The defense industry is facing an intense, multi-front cyber onslaught as espionage, personnel targeting, and supply chain attacks converge into a persistent, strategic risk to national security.
Recent analysis from Google’s Threat Intelligence Group (GTIG) shows that state-backed actors and cybercriminals are increasingly focusing on the defense industrial base (DIB), exploiting everything from frontline battlefield systems to global manufacturing networks that quietly power modern militaries.
Campaigns include compromising secure messaging apps, abusing device-linking features in tools like Signal and WhatsApp, and weaponizing drone‑themed documents to harvest credentials from frontline units.
These intrusions increasingly bypass traditional enterprise monitoring by going after individual soldiers’ and contractors’ devices, where data from encrypted messengers and tactical apps can be quietly exfiltrated.
GTIG reports that Russia‑aligned actors and hacktivists are heavily targeting organizations connected to the Russia‑Ukraine war, with a particular focus on unmanned aircraft systems and battlefield management platforms such as Delta and Kropyva.
UNC5976 included hundreds of domains spoofing defense contractors including companies headquartered in the UK, the US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.
GTIG notes multiple Russian clusters using custom Android malware and malicious PowerShell chains to maintain access, underscoring how personal devices have become an extension of the modern battlefield.
Personnel and hiring pipelines
Beyond the front line, attackers are systematically exploiting the human layer of the defense ecosystem, including hiring pipelines, professional networks, and personal email accounts.
Related infrastructure was also used by HANGMAN.V2, a backdoor used by APT43 and suspected APT43 clusters.
North Korean operators, for example, are running long‑term IT worker schemes to infiltrate Western firms, with documented cases of insiders helping DPRK workers gain remote roles on sensitive defense programs and exfiltrate intellectual property.
Iranian groups are running industrialized, job‑themed phishing campaigns that spoof aerospace and UAV manufacturers, recruiting portals, and even personality‑test and resume‑builder apps to deliver custom malware.
China‑nexus actors such as APT5 have targeted personal email accounts of current and former employees of major defense and aerospace firms using highly tailored lures tied to local events, professional conferences, and even community or family activities.
GTIG assesses that China‑nexus cyber espionage actors represent the highest-volume threat to the defense industrial base over the last two years, distinguished by a strategic focus on edge devices and zero‑day exploitation.
Since 2020, Chinese groups have exploited more than two dozen zero‑day vulnerabilities in VPNs, routers, firewalls, and other perimeter appliances from at least ten vendors, often in environments where endpoint detection tools have limited visibility.
Highly capable clusters such as UNC3886 and UNC5221 have combined this access with extensive obfuscation and long dwell times, including a BRICKSTORM campaign with an average presence of 393 days inside victim networks that included aerospace and defense organizations.
Other China‑linked groups have leveraged compromised research platforms and mail systems to filter and forward email containing hundreds of defense‑related terms, particularly those tied to drones and counter‑UAS systems.
Supply Chain Vulnerabilities
GTIG warns that even when direct defense contractors are not the primary victims, the wider manufacturing sector that supplies dual‑use components is absorbing heavy damage from extortion operations.
USDoD further indicated that they had a personal vendetta and were not motivated by politics. In October 2024, Brazilian authorities arrested an individual accused of being USDoD.
Since 2020, manufacturing has consistently been the most represented sector on ransomware data leak sites tracked by GTIG, with a 2025 incident at a UK automotive manufacturer that also produces military vehicles disrupting production for weeks and affecting more than 5,000 other organizations.
Hack‑and‑leak campaigns and illicit data markets are amplifying this risk, with actors openly advertising access to unnamed defense contractors and leaking or selling purportedly sensitive defense documentation.
Pro‑Russia personas have also escalated from DDoS toward supply chain compromises, doxxing campaigns, and coordinated leaks aimed at eroding trust in defense institutions and exposing military‑industrial relationships.
GTIG’s overarching conclusion is that the defense sector is now under constant, multi‑vector siege, with campaigns spanning Russian battlefield espionage, North Korean and Iranian personnel targeting, persistent Chinese edge‑device exploitation, and the systemic exposure of the manufacturing supply chain.
The report urges defense organizations and their suppliers to move beyond reactive security and embed threat intelligence into proactive hunting, architectural hardening of edge infrastructure, and closer scrutiny of human‑centric processes like hiring and vendor onboarding.
Without this shift, GTIG warns that defense technologies risk being compromised long before they reach operational theaters, undermining national security at the design, development, and procurement stages rather than solely on the battlefield.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
