The campaign may be the work of a pro-Ukrainian hacking group active since 2022, known as “Paper Werewolf” or GOFFEE.PHOTO: REUTERS

Russian defence firms targeted by hackers using AI, other tactics

· The Straits Times

Summary

  • A pro-Ukrainian hacking group, "Paper Werewolf" or GOFFEE, targeted Russian defence firms using AI-generated decoy documents to gather sensitive information.
  • The campaign highlights Ukraine's aggressive pursuit of military advantage and the misuse of accessible AI tools for sophisticated cyber espionage.
  • Intezer's analysis reveals the attackers' interest in Russia's military industry, potentially accessing details on production, supply chains, and R&D.

MOSCOW - Russian technology companies working on air defence, sensitive electronics and other defence applications were targeted in recent weeks by a cyber espionage group using AI-generated decoy documents, according to a cybersecurity analyst.

The discovery by cybersecurity firm Intezer shows how AI tools can be easily harnessed for high-stakes operations, ‍senior security ​researcher Nicole Fishbein said, and offers a rare look at hacking campaigns targeting Russian entities.

The campaign, not ‍previously reported, is likely the work of a group tracked as either “Paper Werewolf” or GOFFEE, Ms Fishbein said, a hacking group active since 2022 that is widely thought to be pro-Ukrainian and has ​focused nearly all ​of its efforts on Russian targets.

The hack also suggests just how aggressively Ukraine and its allies are pursuing a military advantage in the war, which has included drone attacks on defence supply chain entities in recent months.

And it has come to light as delicate negotiations play out over a potential end to Russia’s ‍war in Ukraine, with Moscow threatening to take more land by force if Kyiv and its European allies do not engage with US proposals for peace.

The hacking campaign ​targeted several Russian companies, according to suspected AI-generated decoy documents discovered by ⁠Ms Fishbein, who is the lead author of an analysis prepared by Intezer.

The Russian and Ukrainian embassies in Washington did not respond to requests for comment.

Hacking campaign made use of accessible AI tools

In one case, an apparently AI-generated document purports to be an invitation, written in Russian, to a concert for high-ranking officers.

In another case, a document purports to be sent from the Ministry of ​Industry and Trade of the Russian Federation, asking for price justification under government regulations around pricing, according to the analysis.

Ms Fishbein said the campaign stands out as a rare opportunity to examine attacks on ‌Russian entities.

“This isn’t necessarily because those attacks are rare, but because visibility ​into them is limited,” she said.

The group’s use of AI-generated decoy documents also demonstrates how “accessible AI tools can be repurposed for malicious goals,” Ms Fishbein said. “(It) shows how emerging technologies can lower the barrier for sophisticated attacks and why misuse, not the technology itself, remains the core problem.”

The targets, which are all major defence contractors, indicate the attackers’ broad interest in Russia’s military industry, said Mr Oleg Shakirov, a Russia cyber policy researcher, while potential access to the contractors could offer visibility into “the production of everything from scopes to air defence systems, but also into defence supply chains and R&D processes.

“(There’s) nothing unusual about pro-Ukrainian hackers trying to spy on Russian defence companies during the war,” Mr Shakirov added, while suggesting that ‍Paper Werewolf may have expanded its targeting beyond government agencies, energy, finance and telecoms to other sectors.

While Intezer attributed the operation to Paper Werewolf, based on ​the infrastructure supporting the effort, the particular software vulnerabilities exploited, and how the decoy documents were constructed, Ms Fishbein said it was an open question whether the hackers were working with a specific ​nation-state or other hacking group.

Others, however, have suggested a link between the group and other known pro-Ukrainian hacking efforts.

A ‌September 2025 report published by Russian cybersecurity firm Kaspersky said Paper Werewolf has potential overlaps with Cloud Atlas, a pro-Ukrainian hacking group dating back more than a decade.

The group is known for targeting pro-Russian entities in Eastern Europe and Central ‌Asia, according to cybersecurity firm Check Point. REUTERS

More on this topic

No drop in military aid to Kyiv since US policy shift, NATO official saysUS President Donald Trump has stopped direct donations to Ukraine. Read more at straitstimes.com. Read more at straitstimes.com.19 Dec 2025Ukraine hits Russian 'shadow fleet' tanker in MediterraneanLONDON, Dec 19 - Ukraine struck a Russian \"shadow fleet\" oil tanker in the Mediterranean Sea with aerial drones for the first time, an official said on Friday, reflecting the growing intensity of Kyiv's attacks on Russian oil shipping. Read more at straitstimes.com. Read more at straitstimes.com.19 Dec 2025