Threat Intelligence: Ireland & Europe — Q1 2026 Briefing
A ransomware gang shuts down six Irish public bodies. Russia-linked hackers run a 72-hour spear-phishing blitz across nine European countries. A new national survey finds 80% of Irish workers personally experienced a cyberattack in the past year. This is what the threat landscape looks like right now.
Ireland: Office of the Ombudsman Ransomware Attack
On 12 December 2025, staff at the Office of the Ombudsman found themselves locked out of their systems. Five days later, the office confirmed it was dealing with a financially motivated ransomware attack that had forced all systems offline and disrupted six connected public bodies.
The NCSC, An Garda Síochána, and the Data Protection Commissioner were all notified. Forensic investigators were brought in. The full extent of data accessed has not been publicly disclosed.
This is not an isolated incident. It follows a pattern that has been consistent since the HSE attack of 2021: public sector organisations hold sensitive data, face public pressure to restore services quickly, and often carry security budgets that do not reflect the value of what they are protecting. That combination makes them attractive targets.
The practical lesson for any organisation — public or private — is detection speed. The HSE attackers operated undetected for eight weeks before deploying ransomware. The earlier you catch an intrusion, the less damage it does. That requires active monitoring, not just perimeter defences.
Ireland: 80% of Workers Hit by a Cyber Incident in the Past Year
Research published in February 2026 by Landmark Technologies, based on a Censuswide survey of Irish workers, found that 80% had personally experienced a cyberattack or security incident at work in the past 12 months. Of those, 43% had experienced multiple incidents.
Half of respondents expect their organisation to suffer a data breach in the next 12 months. One in eight admitted they had clicked a malicious link without reporting it. Thirteen percent said a senior leader in their organisation had fallen victim to a phishing or social engineering scam in the past year.
The figure that stands out most is not the frequency of attacks — it is the silence. Staff clicking malicious links and not reporting them is how small incidents become large ones. An unreported click is a week's head start for an attacker before anyone knows something is wrong.
If your organisation does not have a clear, low-friction process for reporting suspicious emails and security incidents — one that does not punish staff for coming forward — this is where to start.
Ireland: NIS2 Transposition Still Outstanding
NIS2 became legally binding across the EU in October 2024. Ireland has still not transposed it into domestic law, and is now subject to infringement proceedings by the European Commission. An update on the National Cybersecurity Bill is expected in the first half of 2026.
NIS2 expands the number of sectors under mandatory cybersecurity obligations and introduces stricter incident reporting timelines. Organisations in healthcare, digital infrastructure, transport, energy, and professional services should already be reviewing their exposure — transposition into Irish law does not change the underlying obligations that are coming.
Europe: APT28 Spear-Phishing Campaign Targets Maritime and Transport Sectors
In late January 2026, the Russian military intelligence-linked group APT28 conducted a concentrated 72-hour spear-phishing campaign targeting organisations across nine European countries, including Poland, Slovenia, Greece, and Romania. The campaign focused on maritime and transportation entities.
The attack exploited CVE-2026-21509, a vulnerability in Microsoft Office and Microsoft 365 that allows malicious documents to execute code without requiring any user interaction beyond opening the file. The flaw was disclosed by Microsoft in late January; APT28 began weaponising it almost immediately.
The response here is straightforward: ensure Microsoft Office and Microsoft 365 are fully patched. If your organisation uses managed IT services, confirm with your provider that this CVE has been addressed. If you manage your own systems, check Windows Update now.
Europe: State-Sponsored Signal Phishing Campaign Targets Politicians and Journalists
German authorities reported in February 2026 that a sophisticated phishing campaign had been targeting politicians, military personnel, and journalists across Europe. The attack impersonated Signal's official support communications, prompting targets to re-enter their PIN or re-register their device — effectively handing over account access.
The campaign is assessed as likely state-sponsored. Signal is widely used by high-value targets precisely because of its security reputation, which makes it an effective lure. A message appearing to come from Signal itself, warning of an account issue, is credible enough to catch careful people off guard.
The broader point: legitimate apps and platforms do not ask you to re-enter credentials or re-register via an unsolicited message. Any communication requiring urgent account action should be verified through the official app directly, not by following a link.
Europe: China-Linked Espionage Campaign Against Italian Government Ministry
Italian media reported in February 2026 that a suspected China-linked espionage operation had targeted an Italian government ministry over the period 2024–2025, resulting in the theft of data on approximately 5,000 law enforcement personnel — including those involved in investigations into Chinese dissidents and organised crime.
This type of operation — patient, long-term, targeting specific personnel records — is characteristic of state intelligence gathering rather than financially motivated crime. It is a reminder that not all breaches announce themselves with ransomware. Some are designed to be invisible for as long as possible.
Europe: Russia-Linked Group Expands Targeting to Western European Financial Institutions
In late February 2026, BlueVoyant reported that the Russia-linked threat group tracked as UAC-0050 — previously focused almost entirely on Ukrainian targets — had conducted a spear-phishing attack against a European financial institution supporting Ukraine's reconstruction efforts. The target was a senior legal and policy advisor with access to procurement and financial operations.
The attack spoofed a Ukrainian judicial domain to deliver a remote access payload. CrowdStrike's 2026 Global Threat Report notes that Russia-linked groups are expected to continue expanding intelligence-gathering operations into NATO member states and Western European entities that support Ukraine.
Irish financial institutions, professional services firms, and any organisation with connections to Ukraine-related funding or contracts should treat this as a relevant threat, not a distant one.
What This Means for Your Business
The pattern across these stories is consistent. Attackers are moving faster than organisations are patching. Staff are the most common entry point, and unreported incidents are giving attackers time they should not have. State-sponsored groups that previously focused on military and government targets are now routinely hitting professional services, financial institutions, and supply chain organisations.
None of the attacks covered in this briefing required novel techniques. They used phishing, known vulnerabilities, and social engineering — the same vectors that have dominated the threat landscape for years. The defences are known too. The gap is in applying them.
Not sure where your organisation stands? Our Threat Susceptibility Assessment gives you a scored risk report across eight security domains, delivered to your inbox within 24 hours.