Google GTIG Warns of Intensifying Nation-State Targeting of the Defense Industrial Base
Google’s Threat Intelligence Group (GTIG) reported sustained and expanding cyber operations against the defense industrial base (DIB) by state-linked and aligned actors from China, Iran, North Korea, and Russia, driven by battlefield technology demands and geopolitical conflict. Reported themes include targeting defense organizations supporting the Russia–Ukraine war, social engineering and recruitment/hiring-process abuse aimed at employees (notably attributed to North Korean and Iranian activity), increased reliance on edge devices and appliances for initial access by China-nexus groups, and heightened supply-chain exposure tied to compromises in adjacent manufacturing ecosystems.
The reporting highlights specific tactics and actor activity, including Russia-linked APT44 (Sandworm) efforts to access data from Telegram and Signal, including use of a Windows batch script (WAVESIGN) to decrypt and exfiltrate data from Signal Desktop after likely obtaining physical access to devices in Ukraine. Additional activity described includes Ukraine-focused campaigns using defense-themed lures (e.g., drones and counter-drone systems) and broader nation-state use of zero-day exploitation in edge devices to establish footholds in defense contractors’ networks, reinforcing GTIG’s assessment that “pre-positioning” and continuous access-building are now baseline expectations for DIB organizations.

How this story unfolded
Six events, listed from the most recent confirmed update back to the earliest known activity.
China-linked actors target contractors via phishing, portals, and edge exploits
China-nexus groups were reported phishing defense contractor personnel, probing contractor portals, exploiting edge infrastructure, and abusing REDCap to implant persistent malware. Researchers also noted use of ORB networks to hinder detection and attribution.
Iran-linked campaigns use fake job materials to deliver malware
Iran-aligned operators were reported targeting aerospace and defense personnel in the U.S. and Middle East with resume- and personality-test-themed lures carrying custom malware. The campaigns also included tailored phishing and job-portal abuse aimed at defense workers.
North Korean actors abuse defense hiring and IT worker channels
Researchers reported North Korea-linked campaigns targeting defense and aerospace organizations through fraudulent recruitment, direct employee outreach, and IT worker schemes. Some activity also involved credential theft, backdooring attempts, and AI-assisted reconnaissance.
Russia-linked clusters target Ukrainian military communications and Android users
GTIG highlighted Russia-aligned activity focused on battlefield-relevant access, including attacks on Ukrainian military communications and Android devices. The operations included abuse of Signal features and Android malware disguised as Ukrainian military tools.
Attackers shift to edge-device exploitation for covert pre-positioning
Researchers described a growing tactic of exploiting internet-facing edge devices such as VPN appliances and security gateways to gain initial access and maintain long-term footholds in strategically important networks. This approach emphasizes persistent pre-positioning and evasion over noisier endpoint-focused intrusion methods.
State-backed groups intensify targeting of the defense industrial base
Google Threat Intelligence Group and other researchers reported sustained cyber operations against defense industrial base organizations by actors linked to China, Russia, Iran, and North Korea. The activity spans espionage, access-building, credential theft, phishing, and supply-chain targeting across multiple regions.