ZIUR's Cyber Intelligence report warns of a dramatic increase in attacks against state entities.

2025 / 05 / 15

Coinciding with World Internet Day this Saturday, the center warns of a coordinated hacktivist campaign against Spain

ZIUR has published a new Industrial Cyber Intelligence report, coinciding with World Internet Day this Saturday, warning of a "drastic increase" in the number of attacks recorded against state entities in the first quarter of 2025, thus breaking the trend compared to the last quarter of last year. This was mainly due to several hacktivist groups joining forces in a coordinated distributed denial of service (DDoS) attack campaign targeting various public and private entities in Spain. The operation, dubbed #OpSpain, was primarily motivated by the Spanish government's support for Ukraine.

The main actor behind the attacks in Spain was NoName057, a pro-Russian hacktivist group working against Ukraine and its supporting countries, as well as NATO member states. Its operations are managed through Telegram, and participants are rewarded with cryptocurrency based on their contribution to the success of the attacks, which fuels the group's growing network.

Among the most affected sectors, in addition to government, are transportation, energy, and manufacturing. Furthermore, in this first quarter, a total of 33 alleged data leaks involving Spanish organizations and institutions were detected in underground forums and Telegram channels, 16 more than in the last quarter of 2024.

Cl0p, the most hostile ransomware

Regarding ransomware, Cl0p was the hostile actor with the most incidents worldwide, surpassing Ransomhub, which was the most active group during the last quarter of 2024. Overall, an 11.07% increase in attacks was detected compared to the third quarter. However, in Spain, the actor responsible for the highest number of incidents was Akira.

Among the detected campaigns, a new malware attributed to a pro-Iranian hacktivist group stands out. It poses a serious threat to critical infrastructure as it allows attackers to execute commands, steal information, and maintain a long-term presence within systems.

There has also been an increase in the use of Ghost ransomware, a highly aggressive and persistent strain that has compromised critical infrastructure, government entities, and businesses in more than 70 countries. Operating out of China, this cybercriminal group infiltrates networks to steal credentials, disable defenses, and encrypt data in a matter of hours, a threat that is exacerbated in industrial environments. Joining them is UAC-0063, a Russian-linked group, which has expanded its cyberattacks to European embassies using stolen documents as bait.

The number of vulnerabilities published during the first quarter of 2025 reached 12,173, a 13.72% increase compared to the 10,963 published during the previous period, according to the ZIUR Industrial Cyber Intelligence Report. However, the total number of critical vulnerabilities has decreased.

ZIUR Recommendations

After analyzing the entry vectors used by ransomware groups based on public negotiations, the ZIUR Industrial Cyber Intelligence Report concludes that most intrusions occur due to human error. Therefore, the Gipuzkoa Industrial Cybersecurity Center, under the Provincial Council, insists that the use of weak passwords and their reuse across multiple services is one of the main problems.

“It's essential to implement policies that require strong passwords, with complexity requirements such as minimum length, special characters, and the use of upper and lower case. Furthermore, it's vitally important to encourage the use of password managers to ensure each account has unique credentials. Additionally, conducting periodic audits can identify weaknesses in this area,” says ZIUR Director María Penilla, who calls for mitigating the success of phishing operations by offering training programs to employees.

You can also consult the report here.