Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have trained their sights on the defense industrial base (DIB) sector, according to findings from Google Threat Intelligence Group (GTIG). The tech giant's threat intelligence division said the adversarial targeting of the sector is centered around four key themes: striking defense
AI Analysis
Technical Summary
Google Threat Intelligence Group (GTIG) has identified coordinated cyber operations by state-sponsored and criminal groups from China, Iran, Russia, and North Korea targeting the defense industrial base (DIB) sector. These adversaries focus on four main themes: targeting defense technologies deployed in the Russia-Ukraine conflict, exploiting defense personnel through social engineering and hiring process infiltration, leveraging edge devices for initial access, and exploiting supply chain vulnerabilities in manufacturing. Notable threat actors include APT44 (Sandworm), TEMP.Vermin, UNC5125 (FlyingYeti), UNC5792, UNC4221, and multiple Russian espionage clusters such as UNC5976 and UNC6096. Techniques include malware deployment (e.g., VERMONSTER, MESSYFORK, GREYBATTLE), phishing with tailored lures, exploitation of secure messaging apps (Signal, Telegram), and use of Android malware variants targeting battlefield applications. Attackers also use operational relay box (ORB) networks to obfuscate traffic and evade geofencing and detection. The campaigns are characterized by evasion of endpoint detection and response (EDR) tools, targeted reconnaissance using AI, and supply chain compromises. The threat actors aim to exfiltrate sensitive military and defense contractor data, disrupt operations, and gain persistent access. The campaigns extend beyond Ukraine to include European countries such as France, Moldova, and Georgia, highlighting a broad geographic scope. Financially motivated actors also target the manufacturing sector for extortion. The persistent, multi-vector nature of these campaigns underscores the ongoing siege on the DIB sector by sophisticated adversaries.
Potential Impact
European organizations in the defense sector face significant risks including espionage, theft of sensitive military and technological data, disruption of defense manufacturing supply chains, and compromise of personnel credentials. The targeting of secure communications and battlefield management platforms threatens operational security and confidentiality. Supply chain breaches can introduce persistent backdoors or malware into critical defense systems, potentially degrading integrity and availability. The use of advanced evasion techniques and AI-driven reconnaissance complicates detection and response, increasing the likelihood of successful intrusions. The impact extends to allied support functions and defense contractors across Europe, potentially undermining national security and defense readiness. Additionally, the targeting of personnel through social engineering and hiring process exploitation increases insider threat risks. The multi-national scope and use of sophisticated malware and phishing campaigns elevate the threat level for European defense entities, especially those involved in drone technology, autonomous vehicles, and battlefield communications.
Mitigation Recommendations
European defense organizations should implement advanced threat detection capabilities focusing on behavioral analytics to identify evasive malware and reconnaissance activities. Further recommendations:
- Enhance supply chain security by conducting rigorous security assessments of suppliers and integrating continuous monitoring for anomalous activity.
- Employ multi-factor authentication (MFA) and strict access controls, especially for personnel involved in sensitive projects and communications.
- Conduct targeted security awareness training addressing spear-phishing, social engineering, and hiring process exploitation tactics.
- Monitor and restrict use of edge devices and IoT appliances that could serve as initial access points.
- Deploy network segmentation to isolate critical defense systems and battlefield management platforms from general IT infrastructure.
- Utilize threat intelligence sharing platforms to stay informed about emerging tactics and indicators of compromise related to these threat actors.
- Implement endpoint detection and response (EDR) tools with capabilities to detect stealthy intrusions and lateral movement.
- Regularly audit and update secure messaging app configurations and educate users on the risks of device linking features.
- Finally, develop incident response plans tailored to multi-vector, persistent threats targeting defense sectors.
Affected Countries
France, Germany, United Kingdom, Poland, Ukraine, Moldova, Georgia
Technical Details
- Article Source: https://thehackernews.com/2026/02/google-links-china-iran-russia-north.html (fetched 2026-02-14T12:16:31Z, 1608 words)
Threat ID: 699067a1c9e1ff5ad8890c6f
Added to database: 2/14/2026, 12:16:33 PM
Last enriched: 2/14/2026, 12:16:47 PM
Last updated: 3/31/2026, 11:49:10 AM