The Growing Threat of Cyberattacks in Germany: A New Report Highlights Alarming Trends
In an insightful analysis of the current cybersecurity landscape, experts from Darktrace have drawn attention to alarming trends within Germany and the broader EMEA (Europe, the Middle East, and Africa) region. Their recently published Threat Report 2026 reveals that both state-sponsored and private actors are increasingly targeting German enterprises, underscoring a significant shift in the nature of cyber threats.
Cloud and Email Accounts: The Primary Entry Points
According to the report, cloud and email accounts have emerged as the most susceptible points of entry for cyberattacks in Europe. Last year, approximately 58% of all attacks commenced with compromised credentials from these platforms. By comparison, traditional network-based intrusions accounted for 42% of attacks. This development is concerning because organizations are becoming more reliant on cloud services and hybrid work models, which have blurred traditional security boundaries.
As Nathaniel Jones, Vice President of Security and AI Strategy at Darktrace, explains, “The threat landscape has fundamentally changed. Attackers can log into systems using valid accounts and leverage regular administrative tools. This significantly complicates detection efforts, as malicious behavior embeds itself within legitimate processes.” This explains why organizations must adopt more proactive security measures to combat this evolving threat.
Vulnerability of Critical Sectors
The report highlights that a considerable portion of registered incidents in Europe is concentrated in the EMEA region, with Germany identified as the most frequently targeted country. The manufacturing sector, in particular, suffers heavily from these attacks due to its reliance on cloud services and its handling of sensitive information. Darktrace points out that 33% of phishing emails in the healthcare sector targeted privileged users, followed closely by 30% in the financial sector and 20% in the energy sector.
Furthermore, Darktrace has documented that compromised Software as a Service (SaaS) accounts have become launching pads for additional activities in operational environments. The report indicates a prevalent risk as state-sponsored and hybrid actors strategically position themselves to exploit vulnerabilities in crucial sectors, especially telecommunications and energy.
Among the notable groups implicated in these attacks are the Lazarus Group from North Korea and China’s ShadowPad. Darktrace has also raised alarms about ransomware-as-a-service specialists, particularly those from the Akira group, who are increasingly focusing on the manufacturing sector.
Compromise of Cloud and SaaS Environments
Another crucial insight from the report relates to the growing dependence on identity and access management mechanisms. As businesses transition critical processes to cloud and SaaS environments, compromised accounts serve as launching points for lateral movement within complex networks. Darktrace’s honeypot data indicates that 43.5% of observed malware samples targeted Microsoft Azure, 33.2% affected Google Cloud Platform, and 23.2% impacted Amazon Web Services (AWS). Furthermore, Docker environments were the target of over half of the recorded attack attempts.
Exploiting Existing Vulnerabilities
Darktrace underscores that, in addition to targeted attacks on email and cloud accounts, criminals are increasingly taking advantage of existing technical vulnerabilities. The report highlights an increase in registered Common Vulnerabilities and Exposures (CVEs), which rose by 20.6% from the previous year to a total of 48,185 registered instances in 2025. Notably, security researchers observed exploitation occurring days to weeks prior to the official disclosure of vulnerabilities, particularly in systems such as SAP NetWeaver and Ivanti.
A Call to Action for Organizations
In conclusion, Darktrace’s findings present a sobering picture of the current cybersecurity climate, particularly for organizations that rely solely on perimeter controls or known signatures to combat threats. The experts recommend that organizations implement continuous monitoring of privileged accounts, as anomalies in admin logins can serve as a strong warning signal. Such vigilance is essential, especially in the context of external Virtual Private Network (VPN) logins to data centers, which should be treated as potential harbingers of severe security incidents.
Alongside continuous monitoring, Darktrace recommends integrating measures such as multi-factor authentication (MFA) and device baselines to fortify defenses against the rising tide of cyber threats. As cybercriminals become increasingly sophisticated, the proactive measures organizations take today will be instrumental in determining their security posture in the future.

