
Hacktivists, State Actors, Cybercriminals Target Global Defense Industry, Google Warns

Threat actors from Russia, China, North Korea and Iran have been observed launching attacks. The post Hacktivists, State Actors, Cybercriminals Target Global Defense Industry, Google Warns appeared first on SecurityWeek.


Hacktivists, state-sponsored threat actors, and profit-driven cybercrime groups have been targeting the defense industrial base (DIB) sector, according to an analysis published on Wednesday by Google Threat Intelligence Group (GTIG).

Google warns of escalating, multifaceted cyber threats targeting the global DIB, including contractors, suppliers, and personnel supporting military capabilities.

The analysis highlights a “relentless barrage” of cyber operations from state-sponsored actors linked to China, Russia, Iran, and North Korea; pro-Russia and pro-Iran hacktivists; and cybercriminals, particularly groups launching ransomware attacks on manufacturing.

China-nexus cyberespionage dominates in volume, often exploiting edge devices and zero-days for long-dwell intrusions into aerospace and defense entities. Groups conducting such operations include UNC4841, UNC3886 (blamed for the recent Singapore telecom attacks), and UNC5221.

Russian actors such as APT44 (Sandworm), UNC5125, and UNC5792 have targeted Ukraine and other countries, focusing on battlefield-adjacent technologies such as drones. 

GTIG has highlighted that one threat group linked to Russia’s intelligence services has been using LLMs to overcome certain technical limitations. 

“Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup,” GTIG explained in its report.

North Korea-linked groups blend espionage with revenue generation through IT worker infiltration schemes at defense firms.

Google has described attacks conducted by APT45 against defense, automotive manufacturing, and semiconductor companies in South Korea; APT43 attacks impersonating defense entities in the US and Germany; and UNC2970 campaigns leveraging the Gemini chatbot for OSINT and campaign planning.

Operations attributed to Iran, including activity clusters tracked as UNC1549 and UNC6446, have leveraged spoofed recruitment portals and job offers to deploy malware.

“GTIG has identified fake job descriptions, portals, and survey lures hosted on UNC1549 infrastructure masquerading as aerospace, technology, and thermal imaging companies, including drone manufacturing entities, to likely target personnel interested in major defense contractors,” GTIG said.

As for hacktivists, pro-Russia and pro-Iran groups have been observed conducting DDoS attacks, doxxing, and hack-and-leak campaigns.

The GTIG report also covers ransomware attacks, which disrupt manufacturing supply chains and amplify broader defense vulnerabilities. For several years, manufacturing has been the most targeted sector in ransomware attacks.

The report stresses that threats increasingly target soft vectors such as hiring processes, personal emails and devices, and unmanaged edge appliances, often using methods that enable the attackers to evade detection by traditional security systems.

Google recommends proactive integration of threat intelligence into hunting, resilient architecture design, and expanded visibility across personnel, suppliers, and perimeter systems to counter these multi-vector attacks.

Related: Pentagon Outlines Cybersecurity Strategy for Defense Industrial Base

Related: Iranian Hackers Targeting US Defense Industrial Base Entities With New Backdoor

Related: CMMC Live: Pentagon Demands Verified Cybersecurity From Contractors
