An analysis released by Google this month shows that the U.S. defense industrial base—a network of public and private entities used to develop or maintain military weapons systems—has sustained cyberattacks from groups and criminal organizations from China, Russia, and North Korea in recent months.
The report, released on Feb. 10 by Google Threat Intelligence, found that the Chinese regime and associated groups continue “to represent by volume the most active threat to entities in the defense industrial base,” which it said can pose “significant risk to the defense and aerospace sector.”
Google’s report added that it “has observed more China-nexus cyberespionage missions directly targeting defense and aerospace industry than from any other state-sponsored actors over the last two years,” as such groups have “used a broad range of tactics in operations.”
“But the hallmark of many operations has been their exploitation of edge devices to gain initial access,” it said, referring to hardware components positioned at the edge of a network.
“We have also observed China-nexus threat groups leverage ORB networks for reconnaissance against defense industrial targets, which complicates detection and attribution.”
Late in 2025, Canadian and U.S. officials warned that Chinese state-backed hacking groups had targeted U.S. government entities and private companies, gaining long-term access to their systems.
In July 2025, Microsoft also warned that it had observed two China-based hacking groups, Linen Typhoon and Violet Typhoon, using vulnerabilities in SharePoint, Microsoft’s collaboration software.
As for Russia, Google said in its report that groups associated with Moscow have focused on defense companies that support technologies used in the Russia–Ukraine war, namely companies linked to drones.
“As next-generation capabilities are being operationalized in this environment, Russia-nexus threat actors and hacktivists are seeking to compromise defense contractors alongside military assets and systems, with a focus on organizations involved with unmanned aircraft systems (UAS),” the tech giant stated.
“This includes targeting defense companies directly, using themes mimicking their products and systems in intrusions against military organizations and personnel.”
State-sponsored hackers, meanwhile, have leveraged Google’s own artificial intelligence tool, Gemini, during cyberattacks, it found.
One Chinese-linked organization known as “UNC2970” has frequently targeted defense companies and impersonated corporate recruiters in hacking campaigns, Google said.
They’ve used Gemini to conduct open-source intelligence to “profile high-value targets to support campaign planning and reconnaissance,” including searches for relevant information on defense and cybersecurity companies, it said.
The threat posed by North Korea has grown since 2019 as officials in the regime have attempted to pose as IT workers to apply for jobs at defense-related organizations, Google said.
In July 2025, the Department of Justice announced it had disrupted an operation that included searches of 29 locations in more than a dozen states suspected of being connected to laptops used, in part, to obtain remote jobs at more than 100 U.S. companies.
In one instance, North Korea-linked actors stole sensitive data from a California defense company that was involved in artificial intelligence development, according to Google.
In a separate incident, a person in Maryland was sentenced to 15 months in prison for facilitating a North Korea-linked scheme and coordinating with an alleged regime information technology worker. The person, Minh Phuong Ngoc Vong, was hired by a Virginia-based company to perform software development for a defense contractor, it stated.
