Threats to the Defense Industrial Base | Google Cloud Blog


The defense industrial base faces sustained, multi-vector cyber threats from state-sponsored groups and hacktivists targeting personnel, supply chains, edge devices, and battlefield technologies such as UAS and secure messaging apps. Notable tactics include phishing and job-themed lures, exploitation of edge device zero-days, mobile malware, supply-chain compromises, and hack-and-leak or DDoS operations by pro-Russia and pro-Iran hacktivists. #UNC5221 #CANFAIL

Keypoints

  • State-sponsored actors (Russia-, China-, Iran-, and DPRK-nexus) and ideologically motivated hacktivists have actively targeted the defense industrial base (DIB), with China-nexus groups representing the highest volume of intrusions over the last two years.
  • Adversaries increasingly target individuals and HR/hiring processes (spoofed job portals, fake recruiters, resume-builder apps) to bypass perimeter defenses and gain initial access or credentials.
  • Exploitation of edge devices and appliances via zero-day vulnerabilities is a common China-nexus tactic to bypass EDR visibility and obtain long-term access to defense and supply-chain environments.
  • Russian-aligned actors and hacktivists have focused operations against battlefield technologies in Ukraine, including UAS and secure messaging apps, using tailored lures, malware, and device-linking techniques to steal communications and data.
  • Supply chain and manufacturing firms that produce dual-use components are frequently impacted by extortion, hack-and-leak, and disruption operations, which can degrade wartime surge capacity even when intrusions are limited to IT networks.
  • Attackers use a broad toolset—PowerShell droppers, malicious LNK and RDP files, Android malware variants, trojanized software updates, and credential harvesting pages—to achieve persistence and exfiltration while seeking to evade detection.

MITRE Techniques

  • [T1566] Phishing – Use of spearphishing, WhatsApp phishing pages, fake Signal group invites, and job-themed lures to harvest credentials and deliver malware (‘sent its targets altered “group invite” pages that redirected to malicious URLs crafted to link an actor-controlled device to the victim’s Signal accounts’).
  • [T1190] Exploit Public-Facing Application – Exploitation of zero-day vulnerabilities in edge devices and appliances (VPNs, routers, security appliances) to gain initial access and evade EDR (‘exploited more than two dozen zero-day (0-day) vulnerabilities in edge devices…’).
  • [T1059.001] PowerShell – Execution of obfuscated JavaScript that runs PowerShell to download additional stages, including memory-only droppers (‘obfuscated JavaScript which executes a PowerShell script to download and execute an additional stage, most commonly a memory-only PowerShell dropper’).
  • [T1021.001] Remote Desktop Protocol – Delivery and use of malicious RDP connection files configured to call back to actor-controlled infrastructure (‘phishing campaign delivering malicious RDP connection files… configured to communicate with actor-controlled domains’).
  • [T1204] User Execution – Social engineering lures, malicious documents, and ClickFix-style instructions to get targets to run commands or open files (e.g., lure documents and instructions to copy/run PowerShell commands) (‘lured the target into copying and running malicious PowerShell commands via instructions referencing a Ukrainian defense manufacturer’).
  • [T1041] Exfiltration Over C2 Channel – Decrypting and exfiltrating messaging app data and other sensitive files back to actor infrastructure using malware and scripts (e.g., WAVESIGN decrypting Signal Desktop data) (‘WAVESIGN, a Windows Batch script responsible for decrypting and exfiltrating data from Signal Desktop’).
  • [T1078] Valid Accounts – Use of compromised or actor-linked accounts and device-linking features to gain ongoing access to victim accounts and view communications in real time (‘link an actor-controlled device to the victim’s Signal accounts allowing the threat actor to see victims’ message in real time’).
  • [T1498] Network Denial of Service – DDoS campaigns conducted by hacktivist groups against government and private defense-related organizations (‘DDoS Attacks: Multiple pro-Russia hacktivist groups have claimed distributed denial-of-service (DDoS) attacks targeting government and private organizations involved in defense’).
  • [T1195] Supply Chain Compromise – Trojanizing legitimate software and abusing third-party suppliers to pivot into defense targets (e.g., trojanized REDCap and compromised third-party accounts used to access customers) (‘trojanized version of a legitimate REDCap system file’ and ‘leverages compromised third-party accounts to exploit legitimate access pathways’).
  • [T1562] Impair Defenses – Evasion of detection and operations designed to avoid endpoint detection and response (EDR) tools and focus on single endpoints or individual targets to minimize detection (‘seek to avoid endpoint detection and response (EDR) tools altogether’).

Indicators of Compromise

  • [Malware / File names] malware families and malicious components referenced in campaigns – CANFAIL, WAVESIGN, INFAMOUSCHISEL, and many others (e.g., VERMONSTER, MESSYFORK/COOKBOX, GREYBATTLE, GALLGRAB, STALECOOKIE, TINYWHALE, BRICKSTORM, INFINITERED).
  • [Domains] actor infrastructure and spoofed domains used for credential harvesting and lures – domains masquerading as Telegram, domains spoofing defense contractors and an Indian aerospace company, and hundreds of additional domains spoofing aerospace/defense firms.
  • [File names / Extensions] malicious delivery artifacts and loaders – examples include malicious .rdp connection files used in phishing, archive files with a ‘.pdf.js’ double extension, and malicious .lnk shortcut files leading to secondary payloads.
  • [Android apps / Mobile payloads] mobile malware and trojanized applications used to steal data from devices – examples include GALLGRAB (modified Android Gallery Stealer) and GREYBATTLE (Android variant designed to extract credentials and data).
  • [Document lures / Forms] social-engineering artifacts used for reconnaissance and credential collection – Google Forms questionnaires impersonating a drone training academy and lure documents mimicking installation or operational guides for UAV/battlefield systems.
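A defender-side triage routine for the delivery artifacts listed above (malicious .rdp connection files calling back to non-allowlisted hosts, ‘.pdf.js’ double extensions, and .lnk shortcuts delivered as attachments). This is an added example, not code from the report or from Google; the allowlist, attachment names and .rdp contents are constructed placeholders, and the .rdp parsing relies only on the standard `key:type:value` line format of RDP connection files.

```python
import re

# Assumption: hosts that users of this organisation legitimately connect to over RDP.
RDP_HOST_ALLOWLIST = {"rdp.corp.example"}
# Extensions that execute when double-clicked; a "document" name ending in one is suspect.
EXEC_EXTS = {"js", "jse", "vbs", "hta", "exe", "scr", "ps1", "cmd", "bat", "lnk"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def parse_rdp(text):
    """Parse the key:type:value lines of a .rdp file into a dict (values kept as str)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([sib]):(.*)$", line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings


def triage_attachment(name, content=None):
    """Return a list of findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    exts = name.lower().rsplit(".", 2)[1:]  # up to the last two extensions
    if exts and exts[-1] in EXEC_EXTS:
        if len(exts) == 2 and exts[0] in DOC_EXTS:
            findings.append(f"double extension masquerading as .{exts[0]}: {name}")
        elif exts[-1] == "lnk":
            findings.append(f"shortcut file delivered as attachment: {name}")
    if exts and exts[-1] == "rdp" and content is not None:
        host = parse_rdp(content).get("full address", "").split(":")[0]
        if not host:
            findings.append(f"rdp file without a full address: {name}")
        elif host not in RDP_HOST_ALLOWLIST:
            findings.append(f"rdp file calls back to non-allowlisted host {host}: {name}")
    return findings


# Constructed samples; none of these names or hosts are indicators from the report.
SAMPLES = [
    ("invoice.pdf.js", None),
    ("briefing.lnk", None),
    ("quarterly-report.pdf", None),
    ("remote-session.rdp", "full address:s:rdp.corp.example:3389\nredirectdrives:i:0\n"),
    ("new-portal.rdp", "screen mode id:i:2\nfull address:s:example.invalid:3389\n"),
]

if __name__ == "__main__":
    for fname, body in SAMPLES:
        for finding in triage_attachment(fname, body):
            print("ALERT:", finding)
```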
Read more: https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base/