Nation-State Siege: Google Exposes Coordinated China, Iran, Russia, and North Korea Attacks on Defense Industrial Base

Google Threat Intelligence Group reveals multi-nation APT coordination targeting autonomous vehicles, drones, and defense contractors—with techniques ranging from battlefield device theft to supply chain infiltration.


Executive Summary

The defense industrial base is under a coordinated, multi-vector siege from the world's most sophisticated state-sponsored threat actors. In a sweeping new report published February 13, 2026, Google's Threat Intelligence Group (GTIG) has revealed the extent of collaboration and parallel targeting between adversarial nations—including China, Iran, Russia, and North Korea—against organizations developing technologies critical to modern warfare.

The findings paint a sobering picture: nation-state actors from four different countries have independently converged on similar targets, techniques, and objectives, creating what amounts to a continuous, synchronized assault on the defense sector. From drone developers to semiconductor manufacturers, from encrypted messaging apps used by Ukrainian soldiers to aerospace contractors in the United States, no corner of the defense industrial base appears immune.

Key findings from the GTIG report:

  • 15+ distinct threat actors identified targeting the defense sector
  • Four primary attack vectors: battlefield device compromise, personnel targeting, edge device exploitation, and supply chain attacks
  • Special focus on autonomous systems: drones and unmanned vehicles are priority targets
  • EDR evasion is paramount: attackers focus on single endpoints to avoid detection
  • Operational relay box networks complicate attribution of China-nexus attacks

For CISOs and security leaders in the defense sector, this report represents a call to arms—literally.


The New Axis of Cyber Operations

What makes this GTIG report particularly alarming isn't just the number of threat actors involved—it's the convergence of their targeting priorities. Despite operating from different nations with different political systems and strategic objectives, Chinese, Russian, Iranian, and North Korean threat groups have all zeroed in on remarkably similar targets.

The Four Pillars of Attack

According to GTIG, adversarial targeting of the defense sector centers on four key themes:

  1. Battlefield Technology Targeting: Striking entities deploying technologies in the Russia-Ukraine war
  2. Personnel Exploitation: Directly approaching employees and exploiting hiring processes
  3. Edge Device Compromise: Using network appliances as initial access pathways
  4. Supply Chain Infiltration: Breaching the manufacturing sector to compromise downstream targets

"Many of the chief state-sponsors of cyber espionage and hacktivist actors have shown an interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare," GTIG stated. "Further, the 'evasion of detection' trend continues, as actors focus on single endpoints and individuals, or carry out intrusions in a manner that seeks to avoid endpoint detection and response (EDR) tools altogether."

Why Drones and Autonomous Vehicles?

The emphasis on autonomous systems reflects the changing nature of modern warfare. Drones have become decisive weapons in the Ukraine conflict, transforming everything from reconnaissance to logistics to direct combat operations. Nations that can steal, compromise, or disrupt these technologies gain significant military advantages.

But it's not just about stealing drone designs. Threat actors are targeting:

  • Drone development and production facilities
  • Anti-drone defense systems
  • Video surveillance security systems
  • Battlefield management platforms
  • Combat control systems
  • Unmanned aerial vehicle (UAV) operators directly

Russia-Nexus Threat Activity: Targeting the Frontlines

Russian threat actors have focused heavily on Ukraine-related targets, with a particular emphasis on compromising encrypted communications and battlefield systems used by Ukrainian military personnel.

APT44 (Sandworm): Physical to Digital Operations

Perhaps most alarmingly, GTIG reports that APT44—the notorious Sandworm group linked to Russia's GRU military intelligence—has attempted to exfiltrate information from Telegram and Signal encrypted messaging applications. The method? Physical access to devices obtained during on-ground operations in Ukraine.

This represents a chilling evolution in cyber operations: battlefield intelligence units capturing devices from fallen or captured soldiers, then deploying specialized tools to decrypt and exfiltrate their contents. APT44 uses a Windows batch script called WAVESIGN to decrypt and exfiltrate data from Signal's desktop application.

TEMP.Vermin (UAC-0020): Drone-Focused Campaigns

This Russian threat cluster has deployed malware families including VERMONSTER, SPECTRUM (also known as SPECTR), and FIRMACHAGENT, using lure content specifically designed to appeal to targets in the drone ecosystem:

  • Drone production and development
  • Anti-drone defense systems
  • Video surveillance security systems

UNC5125 (FlyingYeti/UAC-0149): Reconnaissance Through Surveys

In a particularly sophisticated operation, UNC5125 has used Google Forms questionnaires to conduct reconnaissance against prospective drone operators before targeting them. The group distributed malware called MESSYFORK (also known as COOKBOX) to UAV operators in Ukraine via messaging apps.

Even more concerning, UNC5125 has deployed an Android malware called GREYBATTLE—a customized version of the Hydra banking trojan—to steal credentials by distributing it through a website spoofing a Ukrainian military AI company.

Signal Exploitation: UNC5792 and UNC4221

Two Russian threat clusters have specifically targeted Signal's device linking feature to hijack victim accounts:

UNC5792 (UAC-0195) has exploited secure messaging apps to target:

  • Ukrainian military and government entities
  • Individuals and organizations in Moldova, Georgia, France, and the United States

UNC4221 (UAC-0185) has employed similar tactics, also deploying:

  • STALECOOKIE: Android malware mimicking Ukraine's DELTA battlefield management platform to steal browser cookies
  • ClickFix: A social engineering technique to deliver the TINYWHALE downloader, which drops MeshAgent remote management software

Additional Russian Operations

UNC5976: Conducted phishing campaigns delivering malicious RDP connection files configured to communicate with domains mimicking Ukrainian telecommunications companies.
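The UNC5976 paragraph above describes malicious .rdp connection files that point at lookalike domains. The following is an added example, not code from the GTIG report or from Google: a small Python triage script that parses a .rdp file, checks its `full address` against a hypothetical allowlist, flags hosts that embed a protected organisation name without being that domain, and reports the redirection settings that would hand local drives, clipboard or a RemoteApp session to the remote host. The setting names are the standard Microsoft .rdp ones; the allowlist, the protected names and the sample files are constructed.

```python
import re

# Standard .rdp settings that expose local resources to the remote host.
# Each predicate returns True when the value as written enables the feature.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v not in ("", "0"),  # maps local drives
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",       # RemoteApp hides the desktop
}

# Hypothetical allowlist of the organisation's legitimate RDP endpoints.
APPROVED_HOSTS = {"rdp.corp.example"}

# Constructed names of organisations an attacker might imitate in a hostname.
PROTECTED_NAMES = ("example-telecom.ua",)


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def host_of(settings):
    """Hostname from 'full address', with any :port suffix removed."""
    return settings.get("full address", "").split(":")[0].strip().lower()


def mimicked_name(host, protected_names=PROTECTED_NAMES):
    """Return the protected name a host embeds without actually being that domain."""
    for name in protected_names:
        base = name.lower()
        if base in host and host != base and not host.endswith("." + base):
            return name
    return None


def triage(text, approved_hosts=APPROVED_HOSTS, protected_names=PROTECTED_NAMES):
    """Return a list of findings; an empty list means nothing was flagged."""
    settings = parse_rdp(text)
    findings = []
    host = host_of(settings)
    if not host:
        findings.append("no full address")
    elif host not in approved_hosts:
        findings.append(f"unapproved host {host}")
    name = mimicked_name(host, protected_names)
    if name:
        findings.append(f"host mimics {name}")
    for key, enabled in RISKY_SETTINGS.items():
        if key in settings and enabled(settings[key]):
            findings.append(f"{key} enabled ({settings[key]})")
    return findings


# Constructed sample files for demonstration.
BENIGN_RDP = """screen mode id:i:2
full address:s:rdp.corp.example
drivestoredirect:s:
redirectclipboard:i:0
"""

SUSPICIOUS_RDP = """screen mode id:i:2
full address:s:example-telecom.ua.support-portal.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
username:s:support
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RDP), ("suspicious", SUSPICIOUS_RDP)):
        print(label, triage(sample) or ["clean"])
```

Run over mail-gateway attachments or endpoint file-creation events, the same checks give a cheap first pass; the allowlist is the control that matters most, since a connection file pointing anywhere outside the organisation's own gateways has no business arriving by e-mail.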

UNC6096: Operated malware delivery campaigns via WhatsApp using DELTA-related themes, delivering malicious LNK shortcuts. Their Android malware, GALLGRAB, collects locally stored files, contact information, and potentially encrypted user data from specialized battlefield applications.

UNC5114: Delivered a variant of the Android malware CraxsRAT by disguising it as an update for Kropyva, a combat control system used by Ukrainian forces.


North Korea-Nexus Threats: Following the Money and Technology

North Korean threat actors have maintained their focus on generating revenue while also collecting intelligence from defense and technology sectors.

APT45 (Andariel): Targeting South Korean Industry

APT45 has targeted South Korean defense, semiconductor, and automotive manufacturing entities with SmallTiger malware—a backdoor that enables persistent access and data exfiltration.

APT43 (Kimsuky): German and U.S. Defense Mimicry

APT43 has likely leveraged infrastructure mimicking German and U.S. defense-related entities to deploy a backdoor called THINWAVE, demonstrating that the group's target set is expanding beyond its traditional focus on the Korean peninsula.

UNC2970 (Lazarus Group): AI-Enhanced Dream Job Operations

The Lazarus Group continues its infamous Operation Dream Job campaign, targeting:

  • Aerospace sector
  • Defense sector
  • Energy sector

Notably, GTIG reports that Lazarus Group is now relying on artificial intelligence tools to conduct reconnaissance on targets—a significant evolution in their operational capabilities.


Iran-Nexus Operations: Dream Jobs and Data Theft

Iranian threat actors have adapted North Korean-style recruitment scams while developing their own sophisticated targeting approaches.

UNC1549 (Nimbus Manticore): Middle East Focus

This Iranian group has targeted aerospace, aviation, and defense industries in the Middle East with an arsenal of malware families:

  • MINIBIKE
  • TWOSTROKE
  • DEEPROOT
  • CRASHPAD

UNC1549 is known for orchestrating Lazarus Group-style Dream Job campaigns, tricking users into executing malware or surrendering credentials under the guise of legitimate employment opportunities.

UNC6446: Resume Builders as Weapons

In a novel approach, this Iranian threat actor has used resume builder and personality test applications to distribute custom malware to targets in the aerospace and defense vertical across the United States and the Middle East.


China-Nexus Threats: The Persistent Challenge

Chinese threat actors represent perhaps the most persistent and sophisticated challenge facing the defense industrial base, with multiple groups employing advanced techniques to evade attribution.

APT5 (Keyhole Panda/Mulberry Typhoon): Targeted Phishing

APT5 has targeted current and former employees of major aerospace and defense contractors with tailored phishing lures, demonstrating detailed reconnaissance of their targets.

UNC3236 (Volt Typhoon): Stealthy Reconnaissance

The Volt Typhoon group has conducted reconnaissance activity against publicly hosted login portals of North American military and defense contractors while using the ARCMAZE obfuscation framework to conceal its origin.

UNC6508: Supply Chain Compromise

In late 2023, this China-nexus cluster targeted a U.S.-based research institution by leveraging a REDCap exploit to deploy custom malware named INFINITERED. This malware is capable of persistent remote access and credential theft after intercepting the application's software upgrade process—a classic supply chain attack.
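The INFINITERED intrusion above turns on an intercepted software-upgrade process. The following is an added example, not from the GTIG report, from REDCap or from Google: a Python sketch of the client-side check that defeats that kind of interception, where the installer accepts only a manifest authenticated under a key pinned at install time, refuses downgrades, and only then compares the package hash against what the manifest vouches for. HMAC-SHA256 with a shared key stands in for a vendor's public-key signature so the example stays in the standard library; the key, version numbers and package bytes are constructed.

```python
import hashlib
import hmac
import json

# Pinned when the software was first installed, never fetched from the
# update channel (constructed value for the example).
PINNED_KEY = b"constructed-vendor-release-key"


def sign_manifest(manifest_bytes, key=PINNED_KEY):
    """Authenticate the manifest; a real vendor would use an asymmetric signature."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def build_release(version, package_bytes, key=PINNED_KEY):
    """What the vendor's release pipeline would publish (constructed)."""
    manifest = json.dumps({
        "version": list(version),
        "sha256": hashlib.sha256(package_bytes).hexdigest(),
    }).encode()
    return manifest, sign_manifest(manifest, key)


def verify_update(manifest_bytes, manifest_sig, package_bytes, min_version,
                  key=PINNED_KEY):
    """Return (ok, reason). Every check must pass before the package is trusted."""
    # 1. Authenticate the manifest first: an attacker who controls the
    #    upgrade channel can replace both files but cannot forge this.
    if not hmac.compare_digest(sign_manifest(manifest_bytes, key), manifest_sig):
        return False, "manifest signature mismatch"
    manifest = json.loads(manifest_bytes)
    # 2. Refuse downgrades: replaying an older, validly signed release is a
    #    common way to reintroduce a patched flaw.
    if tuple(manifest["version"]) < tuple(min_version):
        return False, "downgrade refused"
    # 3. Only now compare the package against the hash the manifest vouches for.
    digest = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "package hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    genuine = b"constructed genuine build 2.1.0"
    manifest, sig = build_release((2, 1, 0), genuine)
    print(verify_update(manifest, sig, genuine, (2, 0, 0)))
    print(verify_update(manifest, sig, b"swapped package", (2, 0, 0)))
```

The order of the checks is the point: hashing the package before authenticating the manifest lets an attacker on the channel supply a manifest that vouches for their own package, and skipping the version floor lets them serve a genuine but older build.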

Operational Relay Box Networks

Google notes that China-nexus threat groups are increasingly utilizing operational relay box (ORB) networks for reconnaissance against defense industrial targets. These networks, which route attack traffic through multiple compromised systems, significantly complicate detection and attribution efforts.


The Supply Chain Under Fire

Beyond direct targeting of defense contractors, the manufacturing supply chain supporting the defense sector faces constant pressure from both nation-state actors and financially motivated criminals.

The Downstream Effect

GTIG emphasizes that breaches of the manufacturing sector create cascading supply chain risks. When attackers compromise a supplier, they gain:

  • Access to product specifications and designs
  • Visibility into production schedules and logistics
  • Potential to insert malicious components
  • Leverage for further attacks on downstream customers

Financial Motivation Compounds the Problem

"Financially motivated actors carry out extortion against this sector and the broader manufacturing base, like many of the other verticals they target for monetary gain," Google noted. This means defense contractors face threats from both nation-state espionage and criminal ransomware operations—often simultaneously.


Implications for Defense Sector Security

The GTIG report has significant implications for organizations in the defense industrial base and their security teams.

The Multi-Vector Challenge

Traditional security approaches that focus on a single attack vector are inadequate against the multi-pronged assault described in this report. Organizations must simultaneously defend against:

  • Nation-state espionage
  • Supply chain compromise
  • Insider threats (unwitting employees targeted through recruitment scams)
  • Physical security threats (device theft)
  • Ransomware and extortion

EDR Evasion Is the New Normal

The report's emphasis on EDR evasion should concern every security team. Threat actors are specifically designing operations to avoid triggering endpoint detection tools, focusing on:

  • Single endpoint targets
  • Living-off-the-land techniques
  • Custom malware that evades signature-based detection
  • Compromising edge devices that may lack EDR coverage

Personnel Are Targets

The Dream Job and fake recruitment campaigns employed by North Korean, Iranian, and other actors highlight the human element of these attacks. Security awareness training must specifically address:

  • Recruitment scams
  • Unsolicited job offers
  • Resume builder and personality test applications
  • Social engineering via messaging apps

Encrypted Communications Aren't Safe

The targeting of Signal and Telegram—applications many consider secure—demonstrates that even encrypted communications can be compromised. Organizations should:

  • Implement additional controls beyond encryption
  • Assume messaging apps can be compromised
  • Develop alternative secure communication methods
  • Consider device theft as a realistic threat vector

Based on the GTIG findings, organizations in the defense sector should consider the following measures:

1. Supply Chain Security

  • Conduct thorough security assessments of all suppliers
  • Implement supply chain risk management (SCRM) programs
  • Monitor for compromises of supplier systems
  • Require security certifications from critical suppliers

2. Edge Device Hardening

  • Inventory all edge devices and network appliances
  • Implement rigorous patch management for edge systems
  • Monitor edge devices for anomalous behavior
  • Consider zero-trust network architectures

3. Personnel Security

  • Enhanced background checks for employees with access to sensitive systems
  • Security awareness training focused on recruitment scams
  • Monitoring for employees engaging with suspicious job offers
  • Exit interviews and access revocation procedures

4. Messaging Security

  • Evaluate and harden approved messaging platforms
  • Consider device management for mobile devices accessing sensitive communications
  • Implement additional authentication for sensitive communications
  • Train personnel on social engineering via messaging apps

5. Detection and Response

  • Deploy behavioral analytics beyond signature-based detection
  • Implement network traffic analysis for lateral movement detection
  • Consider managed detection and response (MDR) services
  • Develop incident response playbooks for nation-state attacks

The Bigger Picture: A State of Constant Siege

Google's assessment is stark: "The broader trend is clear: the defense industrial base is under a state of constant, multi-vector siege."

This isn't hyperbole. The convergence of threat actors from multiple nations, the sophistication of their techniques, and the persistence of their operations represents a fundamental challenge to the security of the defense sector.

For security leaders, the message is clear: traditional security approaches are insufficient. The defense industrial base requires a security posture that assumes it is under active attack at all times—because it is.


Conclusion

The GTIG report reveals a coordinated, multi-nation assault on the defense industrial base that shows no signs of abating. From Russian groups stealing data from battlefield devices to Chinese actors using ORB networks to mask their reconnaissance, from North Korean Dream Job campaigns to Iranian recruitment scams, the threats are diverse, sophisticated, and persistent.

Organizations in the defense sector must respond with equally sophisticated defenses. This means going beyond traditional perimeter security to implement comprehensive security programs that address supply chain risks, personnel threats, and the evolving techniques used by the world's most capable adversaries.

The defense industrial base is critical to national security. Protecting it requires a collective effort from government, industry, and the security community. Google's report is a valuable contribution to that effort—now it's up to the industry to act on its findings.


This article is based on research published by Google Threat Intelligence Group on February 13, 2026. For the full technical report, visit the Google Cloud Security Blog.
