thehackernews.com 2/13/2026, 5:45:54 PM · via preferred

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Primary Source cloud.google.com

According to Google Threat Intelligence Group, the defense industrial base (DIB) has been the focus of sustained, multi‑vector activity by state‑sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea and Russia.

The observations describe four core themes: attacks on defense entities that use battlefield technologies in the Russia‑Ukraine War, manipulation of hiring processes and recruitment channels by North Korean and Iranian actors, exploitation of edge devices as initial access paths by China‑nexus groups, and supply‑chain risks from breaches in the manufacturing sector.

GTIG notes a broader trend of interest in autonomous vehicles and drones among many state sponsors, with ongoing attempts to evade detection and endpoint security tools. Notable threat actors named as having participated in related activity include APT44 (Sandworm), TEMP.Vermin, UNC5125, UNC5792, UNC4221, UNC5976, UNC6096, UNC5114, APT45 (Andariel), APT43 (Kimsuky), UNC2970 (Lazarus Group), UNC1549 (Nimbus Manticore), UNC6446, APT5 (Keyhole Panda), UNC3236 (Volt Typhoon), and UNC6508, among others.

In addition, Google observed China‑nexus groups using operational relay box networks for reconnaissance of defense targets, complicating detection and attribution.


Article by CyberSIXT