A new report from Google Threat Intelligence Group (GTIG) paints a stark picture of the modern battlefield, where the front lines have shifted from trenches to server rooms. The defense industrial base (DIB)—the network of manufacturers and contractors that build the world’s military technology—is now under a “state of constant, multi-vector siege” by state-sponsored actors and criminal syndicates alike.
From Russian intelligence units hunting for drone secrets in Ukraine to North Korean IT workers infiltrating US companies, the report details a multifaceted assault designed to steal secrets, disrupt supply chains, and undermine national security.
Russia’s invasion of Ukraine has been accompanied by a parallel cyber war, one that extends far beyond the immediate conflict zone. Russian espionage actors are aggressively targeting Western defense entities, viewing the war as “an extension of a broader campaign against Western encroachment”.
A key focus has been on “emerging technologies,” particularly unmanned aircraft systems (UAS).
- TEMP.Vermin, a group linked to the so-called Luhansk People’s Republic, has been caught using lures themed around “drone production and development” and “anti-drone defense systems” to deploy malware.
- APT44 (Sandworm), the notorious unit within Russia’s GRU, continues to target the personal devices of military personnel, using malware like INFAMOUSCHISEL to steal data from battlefield management apps.
The report also highlights a “less sophisticated” Russian group using Large Language Models (LLMs) to overcome technical limitations, using AI to “conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions”.
Perhaps the most insidious threat comes from North Korea (DPRK), which has industrialized the practice of planting “insider threats” within Western companies. Driven by a need for revenue and intelligence, North Korean IT workers are infiltrating defense contractors by posing as remote employees.
In one striking example, a US facilitator helped a North Korean IT worker land a remote software development job at a Virginia-based company working on a government defense contract. The worker used the facilitator’s identity to log in, ultimately sending their earnings back to the regime.
“GTIG continues to observe a multifaceted threat landscape that centers around personnel, and often in a manner that evades traditional enterprise security visibility,” the report warns.
While Russia focuses on the battlefield, China-nexus groups remain the “most active threat to entities in the defense industrial base” by volume. Their strategy has shifted toward exploiting “edge devices”—VPNs, firewalls, and routers that often lack advanced security monitoring.
Since 2020, Chinese groups have exploited “more than two dozen zero-day (0-day) vulnerabilities in edge devices”. Groups like UNC5221 prioritize these devices to bypass traditional defenses, establishing long-term access to “central nodes” in the global technology supply chain.
The report also notes a surge in “geopolitically motivated hacktivist activity,” particularly from pro-Russia and pro-Iran groups. These actors have moved beyond simple website defacements to “hack-and-leak” operations designed to intimidate and disrupt.
- Pro-Iran groups like Cyber Toufan have targeted the Israeli defense sector, leaking sensitive schematics and personnel data to “erode public trust”.
- Pro-Russia groups like NoName057(16) have launched DDoS attacks against European defense manufacturers, while others have “doxxed” Ukrainian defense contractors to expose their employees.
“To maintain a competitive advantage, organizations must move beyond reactive postures,” GTIG concludes. In a world where a job applicant could be a North Korean spy and a firewall could be a Chinese backdoor, the defense sector must defend its networks as vigorously as it defends the nation.