Can Europe’s APT response keep up?

Executive Vice-President of the European Commission Henna Virkkunen presents the new EU cybersecurity package on 20 January 2026, Strasbourg. Photo: Valentine Zeler/©European Union

16 June 2026

‘We are in the middle of hybrid warfare. [Cyber] operations span espionage, prepositioning, ransomware and disruptive operations,’ warned EU Commissioner Henna Virkkunen while presenting the new EU cybersecurity package in January 2026. ‘Cybersecurity has … become an integral part of our comprehensive security.’

Not a month passes without a report of an advanced persistent threat (APT) being uncovered in European network infrastructures or exploiting newly discovered vulnerabilities. APT groups, which combine four major elements – organised crime, cybercrime, espionage, and national security threats – pose a serious challenge.

In the current, rather tense geopolitical context, countering state-sponsored cyber threats has become increasingly important. Consequently, advanced persistent threats are framed as national security concerns in political discourse, and yet, they are often treated as ordinary cybercrime. Europe must adapt its approach to face this growing threat. 

APTs and organised cybercrime are converging

Of the 263 public cyber incidents the European Repository of Cyber Incidents (EuRepoC) recorded in 2025 for European states, only 24 were officially attributed to state or state-affiliated actors. Half of all incidents were unattributed or of unknown origin, suggesting many more state-sponsored attacks remain hidden.

The term ‘APT’ was coined by the US Department of Defense in 2006 to label state-sponsored, highly-capable, long-duration cyber operations. Today, governments still use state affiliation as the primary criterion, while private sector analysts often use the term more broadly to describe groups with highly complex behaviours and motives. 

An attack may be labelled as coming from a specific APT or ‘just’ a cybercrime group only years after the fact, and groups often overlap or split into sub-units. Their ability to hide and the lack of available information hinder the identification of these groups as units, their patterns, and their governance structures, thus hampering possible counteractions. 

In its threat landscape report 2025, ENISA notes that ‘the lines between hacktivism, cybercrime and state-nexus activity continued to blur.’ Europol issued a similar analysis: ‘The crime-as-a-service model also supports external actors … Hybrid and traditional cybercrime actors will increasingly be intertwined, with state-sponsored actors masking themselves as cybercriminals to conceal their origin and real disruption motives.’

This convergence is evident in the Russian APT known as Turla, linked to the Russian Federal Security Service (FSB) and characterised as a state-sponsored cyberespionage group since the early 2000s. Focused mostly on governmental and military targets, as well as research institutions, it has been shown to piggy-back on criminal groups’ malware or backdoors and to masquerade as other cybercriminal groups. APTs’ use of tools and information provided by cybercrime groups to enhance their own activities makes distinguishing activity patterns and actors more difficult. 

Other APTs have inhabited the grey zone between state-sponsored groups and cybercrime since the beginning of their operations. For example, North Korean state-linked umbrella APT Lazarus, active since at least 2009, is known for large-scale thefts of money and cryptocurrency and resembles a self-financing global cybercrime cartel.

The Chinese APT Silk Typhoon/Murky Panda, meanwhile, is allegedly a hack-for-hire network, active since at least 2020. In contrast to APTs directly managed by government entities, it is suspected of selling information to customers with ties to the Chinese government.

At the same time, organised crime groups themselves have become capable of more complex and long-term cyber campaigns. Increased inter-group cooperation and the use of AI tools have allowed the cybercrime ecosystem to grow. As APTs and cybercrime groups converge, so must the responses of the digital infrastructure providers, law enforcement, intelligence services, and militaries that combat them.

Discourse versus action in the EU

In well-known cases of APTs targeting Europe, the difference between discourse and consequences is striking, despite the now clear context of hybrid warfare.

One reason for this discrepancy is the lack of documentation. Without knowledge of who initiated an intrusion or cyberattack and why, choosing an appropriate response is challenging. Attributions can occur months, if not years, after initial attacks. 

In 2019, the EU established a sanctions framework to respond to cyberattacks perceived as external threats to EU member states and institutions. It imposed the first sanctions in July 2020 against those responsible for WannaCry and NotPetya. It also ramped up sanctions from 2024, targeting actors from Iran and China.

While indicative of some progress, the European sanctions are fairly new and lag behind more proactive US actions against APTs. The US has been busy indicting individuals for computer-related crimes since at least 2017, and recently pushed to increase cyber-offensive activity against both state actors and criminal groups. APT28 (Russia-based, responsible for hacks on political, governmental, and military entities) and APT3 (China-based, responsible for intelligence gathering in governmental and critical sectors), for example, have been met with not just sanctions, but also indictments and arrest warrants.

In Europe, the only visible response was public attributions

Turla, for example, has for now escaped direct consequences – the official response has been limited to national recommendations on how to mitigate risks stemming from its attacks. A member of Silk Typhoon was arrested in July 2025 in Italy – at the request of the US – for computer intrusions into American universities during the Covid-19 pandemic. US and EU sanctions against Lazarus and its sub-groups, alongside UN sanctions against the DPRK, remain some of the only obvious actions taken against APTs at the European level.

Bridging response gaps and simplifying takedowns

A proportionate response to the evolution of APT threats and their convergence with cybercrime requires changes at the policy and structural levels beyond debates on hack-backs and offensive cyber.

European states should establish an effective response mechanism at the EU and state level that makes action against APTs quicker and more visible. This would include responses that encompass both the cybercrime and political aspects of the threat.

Another step is to encourage more civil takedowns of cybercrime infrastructure – a quick reaction option for cybercriminal and APT activities. Google and Microsoft have conducted several such takedowns, but the US court authorisation process takes several months, and most infrastructure providers do not have the same means as those two tech giants. This is particularly true in Europe, where legislation is stricter on action outside digital providers’ own networks, even while Russian APTs are using them to target European countries from within.

Authorities should also respond – politically and judicially – to patterns, rather than addressing each incident separately. Prosecuting cybercrime, online fraud, and similar offences is of course necessary, but it often fails to address the broader intention of APTs’ cyber activities. For example, the political and state-backed dimension of cybercriminal activities should be integrated systematically into the work of the EU’s Joint Cybercrime Action Taskforce (J-CAT).

Additionally, and as a deterrent, the EU should show clearly that cyberattacks on critical sectors, such as those outlined in NIS2, will be handled as threats to national security rather than just criminal matters. This could include clarifying thresholds of harm that, once crossed, no matter if by a state or organised crime group, would trigger a coordinated reaction by EU member states. For example, sanctions such as asset freezes and travel bans could be the default, instead of requiring council-wide unanimity on every occasion.

Cross-sector coordination must improve – information and capability sharing across law enforcement, military, intelligence, and private infrastructure services is essential. In Europe, this could mean enhancing structures like the EU Cybercrime Task Force, and expanding it to include national cybersecurity agencies with an overview of political threats. At the international level, the Budapest Convention and UN Cybercrime Convention both exist to enhance cooperation against cybercrime and could be used more effectively. 

And this is all without acknowledging that both state-affiliated and cybercriminal groups are now automating attacks and increasing their sophistication using AI. As these developments make the threats of hybrid warfare and convergence even more acute, Europe’s need for ever quicker and more effective responses will likewise increase.