Check Point Software Technologies: Germany becomes focal point of escalating DACH cyber campaign amid ransomware, geopolitical attacks

Cyberattacks in DACH Region Surge 124% in 2025, Driven by Hacktivism and Ransomware

New research from Check Point Software Technologies reveals a 124% spike in cyberattacks targeting organizations in Germany, Austria, and Switzerland (DACH) in 2025, fueled by a rise in hacktivist campaigns and ransomware operations. Germany bore the brunt of the attacks, accounting for over 80% of incidents in the region largely due to its economic prominence and geopolitical stance, particularly its support for Ukraine. The DACH region as a whole represented 18% of all tracked cyberattacks across Europe, surpassing France, Spain, and Italy in individual country share.

Website defacement emerged as the dominant attack vector, comprising 66% of incidents and primarily attributed to pro-Russian hacktivist groups like NoName057(16), Dark Storm Team, and Mr Hamza. These campaigns, designed for visibility, targeted public-facing services and were often announced via Telegram, with activity peaking in July and August following law enforcement actions against NoName057(16).

While hacktivists dominated by volume, ransomware remained the most financially damaging threat, responsible for nearly 30% of incidents. Key players included Akira, which exploits weak authentication in Windows and Linux environments; Qilin, a Rust-based ransomware-as-a-service (RaaS) group employing double extortion tactics; and Safepay, an emerging group active since 2024 that exfiltrates data before encryption. All three groups relied on compromised credentials, exposed remote access services, and unpatched systems highlighting identity security gaps as the primary vulnerability.

The report underscores Germany’s dual appeal as a target: its economic scale makes it a lucrative ransomware target, while its geopolitical positioning draws hacktivist retaliation. Researchers noted that hacktivist campaigns are highly reactive, with attacks spiking in response to political statements, regulatory actions, or law enforcement operations sometimes within hours.

Separately, Check Point also tracked an ongoing password-spraying campaign by an Iran-linked threat actor, targeting Microsoft 365 environments in the Middle East, primarily Israel and the UAE. The attacks, which expanded to limited targets in Europe, the U.S., and Saudi Arabia, focused on government entities, energy-sector organizations, and private companies amid regional conflicts.

Source: https://industrialcyber.co/ransomware/germany-becomes-focal-point-of-escalating-dach-cyber-campaign-amid-ransomware-geopolitical-attacks/

Check Point Software Technologies TPRM report: https://www.rankiteo.com/company/check-point-software-technologies

"id": "che1779467077",
"linkid": "check-point-software-technologies",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "",
"impact": "1",
"explanation": "Attack without any consequences"

{'affected_entities': [{'industry': ['government', 'energy', 'various'],
                        'location': ['Germany',
                                     'Austria',
                                     'Switzerland',
                                     'Middle East (Israel, UAE)',
                                     'Europe',
                                     'U.S.',
                                     'Saudi Arabia'],
                        'type': ['government entities',
                                 'energy-sector organizations',
                                 'private companies']}],
 'attack_vector': ['website defacement',
                   'compromised credentials',
                   'exposed remote access services',
                   'unpatched systems',
                   'password-spraying'],
 'data_breach': {'data_encryption': ['yes'], 'data_exfiltration': ['yes']},
 'date_detected': '2025',
 'description': 'New research from Check Point Software Technologies reveals a '
                '124% spike in cyberattacks targeting organizations in '
                'Germany, Austria, and Switzerland (DACH) in 2025, fueled by a '
                'rise in hacktivist campaigns and ransomware operations. '
                'Website defacement and ransomware were the dominant attack '
                'vectors, with hacktivist groups like NoName057(16), Dark '
                'Storm Team, and Mr Hamza targeting public-facing services. '
                'Ransomware groups such as Akira, Qilin, and Safepay exploited '
                'weak authentication and unpatched systems.',
 'impact': {'systems_affected': ['public-facing services',
                                 'Microsoft 365 environments']},
 'motivation': ['geopolitical retaliation',
                'financial gain',
                'visibility',
                'data exfiltration'],
 'post_incident_analysis': {'root_causes': ['weak authentication',
                                            'identity security gaps',
                                            'unpatched systems',
                                            'geopolitical tensions']},
 'ransomware': {'data_encryption': ['yes'],
                'data_exfiltration': ['yes'],
                'ransomware_strain': ['Akira', 'Qilin', 'Safepay']},
 'references': [{'source': 'Check Point Software Technologies'}],
 'threat_actor': ['NoName057(16)',
                  'Dark Storm Team',
                  'Mr Hamza',
                  'Akira',
                  'Qilin',
                  'Safepay',
                  'Iran-linked threat actor'],
 'title': 'Cyberattacks in DACH Region Surge 124% in 2025, Driven by '
          'Hacktivism and Ransomware',
 'type': ['hacktivism', 'ransomware', 'password-spraying'],
 'vulnerability_exploited': ['weak authentication',
                             'identity security gaps',
                             'unpatched systems']}