Alert Defense: Drones, suppliers and key personnel under a growing cyber threat


Companies and contractors in the defence industry are receiving increasing attention from state actors, hackers and criminal gangs, and this is not an isolated phenomenon: Google's threat intelligence team documents it in a recent report. The pressure comes from several fronts at once, with targets ranging from technologies deployed on the battlefield to industrial supply chains that appear far removed from any conflict.

One of the most concerning lines of attack is the targeting of autonomous platforms and unmanned aircraft. As drones and autonomous vehicles become essential in modern conflicts, they become valuable targets for espionage and sabotage. Google's GTIG notes that several groups have focused their interest on these systems, seeking information on design, control and deployment, and sometimes attempting to steal the credentials and operational data used by their operators. You can read the full Google analysis on its threat intelligence blog: Threats to the defense industrial base.


Beyond the focus on combat technology, there is another recurring strategy: attacking the people who build, maintain or operate these systems. Various groups have used fake recruitment processes and job offers to gain the trust of technicians and specialists, send them malicious software or gain access to their personal devices. These "dream job" or malicious recruitment campaigns not only seek credentials but also rely on highly tailored social engineering, with documents and portals that imitate real companies.

The entry paths chosen by the attackers are varied and in many cases creative. Groups linked to China have shown a preference for exploiting edge devices, such as gateways, appliances and industrial IoT equipment, to establish an initial foothold without directly touching corporate servers. The use of operational relay box (ORB) networks to mask the source of traffic and complicate detection is one example of how these tactics make attribution difficult: a technical analysis of ORB usage in telecommunications networks explores this pattern and its implications, and is available on the Team Cymru blog.

The exposure of the manufacturing supply chain is another major concern. When a provider of parts, software or services is compromised, the extent of the damage can be multiplied: infected components, manipulated updates or persistent access inserted into production processes. Google and other observers have documented incidents in which tampered update processes or compromised research management platforms were used to deploy backdoors capable of stealing credentials and maintaining long-term access.

The catalogue of actors and tools involved is extensive and shows different tactics depending on origin and objectives. Some groups have sought to extract data from secure messaging applications after obtaining physical access to devices in combat zones; others have used online forms as decoys to perform reconnaissance on targets and distribute malware designed for UAV control stations. Some campaigns have abused legitimate features of secure applications to hijack accounts, or have replaced control software updates with malicious installers. On another front, actors using mobile malware families to collect files, contacts and data from field-specific apps have been observed.

In certain cases, very specific malware and techniques have been identified: from binaries that exfiltrate data from desktop versions of encrypted messaging apps to Android trojans disguised as combat control tools. The use of legitimate remote management tools, deployed through droppers, has also been identified as a way to facilitate covert control of compromised environments. For those following threats like these, published reports and technical analyses help identify patterns and indicators of compromise: for example, research into campaigns that affected the aerospace and defence sectors can be compared with reports from security firms and specialized media.

This threat map is not static: groups evolve to evade defences. A common feature is the deliberate effort to bypass endpoint protection solutions, using intrusions aimed at specific devices or vectors not covered by the usual detection. That forces organizations to think about security beyond the classic perimeter and to look at controls at the less scrutinized points, from field employees' laptops to firmware updates from external suppliers.


For organizations in the sector, the response is to combine technical measures with changes in processes and culture. The necessary actions are to review and strengthen personnel recruitment and vetting protocols, to rigorously segment industrial networks, to monitor the integrity of software supply and update channels, and to deploy detection capabilities that include network telemetry and behaviour analysis. In addition, sharing threat intelligence with agencies and peers enables an early and coordinated response to targeted campaigns. In the public sphere, resources and guides on supply chain security are available on the CISA website.
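The supply chain passage above describes attackers replacing control software updates with malicious installers, and the recommendations call for monitoring the integrity of update channels. The following is an added example of what such a check looks like in practice; it is not code from the article or from GTIG. It assumes a vendor publishes a manifest of SHA-256 hashes for each release artifact and authenticates that manifest; the HMAC key here is a constructed stand-in (a real pipeline would use an asymmetric signature, such as Ed25519, with the signing key kept off the build host), and all installer bytes are constructed sample data. The check rejects a swapped installer, an unlisted file bundled into the update, and a manifest an attacker rewrote to match the tampered hash but could not re-sign.

```python
"""Update-integrity check: pin expected artifact hashes in an authenticated
manifest and refuse to install anything that does not match it."""
import hashlib
import hmac
import json

# Constructed key for this example only; a production pipeline would use an
# asymmetric signature (e.g. Ed25519) so the install host holds no secret.
MANIFEST_KEY = b"example-manifest-signing-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Canonical JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Build a manifest {artifact name -> sha256 hex} plus a MAC over it."""
    sig = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "sig": sig}


def verify_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> bool:
    """True only if the manifest's entries were authenticated with `key`."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("sig", ""))


def verify_update(manifest: dict, artifacts: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Return a verdict per artifact. If the manifest itself fails
    authentication, every artifact is rejected, since its hashes cannot be trusted."""
    if not verify_manifest(manifest, key):
        return {name: "reject: manifest signature invalid" for name in artifacts}
    verdicts = {}
    for name, data in artifacts.items():
        pinned = manifest["entries"].get(name)
        if pinned is None:
            verdicts[name] = "reject: not listed in manifest"  # unexpected extra file
        elif hmac.compare_digest(sha256_hex(data), pinned):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "reject: hash mismatch"  # swapped or modified artifact
    return verdicts


def demo() -> dict:
    """Run the four scenarios on constructed sample data and return the verdicts."""
    good = b"control-station-installer v2.3 (constructed bytes)"
    tampered = good + b"\x00backdoor-stub"  # constructed stand-in for a replaced installer
    extra = b"helper.dll (constructed, never published by the vendor)"
    manifest = sign_manifest({"installer.bin": sha256_hex(good)})

    clean = verify_update(manifest, {"installer.bin": good})
    swapped = verify_update(manifest, {"installer.bin": tampered})
    bundled = verify_update(manifest, {"installer.bin": good, "helper.dll": extra})
    # Attacker edits the manifest to match the tampered hash but lacks the key,
    # so the original signature no longer covers the new entries.
    forged = dict(manifest, entries={"installer.bin": sha256_hex(tampered)})
    forged_result = verify_update(forged, {"installer.bin": tampered})
    return {"clean": clean, "swapped": swapped, "bundled": bundled, "forged": forged_result}


if __name__ == "__main__":
    for scenario, verdicts in demo().items():
        print(scenario, verdicts)
```

Two design points matter for a control-station or firmware update path: the hash comparison uses `hmac.compare_digest` so timing does not leak how many bytes matched, and a manifest that fails authentication rejects every artifact rather than falling back to the pinned hashes, because an attacker who can replace the installer can usually replace an unsigned manifest beside it.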

If there is a clear lesson, it is that the defence industry cannot afford complacency: the combination of state motivation, sophisticated technical capabilities and high-value targets makes this sector a priority and persistent target. Effective protection requires visibility, cooperation and continuous adaptation, and both private organizations and government agencies must keep their guard up to anticipate and mitigate threats that can affect everything from front-line systems to components that appear to be merely part of the industrial periphery.

For a deeper look at the specific findings and technical examples this overview draws on, Google's GTIG analysis offers a detailed and accessible starting point: Threats to the defense industrial base (Google GTIG). Other specialized analyses, such as the technical links mentioned in the text, make it possible to compare tactics and procedures and serve as a reference for technicians and security managers who need to prioritize mitigations in their organizations.
