According to findings by the Google Threat Intelligence Group (GTIG), a number of state-sponsored actors, hacktivist entities and criminal groups from China, Iran, North Korea and Russia have set their sights on the Defense Industrial Base (DIB) sector.
The tech giant’s threat intelligence division said adversarial targeting of the sector centers on four themes: attacks on defense units deploying technology on the battlefield in the Russia-Ukraine war; direct contact with employees and abuse of the recruitment process by North Korean and Iranian actors; the use of edge devices and equipment as an initial access route by China-nexus groups; and supply chain risk posed by breaches in the manufacturing sector.
“Many of the main state-sponsors of cyber espionage and hacktivist actors have shown interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare,” GTIG said. “In addition, the tendency to ‘avoid detection’ […] continuing, as actors focus on single endpoints and individuals, or execute intrusions in a way that tries to avoid endpoint detection and response (EDR) tools altogether.”
Some notable threat actors taking part in the activity include –
- APT44 (aka Sandworm): Has attempted, possibly, to exfiltrate information from the Telegram and Signal encrypted messaging applications after gaining physical access to equipment captured during on-ground operations in Ukraine. This involves a Windows batch script called WAVESIGN that decrypts and exfiltrates data from Signal’s desktop app.
- TEMP.VERMIN (aka UAC-0020): Has distributed malware such as VERMONSTER, SPECTRUM (aka SPECTR), and FIRMACHAGENT using lures revolving around drone production and development, anti-drone defense systems, and video surveillance security systems.
- UNC5125 (aka FlyingYati and UAC-0149): Has launched highly targeted operations against frontline drone units. It used a questionnaire hosted on Google Forms to conduct reconnaissance against potential drone operators, and distributed malware such as Messyfork (aka Cookbox) through messaging apps to an unmanned aerial vehicle (UAV) operator based in Ukraine. The group is also said to have used an Android malware called GreyBattle, a customized version of the Hydra banking trojan, to steal credentials and data, distributing it through a website that spoofed a Ukrainian military artificial intelligence company.
- UNC5792 (aka UAC-0195): Has used secure messaging apps to target the Ukrainian military and government entities, as well as individuals and organizations in Moldova, Georgia, France, and the US. The threat actor is notable for abusing Signal’s device-linking feature to hijack victim accounts.
- UNC4221 (aka UAC-0185): Has targeted secure messaging apps used by Ukrainian military personnel with tactics similar to those of UNC5792. The threat actor also used an Android malware called STALECOOKIE that mimics Ukraine’s battlefield management platform DELTA to steal browser cookies. Another tactic is the use of ClickFix to distribute the TINYWHALE downloader, which in turn drops the MeshAgent remote management software.
- UNC5976: A Russian espionage group that conducted a phishing campaign distributing malicious RDP connection files configured to connect to actor-controlled domains mimicking a Ukrainian telecommunications company.
- UNC6096: A Russian espionage cluster that ran a malware delivery operation over WhatsApp, using DELTA-related themes to distribute an archive containing a malicious LNK shortcut that downloads a secondary payload. In attacks targeting Android devices, malware called GALLGRAB has been distributed that collects locally stored files, contact information, and potentially encrypted user data from specific battlefield applications.
- UNC5114: A suspected Russian espionage group that distributed a version of the off-the-shelf Android malware CrackRAT, presenting it as an update to Kropyva, the battle control system used in Ukraine.
- APT45 (aka Andariel): Has targeted South Korean defense, semiconductor and automotive manufacturing entities with SmallTiger malware.
- APT43 (aka Kimsuky): Has likely used infrastructure mimicking that of German and American defense-related entities to deploy a backdoor called ThinWave.
- UNC2970 (aka Lazarus Group): Besides relying on artificial intelligence (AI) tools for reconnaissance on its targets, it has run Operation Dream Job campaigns against the aerospace, defense and energy sectors.
- UNC1549 (aka Nimbus Manticore): Has targeted the aerospace, aviation and defense industries in the Middle East with malware families such as MINIBIKE, TWOSTROKE, DEEPROOT and CRASHPAD. The group is known for running Lazarus Group-style fake job campaigns that trick users into executing malware or handing over credentials under the guise of legitimate employment opportunities.
- UNC6446: An Iran-nexus threat actor that used resume builder and personality testing applications to distribute custom malware to targets in the aerospace and defense sector across the US and the Middle East.
- APT5 (aka Keyhole Panda and Mulberry Typhoon): Has targeted current and former employees of major aerospace and defense contractors with tailored phishing lures.
- UNC3236 (aka Volt Typhoon): Has conducted reconnaissance against publicly hosted login portals of North American military and defense contractors, using the ARCMAZE obfuscation framework to conceal its origin.
- UNC6508: A China-nexus threat cluster that targeted a US-based research institute in late 2023, exploiting a REDCap flaw to deploy a custom malware called INFINITERED, which provides persistent remote access and credential theft by subverting the application’s software upgrade process.
Additionally, Google said it has observed China-nexus threat groups using Operational Relay Box (ORB) networks to conduct reconnaissance against defense industrial targets, complicating detection and attribution.
ORBs give threat actors several advantages: they can route their traffic through home or commercial networks, blend in with ordinary user traffic, bypass geofencing controls, and position themselves geographically close to the target ahead of an attack. ORB networks are also resilient to takedown, since the operators can keep adding devices to scale the network even as individual nodes are discovered and blocked. For a defender, the practical consequence is that a source-country allowlist on a login portal says little about who is behind a connection; the source ASN, whether it is new for that account, and how quickly the account hops between networks are more useful signals.
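The two points above, that ORB traffic through residential networks defeats a plain country geofence (this paragraph) and that adversaries probe publicly hosted login portals (the UNC3236 entry), are illustrated by the following added example. It is not code from GTIG or from this article; the authentication log lines, the IP-to-ASN table, the "known ORB ASN" list and the per-account baselines are all constructed for the demonstration, and a real deployment would take them from its own GeoIP/ASN enrichment and identity provider. It runs a naive geofence and a layered check over the same events and shows which logins each one flags.

```python
"""Geofence vs. layered login checks against ORB-routed traffic (added example)."""
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP/ASN lookup (assumption: a real system would
# query an ASN database or its enrichment pipeline instead of a dict).
IP_INFO = {
    "203.0.113.7":   {"country": "US", "asn": "AS64500", "asn_type": "corporate"},
    "198.51.100.9":  {"country": "US", "asn": "AS64501", "asn_type": "residential"},
    "192.0.2.44":    {"country": "US", "asn": "AS64502", "asn_type": "residential"},
    "198.51.100.77": {"country": "CN", "asn": "AS64503", "asn_type": "hosting"},
}
# Constructed: residential ASNs previously seen hosting compromised SOHO devices.
KNOWN_ORB_ASNS = {"AS64501", "AS64502"}
ALLOWED_COUNTRIES = {"US", "CA"}
# Constructed per-account baseline of ASNs observed during a learning period.
BASELINE_ASNS = {"jdoe": {"AS64500"}, "asmith": {"AS64500"}}
CHURN_WINDOW = timedelta(minutes=15)  # distinct ASNs per account inside this window
CHURN_THRESHOLD = 3

# Constructed sample portal log: one user hopping across two residential ASNs
# inside the allowed country, one user arriving from a hosting ASN abroad.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=jdoe ip=203.0.113.7 result=success
2024-05-01T08:05:00Z user=jdoe ip=198.51.100.9 result=success
2024-05-01T08:07:00Z user=jdoe ip=192.0.2.44 result=success
2024-05-01T08:08:00Z user=asmith ip=198.51.100.77 result=failure
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(item.split("=", 1) for item in pairs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def geofence_only(events):
    """Naive control: alert only when the source country is not allowlisted."""
    alerts = []
    for e in events:
        if IP_INFO[e["ip"]]["country"] not in ALLOWED_COUNTRIES:
            alerts.append((e["user"], e["ip"], ["country"]))
    return alerts


def layered_check(events):
    """Combine country, ASN reputation, per-account ASN baseline and ASN churn.

    Returns (user, ip, reasons) for every event that trips at least one signal.
    """
    alerts = []
    recent = {}  # user -> [(ts, asn)] seen inside the churn window
    for e in sorted(events, key=lambda x: x["ts"]):
        info = IP_INFO[e["ip"]]
        reasons = []
        if info["country"] not in ALLOWED_COUNTRIES:
            reasons.append("country")
        if info["asn"] in KNOWN_ORB_ASNS:
            reasons.append("known-orb-asn")
        if info["asn"] not in BASELINE_ASNS.get(e["user"], set()):
            reasons.append("new-asn")
        window = [x for x in recent.get(e["user"], []) if e["ts"] - x[0] <= CHURN_WINDOW]
        window.append((e["ts"], info["asn"]))
        recent[e["user"]] = window
        if len({asn for _, asn in window}) >= CHURN_THRESHOLD:
            reasons.append("asn-churn")
        if reasons:
            alerts.append((e["user"], e["ip"], reasons))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("geofence only:", geofence_only(events))
    print("layered      :", layered_check(events))
```

Against the constructed log the geofence flags only the connection from China and passes both residential-ASN logins for jdoe, which is exactly the traffic an ORB node produces. The layered check flags those two as well, first because the ASN is on the known-ORB list and unseen for the account, then because the account has touched three networks within fifteen minutes. Thresholds and baselines here are illustrative; the point is that ASN-level context, not country, is what separates ORB traffic from a legitimate user.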
“While specific risks vary by geographic footprint and sub-sector specialization, the broader trend is clear: the defense industrial base is under constant, multi-vector siege,” Google said. “Financially motivated actors conduct extortion against this sector and the broader manufacturing base, like many other verticals they target for monetary gain.”
“The campaign against defense contractors in Ukraine, threats or exploitation of defense personnel, continued volume of intrusions by China-collusive actors, and hacks, leaks and disruptions to the manufacturing base are some of the major threats to this industry today.”