Russian defense firms targeted by hackers using AI, other tactics
(Corrects spelling in story descriptor to RUSSIA-CYBER/UKRAINE)
By AJ Vicens
Dec 19 (Reuters) – Russian technology companies working on air defense, sensitive electronics and other defense applications have been targeted in recent weeks by a cyberespionage group using fake documents created by artificial intelligence, according to a cybersecurity analyst.
Discovery by cybersecurity firm Intezer shows how this happens AI tools It could easily be used for high-risk operations, senior security researcher Nicole Fishbein said, offering a rare glimpse into hacking campaigns targeting Russian assets.
The previously unreported campaign is likely the work of a group that goes by the name “Paper Werewolf,” or GOFFEE, Fishbein said. Fishbein is a hacking group that has been active since 2022, is considered pro-Ukrainian, and focuses almost all of its efforts on Russian targets.
The hack also reveals how aggressively Ukraine and its allies are seeking military advantage in the war; this includes drone attacks on defense supply chain organizations in recent months. And it has come to light at a time when delicate negotiations over a potential end to Russia’s war in Ukraine are ongoing and Moscow is threatening to take more territory by force if Kiev and its European allies do not accept US peace proposals.
The hacking campaign targeted several Russian companies, according to fake documents suspected to have been created by AI, discovered by Fishbein, lead author of an analysis by Intezer.
The Russian and Ukrainian embassies in Washington did not respond to requests for comment.
HACKING CAMPAIGN USING ACCESSIBLE AI TOOLS
In one case, a document apparently generated by artificial intelligence was allegedly an invitation written in Russian to a concert for high-ranking military officers. In another case, according to the analysis, a document was allegedly sent from the Ministry of Industry and Trade of the Russian Federation requesting price justification under government regulations on pricing.
Fishbein said the campaign stood out as a rare opportunity to examine attacks on Russian organizations. “This is not because these attacks are rare, but because visibility is limited,” he said.
The group’s use of fake AI-generated documents also shows “how accessible AI tools can be reused for malicious targets,” Fishbein said. “(This) shows how emerging technologies can lower barriers to sophisticated attacks and why misuse, not the technology itself, remains the key problem.”
Russian cyber policy researcher Oleg Shakirov said the targets, all major defense contractors, show the attackers’ broad interest in Russia’s military industry, while potential access to contractors could provide visibility into “defense supply chains and R&D processes, as well as the production of everything from scopes to air defense systems.”
“There is nothing unusual about pro-Ukrainian hackers trying to spy on Russian defense companies during the war,” Shakirov added, suggesting Paper Werewolf may have expanded its targeting to other sectors beyond government institutions, energy, finance and telecommunications.
While Intezer attributed the operation to the Paper Werewolf based on the infrastructure supporting the effort, the specific software vulnerabilities exploited, and how the forged documents were created, Fishbein said it is an open question whether the hackers were working with a specific nation-state or another hacking group.
But others have suggested a connection between the group and other known pro-Ukrainian hacking efforts. A report published by Russian cybersecurity firm Kaspersky in September 2025 noted that Paper Werewolf had potential overlaps with Cloud Atlas, a pro-Ukrainian hacking group with a history dating back more than a decade. The group is known to target pro-Russian entities in Eastern Europe and Central Asia, according to cybersecurity firm Check Point.
(Reporting by AJ Vicens in Detroit; Editing by Edmund Klamann)
