report Middle East Escalation 27 Feb - 1 March 2026
- CSIS: Beyond Hacktivism - Iran's Coordinated Cyber Threat Landscape (2025/2026)
- Canadian Centre for Cyber Security: Iranian Cyber Threat Response Bulletin (February 2026)
- Halcyon: Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks 2026 Updates
- Arctic Wolf: Heightened Cyber Risk Following February 2026 US/Israel-Iran Escalation
- Nozomi Networks: Iranian APT Activity During Geopolitical Escalation (March 2026)
- The Register: Iran's cyberwar has begun (March 2026)
- ENISA Threat Landscape 2025 (October 2025)
- Mandiant M-Trends 2025 (Google Cloud)
- CrowdStrike 2025 European Threat Landscape Report
- CISA Advisory AA24-038A: PRC State-Sponsored Actors / Volt Typhoon (2024)
- BSI situation report on IT security in Germany 2024
