Security News

Cybersecurity news aggregator

Google flags sustained cyber pressure on defense industrial base from Russia, China-linked actors - Industrial Cyber

  • What: Google Threat Intelligence Group reports sustained cyber pressure on the defense industrial base from state-sponsored actors, criminal groups, and hacktivists.
  • Impact: Defense contractors, personnel, and supply chains are being targeted, extending beyond military systems.

February 11, 2026

New analysis from Google Threat Intelligence Group (GTIG) shows the defense industrial base is facing sustained and multifaceted cyber pressure from state-sponsored actors, criminal groups, and hacktivists, with targeting extending beyond military systems into defense contractors, personnel, and supply chains.

GTIG identified several recurring themes, including Russia-nexus activity focused on defense firms supporting battlefield technologies in the Russia-Ukraine War, particularly organizations linked to unmanned aircraft systems, alongside growing exploitation of recruitment processes and employee access across global defense and aerospace firms. Over the past two years, China-nexus groups have remained the most active by volume in espionage intrusions against the sector, increasingly leveraging edge devices and appliances for initial access. At the same time, ransomware and extortion activity affecting the broader manufacturing sector, which includes suppliers of dual-use defense components, has underscored ongoing supply chain risks that could disrupt defense production capacity even when incidents are confined to IT networks.

“Consistent effort has been dedicated to targeting defense entities fielding technologies on the battlefield in the Russia-Ukraine War,” GTIG detailed in a Tuesday blog post. “As next-generation capabilities are being operationalized in this environment, Russia-nexus threat actors and hacktivists are seeking to compromise defense contractors alongside military assets and systems, with a focus on organizations involved with unmanned aircraft systems (UAS). This includes targeting defense companies directly, using themes mimicking their products and systems in intrusions against military organizations and personnel.”

Across global defense and aerospace firms, direct targeting of employees and exploitation of the hiring process have emerged as key themes. “From the North Korean IT worker threat, to the spoofing of recruitment portals by Iranian espionage actors, to the direct targeting of defense contractors’ personal emails, GTIG continues to observe a multifaceted threat landscape that centers around personnel, and often in a manner that evades traditional enterprise security visibility.”

Among state-sponsored cyber espionage intrusions over the last two years analysed by GTIG, threat activity from China-nexus groups continues to represent by volume the most active threat to entities in the defense industrial base. While these intrusions continue to leverage an array of tactics, campaigns from actors such as UNC3886 and UNC5221 highlight how the targeting of edge devices and appliances as a means of initial access has increased as a tactic by China-nexus threat actors, and poses a significant risk to the defense and aerospace sector. In comparison to the Russia-nexus threats observed on the battlefield in Ukraine, these could support more preparatory access or R&D theft missions.

The GTIG disclosure comes as the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) disclosed Operation Cyber Guardian, a large-scale, multi-agency cybersecurity operation that was launched to protect Singapore’s telecommunications sector from the advanced persistent threat actor UNC3886. Investigations over recent months found that UNC3886 carried out a deliberate, targeted, and well-planned campaign against the sector, with all four major operators, M1, SIMBA Telecom, Singtel, and StarHub, among those targeted.
Lastly, contemporary national security strategy relies heavily on a secure supply chain. Since 2020, manufacturing has been the most represented sector across data leak sites (DLS) that GTIG tracks associated with ransomware and extortive activity. While dedicated defense and aerospace organizations represent a small fraction of similar activity, the broader manufacturing sector includes many companies that provide dual-use components for defense applications, and this statistic highlights the cyber risk the industrial base supply chain is exposed to. The ability to surge defense components in a wartime environment can be impacted, even when these intrusions are limited to IT networks.

Additionally, the global resurgence of hacktivism and actors carrying out hack and leak operations, DDoS attacks, or other forms of disruption has impacted the defense industrial base.

Russian espionage actors have long targeted Western defense entities, with cyber operations forming part of a broader campaign tied to Moscow’s opposition to Western involvement in Ukraine. Since Russia’s full-scale invasion in February 2022, these efforts have expanded through kine
