Anatomy of an Attack: European Cyber Threat Landscape: December 2025
January 14, 2026
Executive Summary
The final weeks of 2025 witnessed a surge in specialized cyber operations targeting European critical infrastructure and supply chains. These incidents demonstrate how modern adversaries now prioritize the weaponization of legitimate administrative tools and the use of traffic mimicry to evade traditional defenses. Recent observations identify three significant trends currently influencing the modern threat landscape:
- Weaponization of Administrative Tools: Attackers increasingly use Living off the Land (LOTL) tactics to turn legitimate system features like BitLocker against their owners.
- Sophisticated Application-Layer DDoS: State-sponsored groups use advanced mimicry tools to blend malicious traffic with legitimate holiday shopping patterns.
- Double-Extortion Supply Chain Attacks: Ransomware groups target single vendors to compromise data for millions of citizens simultaneously.
We can analyze these trends through the lens of recent high-impact breaches in Romania, France, and the United Kingdom.

Romanian National Water Agency - Romania
A ransomware operation disabled approximately 1,000 IT systems at Romania’s national water authority, Administrația Națională Apele Române, on December 20, 2025. The attack impacted 10 of the country’s 11 regional basin administrations.
Operational Fallback and Resilience
While the breach disabled GIS application servers, databases, and internal email, operational technology (OT) systems managing dam control and flood distribution remained secure. To maintain continuity, the agency reverted to voice coordination and analog radio systems for water management oversight. This incident demonstrates an evolution in ransomware tactics where actors leverage built-in Windows security tools rather than custom malware to lock critical infrastructure.
La Poste and Banque Postale - France
A distributed denial-of-service (DDoS) attack rendered France’s national postal and banking services inaccessible on December 22, 2025. The disruption lasted over 12 hours and impacted online services, mobile apps, and the Digiposte digital identity platform.
Attribution and Mimicry
The pro-Russian hacktivist group NoName057(16) claimed responsibility for the operation as part of a campaign targeting NATO infrastructure. The group utilized the DDoSia Project tool to perform Traffic Mimicry, a technique that makes bot-driven floods appear as legitimate user requests. Core banking transactions remained functional through a fallback SMS-based authentication system that bypassed the saturated digital gateways.
DXS International Supply Chain - United Kingdom
The threat group DevMan breached DXS International plc on December 14, 2025. As a critical supplier of referral management software to 2,000 GP practices overseeing 17 million patients, the company represents a vital link in the UK healthcare supply chain. This attack functions as a Double-Extortion Supply Chain Attack because the threat actor exfiltrated NHS-related data and threatened its public release.
Data Exfiltration and Extortion
The threat actor DevMan claimed responsibility and listed the company on its dark web leak site. The group exfiltrated 300 GB of sensitive data, including patient treatment logs and NHS numbers. The attack primarily impacted internal office servers, while clinical cloud environments remained operational. By publicizing the NHS partnership, the group leveraged the reputation of the UK’s critical infrastructure to apply maximum pressure on the private vendor.
How Modern NDR Detects These Attacks
Comprehensive Decryption and Protocol Fluency
ExtraHop eliminates blind spots by decrypting and analyzing traffic at wire speed. The platform decrypts encrypted traffic at speeds up to 100 Gbps and decodes more than 90 network protocols to uncover malicious activity hidden within standard communications. This protocol fluency allows RevealX to expose critical adversarial maneuvers, such as administrative credential abuse and lateral movement, that traditional flow-level analysis cannot see. This visibility is important for identifying initial access points and understanding the scope of compromised supply chain partners.
AI-Driven Behavioral Detection
Leveraging advanced, patented machine learning and cloud-scale AI, ExtraHop establishes a dynamic behavioral baseline for every device on the network. This approach enables the platform to immediately flag subtle deviations indicative of distinct attack phases, such as unauthorized scanning, unusual protocol use, or abnormal exfiltration. By identifying anomalies in an action's velocity, timing, and sequence, the platform can catch evasive threats, including system information gathering (T1082) and scheduled persistence mechanisms (T1053.005), early in the lifecycle, before mass data encryption can begin.
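One way to implement the per-device baseline and deviation check described above, as an added example that is not ExtraHop's code: the flow records, device names and threshold are constructed, and the model (mean and standard deviation of outbound volume plus the set of protocols previously seen) is a deliberate simplification of the behavioral analytics the text describes.

```python
"""Per-device behavioral baseline with velocity and protocol-novelty checks.

Added example, not ExtraHop code. All flow records below are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    device: str     # internal host that originated the traffic
    protocol: str   # decoded application protocol
    out_bytes: int  # bytes sent by the device in one observation window


# Constructed history: a file server that normally speaks SMB and LDAP in modest volumes.
BASELINE_FLOWS = [
    Flow("fs01", "SMB", 400_000), Flow("fs01", "SMB", 450_000),
    Flow("fs01", "LDAP", 20_000), Flow("fs01", "SMB", 420_000),
    Flow("fs01", "SMB", 380_000), Flow("fs01", "LDAP", 25_000),
]


def build_baseline(flows):
    """Return {device: (protocols_seen, mean_out_bytes, stdev_out_bytes)}."""
    by_device = {}
    for f in flows:
        by_device.setdefault(f.device, []).append(f)
    baseline = {}
    for device, history in by_device.items():
        volumes = [f.out_bytes for f in history]
        baseline[device] = ({f.protocol for f in history}, mean(volumes), pstdev(volumes))
    return baseline


def detect(flow, baseline, z_threshold=3.0):
    """Return the anomaly tags raised by one new flow against the baseline."""
    if flow.device not in baseline:
        return ["new_device"]                # never profiled: worth a look on its own
    protocols, mu, sigma = baseline[flow.device]
    tags = []
    if flow.protocol not in protocols:
        tags.append("unusual_protocol")      # first-ever use of a protocol by this device
    # Velocity check: outbound volume far above the device's own history.
    spread = sigma if sigma > 0 else max(mu * 0.1, 1)
    if (flow.out_bytes - mu) / spread > z_threshold:
        tags.append("abnormal_exfiltration")
    return tags
```

Devices are compared only with their own history, so a burst that is ordinary for a backup server still stands out when it comes from a host that has never moved that much data.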
Rapid and Confident Response
ExtraHop enhances security operations efficiency by consolidating NDR, network performance monitoring (NPM), and forensics into a single interface. The platform provides detailed forensic data, including packet-level visibility and identity-based attack investigation. This unified context empowers incident responders to quickly pinpoint the origin and scope of an attack, accurately assess the blast radius, and confidently ensure the network is clean to prevent re-infection and boost long-term resilience.
ExtraHop identifies these subtle deviations from normal traffic, giving security teams the technical context and confidence required to act before threats escalate into full-scale breaches.
Learn More About ExtraHop
The network provides a strong vantage point for stopping modern ransomware. ExtraHop NDR provides the comprehensive security intelligence that legacy tools often miss, offering the clarity and context required to surface threats hidden in east-west traffic.
Ready to see how ExtraHop NDR gives your security team the critical advantage against threats?
- Request a Personalized Demo: See how ExtraHop detects hundreds of TTPs used by a wide mix of threat actors.
- Run a Security Assessment: Challenge the visibility of your current security stack with an NDR assessment.
Click HERE to schedule time with us to help secure your environment against ransomware.

Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandbox, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), Network detection and response (NDR), and encryption.