Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Attacks

Several state-sponsored and criminal cyber groups from China, Iran, North Korea, and Russia have increasingly targeted the defense industrial base (DIB), according to the latest findings from the Google Threat Intelligence Group (GTIG).

GTIG reports that these attacks revolve around four main strategies: targeting of defense entities connected to battlefield technologies in the Russia-Ukraine conflict; exploitation of employees and recruitment processes by North Korean and Iranian actors; use of edge devices and network appliances as initial access points by China-linked groups; and supply chain risk introduced through breaches in the manufacturing sector.

“Many major state-sponsored and hacktivist actors show interest in autonomous vehicles and drones, which are increasingly central to modern warfare,” GTIG explained. “Actors also continue to prioritize evading detection, often focusing on individual endpoints or conducting intrusions designed to bypass endpoint detection and response (EDR) tools.”

Key Threat Actors

  • APT44 (Sandworm): Targeted encrypted messaging apps Telegram and Signal, using tools like WAVESIGN to decrypt and extract data, potentially after gaining physical access during operations in Ukraine.
  • TEMP.Vermin (UAC-0020): Deployed malware such as VERMONSTER, SPECTRUM, and FIRMACHAGENT, using lures around drone tech, anti-drone systems, and surveillance equipment.
  • UNC5125 (FlyingYeti / UAC-0149): Focused on frontline drone units, using Google Forms questionnaires for reconnaissance and distributing malware like MESSYFORK via messaging apps. Android malware GREYBATTLE was also used to steal credentials via spoofed AI company websites.
  • UNC5792 (UAC-0195) and UNC4221 (UAC-0185): Targeted secure messaging apps, employing tactics like hijacking Signal accounts, deploying Android malware (STALECOOKIE), and using remote management tools like MeshAgent.
  • Russian Clusters (UNC5976, UNC6096, UNC5114): Conducted phishing campaigns, malware delivery via WhatsApp, and Android malware distribution, often masquerading as Ukrainian telecom or military software.
  • APT45 (Andariel) and APT43 (Kimsuky): Targeted South Korean defense, semiconductor, and automotive sectors using SmallTiger and THINWAVE malware.
  • UNC2970 (Lazarus Group) and UNC1549 (Nimbus Manticore): Ran Dream Job-style campaigns targeting aerospace, defense, and energy industries, leveraging AI tools for reconnaissance.
  • UNC6446: Iranian-nexus actor distributing malware through resume builder and personality test apps aimed at aerospace and defense personnel.
  • APT5 (Keyhole Panda / Mulberry Typhoon): Phishing campaigns targeting current and former aerospace and defense employees.
  • UNC3236 (Volt Typhoon) and UNC6508: Conducted reconnaissance against North American military portals and targeted research institutions using malware like INFINITERED.

Additionally, China-linked groups have been observed using operational relay box (ORB) networks to conduct reconnaissance against defense targets, complicating attribution and detection efforts.

Persistent Threats to the Defense Sector

Google highlights that, despite regional differences, the defense industrial base faces continuous, multi-vector cyber threats. Financially motivated cybercriminals also target this sector and the wider manufacturing industry for extortion and monetary gain.

“Operations against defense contractors in Ukraine, exploitation of defense personnel, persistent intrusions by China-linked actors, and manufacturing sector compromises represent some of the most pressing threats to the industry today,” GTIG stated.
