Why Spain Is a Cybersecurity Target

May 20, 2026

Germany has just taken an unprecedented step. On December 12, 2025, the German government formally summoned the Russian ambassador in Berlin after attributing to the APT28 group (also known as Fancy Bear, linked to the Russian GRU) a cyberattack on the air traffic control system in August 2024. At the same time, it accused Moscow of deploying the disinformation campaign “Storm-1516” to destabilize the German federal elections through deepfakes, manipulated videos, and pseudo-journalistic websites. Berlin not only identified Moscow’s footprint but also announced countermeasures and individual sanctions. This episode illustrates a reality that Spain has not publicly acknowledged: hybrid warfare is no longer a future scenario; it is an operational present.

Spain is simultaneously more valuable as a target and more vulnerable than public debate acknowledges. While defense spending is surging, the question is not whether Spain faces threats similar to those faced by Germany, but when they will become visible.

“Spain dreams if it believes that the Guardia Civil’s Huawei equipment does not relay information to China,” Admiral Rob Bauer, a former NATO military chief, warned just two days ago in an interview. His statement was a diagnosis of a vulnerability that Spain has been cultivating for years without realizing it.


The official figures paint an alarming but incomplete picture. President Pedro Sánchez acknowledged in April that “Spain suffers more than 100,000 cyberattacks a year and one in three is considered very serious.” The Minister for Digital Transformation, Óscar López, added that since 2015 cyberattacks have surged by 300%. However, these raw figures require nuance. Many of the counted attacks are simply automated port scans with no real malicious intent behind them. Truly complex and critical cyberattacks against Spanish infrastructure hover around five annually, even in particularly active years. Yet these numbers conceal a more troubling reality: the attacks Spain fears are not the ones capable of paralyzing it. The real threat is silent, persistent, and may already be present in Spain’s critical systems.

The new doctrine of cyberattack

Imagine a thief entering your house but not stealing anything. Instead, they memorize where the keys are, disable alarms without you noticing, and leave the back door slightly ajar. When you return (perhaps years later) they could empty your home in minutes without anyone detecting it. This metaphor precisely describes what groups like Volt Typhoon (linked to Chinese intelligence) are carrying out in Western critical infrastructures.

Volt Typhoon has gone undetected in American systems for more than five years by using living-off-the-land techniques: they exploit legitimate operating system tools (PowerShell, administrative commands) instead of installing detectable malware. For Spain, this tactic is especially lethal: 40% of Spanish port and maritime organizations do not invest sufficiently in advanced behavioral detection, relying solely on traditional antivirus that looks for known malware signatures.
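As an added illustration (not code from the article), this Python example shows why a signature check alone misses living-off-the-land activity while simple behavioral rules over process-creation events catch it. The event records, the tool and parent-process lists, and the heuristics are constructed assumptions for the demonstration.

```python
import re

# Constructed process-creation events (not real telemetry): parent image, child image, command line.
EVENTS = [
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="},          # built-in tool, hidden + encoded
    {"parent": "services.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},                   # routine admin scripting
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": 'schtasks /create /sc onlogon /tn Updater /tr "powershell -w hidden -c iex(...)"'},  # persistence
    {"parent": "explorer.exe", "image": "malware.exe", "cmd": "malware.exe"},  # classic dropped binary
]

# Signature-style detection: only binaries already known to be bad (assumed list).
KNOWN_BAD_IMAGES = {"malware.exe"}

def signature_verdict(event):
    """Return 'flag' only when the executed image is a known-bad binary."""
    return "flag" if event["image"] in KNOWN_BAD_IMAGES else "clean"

# Behavioral detection: legitimate OS tools judged by their context, not their identity.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "schtasks.exe", "wmic.exe", "certutil.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\b|-encodedcommand|-w hidden|-windowstyle hidden|iex\(|downloadstring)", re.I)

def behavioral_verdict(event):
    """Return the list of behavioral reasons that make this event suspicious (empty if none)."""
    reasons = []
    cmd = event["cmd"].lower()
    if event["image"] in LOLBINS and event["parent"] in OFFICE_PARENTS:
        reasons.append("office application spawned an admin tool")
    if SUSPICIOUS_ARGS.search(cmd):
        reasons.append("hidden or obfuscated execution flags")
    if event["image"] == "schtasks.exe" and "/create" in cmd and "powershell" in cmd:
        reasons.append("scheduled-task persistence running PowerShell")
    return reasons

def compare(events):
    """Pair each event's signature verdict with its behavioral reasons."""
    return [(signature_verdict(e), behavioral_verdict(e)) for e in events]

if __name__ == "__main__":
    for event, (sig, beh) in zip(EVENTS, compare(EVENTS)):
        print(f"{event['image']:16} signature={sig:5} behavioral={beh}")
```

The first and third events use only built-in Windows tools, so the signature check reports them clean; only the contextual rules flag them, which is the gap the article describes.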


Sandworm (the Russian group responsible for Ukraine’s 2015 blackout) and APT28 (also Russian) operate under the same logic: persistent access without immediate destruction. Their objective is not commercial cyber espionage but to prepare the capacity for sabotage in moments of geopolitical crisis. In a hypothetical escalation scenario, Spain could face the activation of latent accesses in the energy, port, and telecommunications sectors. Although Spain’s critical infrastructures have certified suppliers and countermeasures (many are isolated from the Internet and require human error to enable remote compromise), the risk does not disappear: it simply shifts to the human factor and the supply chain.

Experts from Zerod estimate that there is a probability greater than 60% that a critical Spanish infrastructure will suffer a severe attack with systemic consequences within the next five years. Not if it will happen, but when.

Why Spain cannot stop being a target

Spain did not choose to be a top target. Its geography decided for it. The country concentrates three indispensable geostrategic vectors that make it a critical node for Europe.

First, the Strait of Gibraltar: fourteen kilometers separate Europe from Africa, through which flows 20% of world maritime trade, and where submarine telecommunications cables (such as the transatlantic MAREA) and gas pipelines (Medgaz connects Algeria to Spain) pass. A coordinated sabotage (cutting cables plus a cyberattack on ports) would severely degrade Mediterranean connectivity. Although there is land redundancy toward France and Portugal, the resulting congestion and partial isolation of North Africa would cause commercial, logistical, and financial disruptions for weeks.

Second, Spain’s ports—Algeciras, Valencia, and Barcelona—handle 65% of Spanish trade. In 2024, the transport sector endured sixty serious cyberattacks, almost three times the 2023 figure. An attack of the NotPetya type (the ransomware that cost Maersk $300 million in 2017) against these three ports simultaneously would trigger a domino effect across the European supply chain.

Third, Spain hosts 17 of the 46 ports of general interest with critical energy and industrial infrastructure. The Spanish Navy detected 65 Russian warships and submarines in Spanish waters in the last year, while vessels such as the Yantar (equipped with submersibles that can cut cables) patrol the Mediterranean without continuous Spanish underwater surveillance.

NATO launched Operation Baltic Sentry in January to protect submarine cables in the Baltic after detected sabotage (the Finland-Germany C-Lion cables were cut in November). The initiative has so far deterred new attacks. But there is no Mediterranean equivalent, leaving Spain exposed. The recently introduced Spanish naval drone SEAD 23 can cover twelve nautical miles with sonar, which is insufficient for comprehensive surveillance of the Strait. Moreover, it operates on the surface and cannot detect Russian submarines or ROVs cutting cables at depths of three hundred meters.

Three guardians that stay distant

Spain has three competent authorities for critical infrastructure cybersecurity: CNPIC (Ministry of the Interior), CCN-CERT (Defense/CNI), and INCIBE-CERT (businesses and citizens). In real crises, the three act together: if the affected infrastructure is private, INCIBE leads; if it is public, CCN-CERT leads; if it is public-private critical infrastructure (as in the 2025 blackout), all three coordinate simultaneously.

The CCN-CERT managed more than 30,000 incidents classified as critical or very high across its twenty-year history, with a growth of 1,384% in the last decade. INCIBE reported 97,348 incidents in 2024 (an increase of 16.6% compared to 2023). But these figures rely on voluntary notifications when risk is high, resulting in underreporting: successfully contained attacks or those classified as medium risk do not appear in official statistics.

The CNPIC has 150 employees tasked with supervising protection for more than 2,000 critical operators across Spain, although operators themselves possess qualified staff who coordinate with CNPIC. The European NIS2 directive imposes mandatory controls, but Spain lacks the budget and personnel for practical verification. The regulation exists; the capacity to enforce it is another matter.

José Luis Rojo, EY’s cybersecurity partner, noted in April that “it is estimated that around 40,000 cybersecurity professionals were missing in Spain in 2024.” This talent gap is more serious than any technological shortfall: you can buy advanced tools, but you cannot create experts in six months. Current training programs produce about 1,500 graduates per year, which is insufficient to close the gap within a decade.

The nervous system of Spain

According to Cipher’s x63 Unit, cyberattacks on Spanish infrastructure rose by 43% in 2024, with particular impact on the energy sector, which accounted for roughly 9% of those incidents. However, the real problem is not the quantity; it’s that 60% of industrial control systems (SCADA) that manage power grids, water plants, and refineries operate on technology designed before 2010, when cybersecurity was not a design parameter.

These systems were built to be physically isolated. Now they’re connected to corporate networks for operational efficiency. This raises a critical technical debate: critical infrastructures are required to implement the ENS and pass audits, which in theory guarantees proper segmentation between IT (corporate) and OT (operational) networks. However, the operational reality is nuanced: segmentation exists on paper, but practical implementation varies by operator and by the age of the systems.

Sandworm, the Russian group that took Ukraine offline in 2015, used precisely this vulnerability: they gained access to corporate networks via conventional phishing, then moved into OT networks and directly manipulated electrical substation switches. APT28 and Volt Typhoon replicate this doctrine.

Moreover, it is estimated that 85% of Spanish domestic routers never update their firmware manually, although many manufacturers implement OTA automatic updates. The mass exploitation of routers to create botnets (such as the Mirai malware in the past) remains an active tactic, although remotely exploitable critical vulnerabilities in modern routers are less frequent than a decade ago. Nevertheless, compromising domestic routers to mask malicious traffic remains a documented tactic.

In Spain the three authorities have on-paper protocols and carry out sectoral exercises annually (CyberEx Spain since 2016). But they have never simulated a national crisis with simultaneous cyberattacks across multiple interdependent sectors that would train real coordination among ministries, autonomous communities, security forces, and critical operators under pressure.

The conflict Spain cannot imagine

The danger is not the cyberattack Spain imagines: massive, attributable, equivalent to a declaration of war. The danger is the cyberattack it does not imagine: silent, gradual, without clear attribution, designed to erode public trust without crossing NATO’s Article 5 threshold.

Bauer warned that “Europe must prepare for cyberattacks, sabotage, and other gray-zone activities.” But a critical nuance must be added: the most effective hybrid war is not cyberattacks on infrastructure (increasingly costly, difficult, and with reduced impact thanks to countermeasures), but disruption through information warfare and propaganda. Russia and other actors have attempted interference in Catalan processes, and there is evidence of operations aimed at polarizing and destabilizing through disinformation. Added to this is the use of tools such as Pegasus in the Spain-Morocco environment, which has shown how digital espionage against political leaders, activists, and security officials can rearrange agendas and quietly generate internal distrust. The real strategic value isn’t darkening a substation for six hours; it’s stealing classified data from ministries, budgets, diplomatic contacts, and strategic plans that provide a lasting informational advantage.

Spain invested 370 million euros in cybersecurity between 2020 and 2024 and announced an additional 1.1 billion in 2025. But compared with adversaries’ offensive budgets (China spends about $2 billion), it operates at an asymmetric disadvantage. It is defending a medieval castle with higher walls while the threat arrives via military drones.

Spain faces a structural cyber dilemma: it is a valuable geographic target, has defensive capabilities in the process of consolidation (ENS advancing, but with uneven implementation), and operates with interdependencies that require dynamic modeling. There is no partial solution. It demands a complete doctrinal transformation from “protect each installation individually” to “national systemic resilience,” with dynamic modeling of interdependencies, investment in undersea surveillance, a unified cyber command, and multisector simulations.

The window of opportunity is closing. Every month without transformation is a month in which malicious state actors consolidate their capabilities. The guardians keep watching the doors of the Spanish house. The task is also to watch the interior and expel, in time, the intruder who is already sitting in the living room.

When that moment arrives, Spain will discover that the real threat was never the attack it feared, but the silence it ignored.

Natalie Foster

I’m a political writer focused on making complex issues clear, accessible, and worth engaging with. From local dynamics to national debates, I aim to connect facts with context so readers can form their own informed views. I believe strong journalism should challenge, question, and open space for thoughtful discussion rather than amplify noise.