02/19/2026 / By Laura Harris

A new analysis warns that the U.S. defense industrial base has faced sustained cyberattacks in recent months from state-linked groups and criminal organizations connected to China, Russia and North Korea.
The report, issued Feb. 10 by Google Threat Intelligence, examined activity targeting the vast network of public and private entities responsible for developing and maintaining U.S. military weapons systems. Researchers found that China-linked actors remain the most active threat by volume.
According to the findings, China-linked cyber espionage operations have directly targeted more defense and aerospace organizations over the past two years than any other state-sponsored actors. These groups have used a broad range of tactics, but researchers said a recurring pattern has been the exploitation of edge devices, hardware components positioned at the outer boundaries of networks, to gain initial access.
Google also reported observing China-affiliated groups leveraging ORB networks to conduct reconnaissance against defense industrial targets, a technique that can complicate detection and attribution efforts.
One Chinese-linked organization identified as UNC2970 has frequently targeted defense companies by impersonating corporate recruiters as part of its hacking campaigns. In some cases, the group used Google’s own artificial intelligence tool, Gemini, to conduct open-source intelligence gathering. The report revealed that the tool was used to profile high-value targets and search for relevant information on defense and cybersecurity firms to support campaign planning.
Russian-linked threat actors have also focused on the defense sector, particularly companies supporting technologies used in the ongoing war in Ukraine. Researchers found that Russia-associated groups and hacktivists have sought to compromise defense contractors involved in unmanned aircraft systems or drones, as next-generation capabilities are deployed on the battlefield.
Meanwhile, North Korea’s cyber operations have evolved since 2019, with regime-linked actors increasingly posing as IT professionals to obtain employment at defense-related organizations. By securing remote work positions, they have sought to access sensitive systems and data.
In one case cited by Google, North Korea-linked actors stole sensitive data from a California defense company involved in artificial intelligence development. In a separate incident, a Maryland-based individual, Minh Phuong Ngoc Vong, was sentenced to 15 months in prison for facilitating a North Korea-linked scheme. Prosecutors said Vong coordinated with an alleged regime IT worker and was hired by a Virginia-based company to perform software development for a defense contractor.
According to BrightU.AI's Enoch, U.S. federal agencies have faced significant hacking threats from China, Russia and North Korea, with China being particularly aggressive in compromising thousands of internet-connected devices in the United States.
These attacks are part of a broader strategy by the Chinese government to gather intelligence, steal intellectual property and exert influence over the U.S. and other nations.
“Given global efforts to increase defense investment and develop new technologies the security of the defense sector is more important to national security than ever. Actors supporting nation state objectives have interest in the production of new and emerging defense technologies, their capabilities, the end customers purchasing them and potential methods for countering these systems. Financially motivated actors carry out extortion against this sector and the broader manufacturing base like many of the other verticals they target for monetary gain,” Google Threat Intelligence concluded.
Hence, security experts say maintaining a competitive edge will require organizations to move beyond reactive cybersecurity strategies. By incorporating intelligence-driven insights into proactive threat hunting and building resilient network architectures, defense firms can better ensure that the technologies designed to protect national interests are not compromised before they are ever deployed.
