
Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

  • 8 hours ago

Executive Summary

Google’s Threat Analysis Group (TAG) and Mandiant have recently attributed a series of highly coordinated cyber operations targeting the global defense sector to state-sponsored actors from China, Iran, Russia, and North Korea. These campaigns are characterized by advanced, persistent, and multi-vector attacks leveraging sophisticated tactics, techniques, and procedures (TTPs) to compromise defense contractors, supply chain partners, and critical battlefield technologies. The operations are not isolated; rather, they demonstrate a convergence of strategic objectives, technical innovation, and operational tradecraft across these adversarial states. The primary goals are espionage, intellectual property theft, credential harvesting, and disruption of defense sector operations, with a particular focus on exploiting edge devices, supply chain vulnerabilities, and human targets within the defense industrial base (DIB).

Threat Actor Profile

The threat landscape is dominated by several advanced persistent threat (APT) groups, each with distinct but occasionally overlapping objectives and methodologies. APT44 (Sandworm), TEMP.Vermin (UAC-0020), UNC5125 (FlyingYeti/UAC-0149), UNC5792 (UAC-0195), UNC4221 (UAC-0185), UNC5976, UNC6096, and UNC5114 are Russian clusters focusing on battlefield technology, secure communications, and direct attacks on Ukrainian and allied defense assets. APT45 (Andariel), APT43 (Kimsuky), and UNC2970 (Lazarus Group) from North Korea are leveraging social engineering, “Dream Job” campaigns, and custom malware to infiltrate South Korean, US, and European defense and semiconductor sectors. UNC1549 (Nimbus Manticore) and UNC6446 from Iran are exploiting hiring processes and resume apps to deliver malware to aerospace and defense targets in the Middle East and the US. APT5 (Keyhole Panda/Mulberry Typhoon), UNC3236 (Volt Typhoon), and UNC6508 from China are exploiting edge devices, supply chain partners, and research institutions, often using advanced obfuscation and operational relay box (ORB) networks to evade detection and maintain persistence.

Technical Analysis of Malware/TTPs

The technical arsenal deployed by these actors is both diverse and highly adaptive. Russian groups have utilized WAVESIGN (a Windows batch script) to decrypt and exfiltrate Signal and Telegram data from battlefield devices, and have weaponized VERMONSTER, SPECTRUM, and FIRMACHAGENT for surveillance and drone/anti-drone operations. MESSYFORK (COOKBOX) and GREYBATTLE (a Hydra variant) are used for reconnaissance and malware delivery, often via spoofed AI company websites and Google Forms. STALECOOKIE, TINYWHALE, and MeshAgent target Android devices, mimicking legitimate battlefield management platforms like DELTA and Kropyva to steal cookies and enable remote management. GALLGRAB and CraxsRAT are distributed via WhatsApp and fake updates, respectively.

North Korean actors employ SmallTiger and THINWAVE backdoors, leveraging infrastructure mimicry and AI-driven reconnaissance. The “Dream Job” campaigns use custom malware embedded in fake job offers and AI tools to harvest credentials and conduct deep reconnaissance. Iranian groups deploy MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD in Dream Job-style campaigns, often using resume and personality test apps as delivery vectors. Chinese actors are notable for their use of INFINITERED (custom malware), ARCMAZE obfuscation, and exploitation of REDCap at US research institutions. Operational Relay Box (ORB) networks are a hallmark of Chinese TTPs, blending malicious and legitimate traffic to evade geofencing and detection.

Common TTPs across these campaigns include spearphishing, supply chain compromise, drive-by downloads, malicious RDP and LNK files, credential dumping, obfuscated payloads, and encrypted command and control (C2) channels. The use of AI and large language models (LLMs) for reconnaissance and targeting is an emerging trend, further complicating detection and response.

Exploitation in the Wild

These campaigns have been observed in active exploitation across multiple theaters. In Ukraine, Russian APTs have targeted military, government, and battlefield technology platforms, including direct attacks on secure messaging and battlefield management systems. North Korean groups have infiltrated South Korean defense and semiconductor industries, as well as US and European aerospace and energy sectors. Iranian actors have targeted Middle Eastern and US aerospace and defense organizations through social engineering and supply chain attacks. Chinese APTs have compromised North American defense contractors, research institutions, and supply chain partners, often using edge device exploits and persistent access techniques. The exploitation of AI and LLMs for reconnaissance and targeting is increasingly prevalent, with actors leveraging these tools to automate and scale their operations.

Victimology and Targeting

The primary victims are organizations within the defense industrial base, including aerospace, automotive, semiconductor, energy, manufacturing, telecom, and research institutions. Geographically, the campaigns have targeted Ukraine, South Korea, the United States, Germany, France, Moldova, Georgia, and the broader Middle East and North America. Human targets include defense sector employees, researchers, and supply chain partners, with a particular focus on those involved in battlefield technology, secure communications, and critical infrastructure. The exploitation of hiring processes, job offers, and resume apps is a common vector for initial access, especially by North Korean and Iranian actors. Edge devices, battlefield management platforms, and secure messaging apps are frequent technical targets, with attackers leveraging both technical exploits and social engineering to achieve their objectives.

Mitigation and Countermeasures

Organizations in the defense sector should implement a multi-layered defense strategy to mitigate these threats. Continuous monitoring for the listed malware families and TTPs is essential, with a focus on endpoint detection and response (EDR) solutions capable of identifying obfuscated and novel payloads. Access to edge devices and supply chain partners should be tightly audited and restricted, with robust authentication and network segmentation. The authenticity of job offers, hiring communications, and resume apps should be rigorously validated, particularly for employees in sensitive roles. Monitoring for suspicious use of Google Forms, WhatsApp, Telegram, and other communication platforms is recommended, as these are frequently used for reconnaissance and malware delivery. Any anomalous device linking or account hijacking attempts in secure messaging platforms should be promptly investigated. Regular threat hunting, employee awareness training, and incident response exercises are critical to maintaining a resilient security posture.
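To make the monitoring recommendations above concrete, the following is an added example of a small triage routine (not code from the report, Google TAG, Mandiant or Rescana) that runs the page's own indicators over constructed log records: .rdp and .lnk attachments in hiring-themed mail, Google Forms links, .lnk files executed from user-writable directories, and device-linking events on a secure messaging platform. The event field names, sample values and rule names are assumptions made for this example, not any vendor's schema.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the report). The field names are
# assumptions made for this example, not any vendor's log schema.
SAMPLE_EVENTS = [
    {"source": "email", "id": "m1", "sender": "talent@aerospace-careers.example",
     "subject": "Senior avionics engineer: offer and onboarding",
     "attachments": ["offer_letter.pdf", "onboarding_access.rdp"],
     "urls": ["https://docs.google.com/forms/d/e/PLACEHOLDER/viewform"]},
    {"source": "email", "id": "m2", "sender": "hr@defense-corp.example",
     "subject": "Quarterly all-hands agenda",
     "attachments": ["agenda.pdf"],
     "urls": ["https://intranet.defense-corp.example/agenda"]},
    {"source": "edr", "id": "e1", "host": "ws-042", "user": "jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\resume_viewer.lnk",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"source": "edr", "id": "e2", "host": "ws-042", "user": "jdoe",
     "image": "C:\\Program Files\\Vendor\\update.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"source": "messaging", "id": "s1", "account": "ops-lead",
     "event": "device_linked", "device_name": "Desktop", "geo": "ZZ"},
    {"source": "messaging", "id": "s2", "account": "ops-lead",
     "event": "message_sent", "device_name": "Phone", "geo": "UA"},
]

# Attachment types the report names as delivery vectors (malicious RDP and LNK files).
RISKY_ATTACHMENT_EXT = (".rdp", ".lnk")
# Hiring-themed wording, the "Dream Job" lure pattern described in the report.
HIRING_LURE_RE = re.compile(r"\b(offer|job|career|resume|cv|interview|onboarding)\b", re.I)
# Google Forms links, used by the Russian clusters for reconnaissance and delivery.
GOOGLE_FORMS_RE = re.compile(r"^https?://(forms\.gle/|docs\.google\.com/forms/)", re.I)
# User-writable Windows paths from which a shortcut file should rarely be launched.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)


def check_email(ev):
    """Flag risky attachments and form links; escalate when paired with a hiring lure."""
    findings = []
    for name in ev.get("attachments", []):
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            findings.append(("email_risky_attachment", ev["id"], name))
    for url in ev.get("urls", []):
        if GOOGLE_FORMS_RE.match(url):
            findings.append(("email_google_forms_link", ev["id"], url))
    # A hiring-themed subject alone is normal; combined with a risky payload it
    # matches the Dream Job pattern, so add a separate higher-priority finding.
    if findings and HIRING_LURE_RE.search(ev.get("subject", "")):
        findings.append(("email_hiring_lure", ev["id"], ev["subject"]))
    return findings


def check_edr(ev):
    """Flag a .lnk executed from a user-writable directory."""
    image = ev.get("image", "")
    if image.lower().endswith(".lnk") and USER_WRITABLE_RE.search(image):
        return [("lnk_run_from_user_dir", ev["id"], image)]
    return []


def check_messaging(ev):
    """Every device-linking event on a secure messenger is queued for analyst review."""
    if ev.get("event") == "device_linked":
        detail = "%s -> %s (%s)" % (ev["account"], ev["device_name"], ev["geo"])
        return [("messaging_device_linked", ev["id"], detail)]
    return []


CHECKS = {"email": check_email, "edr": check_edr, "messaging": check_messaging}


def triage(events):
    """Run the source-specific check over each event; returns (rule, event_id, detail) tuples."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("source"))
        if check:
            findings.extend(check(ev))
    return findings


def summarize(findings):
    """Count findings per rule, useful for a daily hunting dashboard."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(dict(summarize(triage(SAMPLE_EVENTS))))
```

On the constructed input, the hiring-themed message with an .rdp attachment and a Google Forms link yields three findings, the shortcut launched from Downloads yields one, and the new linked device yields one; the benign mail, the vendor updater and the ordinary message produce nothing. In production the event dictionaries would come from the mail gateway, EDR and messaging audit exports, and the device-linking rule would typically be enriched with the account's usual geography before an alert is raised.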

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages real-time threat intelligence, automated risk scoring, and deep analytics to provide actionable insights and enhance your organization’s cyber resilience. For further details, threat hunting queries, or custom threat intelligence, we are happy to answer questions at ops@rescana.com.