Google Uncovers Global Cyber Threat: China, Iran, Russia, and North Korea Coordinated Defense Sector Attacks
- 6 days ago
Key Findings:
Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have targeted the defense industrial base (DIB) sector.
The adversarial targeting is centered around four key themes: striking defense entities in the Russia-Ukraine War, approaching employees and exploiting the hiring process, using edge devices/appliances for initial access, and supply chain risk from manufacturing breaches.
Notable threat actors involved include APT44 (Sandworm), TEMP.Vermin, UNC5125 (FlyingYeti), UNC5792, UNC4221, UNC5976, UNC6096, UNC5114, APT45 (Andariel), APT43 (Kimsuky), UNC2970 (Lazarus Group), and UNC1549 (Nimbus Manticore).
Background
The report from Google Threat Intelligence Group (GTIG) finds that the principal state sponsors of cyber espionage, along with aligned hacktivist actors, have shown increased interest in autonomous vehicles and drones as these platforms take on an expanding role in modern warfare. The "evasion of detection" trend also continues: actors focus on single endpoints and individuals, or carry out intrusions in ways designed to avoid endpoint detection and response (EDR) tooling.
Striking Defense Entities in the Russia-Ukraine War
APT44 (Sandworm) has attempted to exfiltrate data from the Telegram and Signal encrypted messaging apps, likely after gaining physical access to devices captured during ground operations in Ukraine.
TEMP.Vermin has used malware like VERMONSTER, SPECTRUM, and FIRMACHAGENT to target drone production, anti-drone defense systems, and video surveillance security systems.
UNC5125 (FlyingYeti) has conducted highly targeted campaigns against frontline drone units, using a questionnaire hosted on Google Forms for reconnaissance and distributing malware like MESSYFORK and GREYBATTLE.
Hijacking Secure Messaging Accounts
UNC5792 has targeted users of secure messaging apps in the Ukrainian military and government, as well as individuals and organizations in Moldova, Georgia, France, and the U.S., by abusing Signal's linked-devices feature to attach an attacker-controlled device to the victim's account and so hijack it.
UNC4221 has also targeted secure messaging apps used by Ukrainian military personnel, using tactics similar to UNC5792, and has leveraged the STALECOOKIE malware that mimics Ukraine's DELTA battlefield management platform.
Phishing and Mobile Malware Delivery
UNC5976, a Russian espionage cluster, has run a phishing campaign delivering malicious RDP connection (.rdp) files that, when opened, connect the victim to actor-controlled domains mimicking a Ukrainian telecommunications company.
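As an added example (not from the GTIG report or the article), here is a small scanner for the kind of .rdp file described above. It parses the `key:type:value` lines of an RDP connection file, extracts the `full address` target and checks it against a watchlist, and flags settings that hand the victim's local resources to the remote host. The redirection and RemoteApp settings it checks are standard RDP file options; treating them as indicators goes beyond the article, which only says the files connect to actor-controlled domains. The sample file, the benign file and the watchlist domains are constructed for the demonstration.

```python
"""Scan an RDP connection (.rdp) file for signs that it was built to give a
remote host access to the victim's machine. Added example; the settings
treated as risky are standard RDP file options, not indicators quoted from
the report. Sample inputs below are constructed."""
import re

# Settings that expose local resources to the RDP server. Each entry maps the
# (lower-cased) key to a predicate over the raw value that says "risky".
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",        # local drives mapped to the server
    "redirectclipboard": lambda v: v.strip() == "1",      # clipboard shared with the server
    "redirectsmartcards": lambda v: v.strip() == "1",     # smart cards reachable from the server
    "redirectprinters": lambda v: v.strip() == "1",
    "remoteapplicationmode": lambda v: v.strip() == "1",  # RemoteApp: remote program looks local
    "remoteapplicationprogram": lambda v: v.strip() != "",
}

# Hypothetical watchlist standing in for threat-intel indicators (constructed).
KNOWN_BAD_DOMAINS = {"telecom-support.example", "telecom-update.example"}

# RDP file lines look like "full address:s:host:port" or "redirectclipboard:i:1".
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text):
    """Return {key: (type, value)} for every well-formed key:type:value line."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group("key").strip().lower()] = (m.group("type"), m.group("value"))
    return settings


def host_of(full_address):
    """Strip an optional :port from a 'full address' value ([v6]:port handled)."""
    addr = full_address.strip()
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")]
    head, sep, tail = addr.rpartition(":")
    if sep and tail.isdigit():
        return head
    return addr


def assess_rdp(text, bad_domains=KNOWN_BAD_DOMAINS):
    """Return the target host, a list of findings and a verdict for one .rdp file."""
    settings = parse_rdp(text)
    host = host_of(settings.get("full address", ("s", ""))[1]).lower()
    findings = []
    if host in bad_domains:
        findings.append(f"target host {host} is on the watchlist")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key][1]):
            findings.append(f"{key}={settings[key][1].strip()!r} exposes local resources to the remote host")
    # authentication level 0 = connect without warning if server authentication fails
    if settings.get("authentication level", ("i", "2"))[1].strip() == "0":
        findings.append("authentication level:i:0 silently accepts an unverified server certificate")
    return {"host": host, "findings": findings, "verdict": "suspicious" if findings else "no findings"}


# Constructed sample: a lure file that maps drives, clipboard and smart cards to
# an attacker-controlled host and hides the session behind a RemoteApp window.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:telecom-support.example:3389
username:s:Administrator
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Document Viewer
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
authentication level:i:0
"""

# Constructed sample: an ordinary internal connection file with nothing redirected.
BENIGN_RDP = """\
full address:s:rds.corp.example.internal
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for name, text in (("sample lure", SAMPLE_RDP), ("benign file", BENIGN_RDP)):
        result = assess_rdp(text)
        print(f"{name}: {result['host'] or '<no host>'} -> {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

In practice the watchlist would be fed from threat intelligence, and the same parse is cheap enough to run on every .rdp attachment at the mail gateway; the RemoteApp and drive-redirection flags are the settings to alert on regardless of whether the host is already known bad.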
UNC6096, another Russian espionage cluster, has delivered malware via WhatsApp using DELTA-related themes to download a secondary payload.
Attacks on Android devices have delivered malware like GALLGRAB that collects locally stored files, contact information, and potentially encrypted user data from specialized battlefield applications.
Supply Chain Risks from Manufacturing Breaches
APT45 (Andariel) has targeted South Korean defense, semiconductor, and automotive manufacturing entities with SmallTiger malware.
APT43 (Kimsuky) has likely leveraged infrastructure mimicking German and U.S. defense-related entities to deploy a backdoor called THINWAVE.
UNC2970 (Lazarus Group) has conducted the Operation Dream Job campaign to target aerospace, defense, and energy sectors, in addition to using AI tools for reconnaissance.
UNC1549 (Nimbus Manticore) has targeted aerospace, aviation, and defense industries in the Middle East with malware families like MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD, and has orchestrated Lazarus Group-style Dream Job campaigns.
Sources
https://thehackernews.com/2026/02/google-links-china-iran-russia-north.html
https://x.com/TheCyberSecHub/status/2022363039677452550
https://www.cypro.se/2026/02/13/google-links-china-iran-russia-north-korea-to-coordinated-defense-sector-cyber-operations/
https://www.news4hackers.com/google-uncovers-global-cyber-threat-china-iran-russia-and-north-korea-linked-to-coordinated-defense-sector-hacking-operations/
https://www.reddit.com/r/SecOpsDaily/comments/1r3wakq/google_links_china_iran_russia_north_korea_to/