Russian defense firms targeted by hackers using AI, other tactics
· Yahoo News(Corrects spelling in story identifier to RUSSIA-CYBER/UKRAINE)
By AJ Vicens
Dec 19 (Reuters) - Russian technology companies working on air defense, sensitive electronics and other defense applications were targeted in recent weeks by a cyber espionage group using AI-generated decoy documents, according to a cybersecurity analyst.
The discovery by cybersecurity firm Intezer shows how AI tools can be easily harnessed for high-stakes operations, senior security researcher Nicole Fishbein said, and offers a rare look at hacking campaigns targeting Russian entities.
Advertisement
Advertisement
Advertisement
Advertisement
The campaign, not previously reported, is likely the work of a group tracked as either "Paper Werewolf" or GOFFEE, Fishbein said, a hacking group active since 2022 that is widely thought to be pro-Ukrainian and has focused nearly all of its efforts on Russian targets.
The hack also suggests just how aggressively Ukraine and its allies are pursuing a military advantage in the war, which has included drone attacks on defense supply chain entities in recent months. And it has come to light as delicate negotiations play out over a potential end to Russia's war in Ukraine, with Moscow threatening to take more land by force if Kyiv and its European allies do not engage with U.S. proposals for peace.
The hacking campaign targeted several Russian companies, according to suspected AI-generated decoy documents discovered by Fishbein, who is the lead author of an analysis prepared by Intezer.
The Russian and Ukrainian embassies in Washington did not respond to requests for comment.
Advertisement
Advertisement
Advertisement
Advertisement
HACKING CAMPAIGN MADE USE OF ACCESSIBLE AI TOOLS
In one case, an apparently AI-generated document purports to be an invitation, written in Russian, to a concert for high-ranking officers. In another case, a document purports to be sent from the Ministry of Industry and Trade of the Russian Federation, asking for price justification under government regulations around pricing, according to the analysis.
Fishbein said the campaign stands out as a rare opportunity to examine attacks on Russian entities. "This isn't necessarily because those attacks are rare, but because visibility into them is limited," she said.
The group's use of AI-generated decoy documents also demonstrates how "accessible AI tools can be repurposed for malicious goals," Fishbein said. "(It) shows how emerging technologies can lower the barrier for sophisticated attacks and why misuse, not the technology itself, remains the core problem."
Advertisement
Advertisement
Advertisement
Advertisement
The targets, which are all major defense contractors, indicate the attackers' broad interest in Russia's military industry, said Oleg Shakirov, a Russia cyber policy researcher, while potential access to the contractors could offer visibility into "the production of everything from scopes to air defense systems, but also into defense supply chains and R&D processes.
"(There's) nothing unusual about pro-Ukrainian hackers trying to spy on Russian defense companies during the war," Shakirov added, while suggesting that Paper Werewolf may have expanded its targeting beyond government agencies, energy, finance and telecoms to other sectors.
While Intezer attributed the operation to Paper Werewolf, based on the infrastructure supporting the effort, the particular software vulnerabilities exploited, and how the decoy documents were constructed, Fishbein said it was an open question whether the hackers were working with a specific nation-state or other hacking group.
Others, however, have suggested a link between the group and other known pro-Ukrainian hacking efforts. A September 2025 report published by Russian cybersecurity firm Kaspersky said Paper Werewolf has potential overlaps with Cloud Atlas, a pro-Ukrainian hacking group dating back more than a decade. The group is known for targeting pro-Russian entities in Eastern Europe and Central Asia, according to cybersecurity firm Check Point.
(Reporting by AJ Vicens in Detroit; Editing by Edmund Klamann)