AI-Driven Cyber Espionage Targets Russian Defense Firms

Russian technology companies that develop air defense systems, sensitive electronics, and other military technologies recently faced a cyber espionage campaign that used AI-generated decoy documents, cybersecurity researchers say.

Cybersecurity firm Intezer uncovered the activity and showed how attackers can adapt artificial intelligence tools for complex and high-risk cyber operations. Senior security researcher Nicole Fishbein said the findings offer rare visibility into hacking campaigns that directly target Russian organizations.

ALSO READ : Taiwan suspends RedNote for one year

Pro-Ukrainian Group Linked to the Campaign

Researchers believe the previously undisclosed campaign connects to a hacking group known as “Paper Werewolf,” also called GOFFEE. The group has operated since 2022 and is widely regarded as pro-Ukrainian. It has focused almost entirely on Russian targets.

The operation reflects broader efforts by Ukraine and its allies to gain a military advantage in the ongoing war. These efforts have included attacks on defense supply chains. The disclosure comes at a sensitive time, as peace discussions continue and Russia warns it could seize more territory if talks collapse.

Hackers Used AI-Generated Decoy Documents

Intezer’s analysis shows that the attackers targeted several Russian companies with documents likely generated by artificial intelligence. One decoy appeared as an invitation to a concert for senior military officers and was written in Russian. Another document impersonated Russia’s Ministry of Industry and Trade and requested pricing justifications under government rules.

Fishbein said attacks on Russian entities likely occur more often than reports suggest. Limited visibility makes these operations hard to detect and analyze.

AI Tools Make Cyberattacks Easier

The campaign shows how attackers can repurpose widely available AI tools for malicious purposes. Fishbein stressed that misuse, not the technology itself, creates the main risk. These tools lower the technical barrier and allow attackers to launch sophisticated operations with less effort.

Interest in Russia’s Military Industry and Supply Chains

Cyber policy researcher Oleg Shakirov said the attackers deliberately chose major defense contractors. Their access could reveal details about military production, including air defense systems. It could also expose research, development, and supply chain operations.

Shakirov noted that pro-Ukrainian hackers spying on Russian defense firms is not unusual during wartime. However, he said Paper Werewolf appears to have expanded its focus beyond government, energy, finance, and telecommunications sectors.

Unclear Ties to Nation-States

Intezer linked the campaign to Paper Werewolf based on technical evidence, including infrastructure, exploited vulnerabilities, and document design. However, Fishbein said researchers still do not know whether the group works alone or coordinates with a nation-state or other hackers.

Some analysts see possible links to earlier pro-Ukrainian cyber groups. A September 2025 report by Russian cybersecurity firm Kaspersky suggested overlaps between Paper Werewolf and Cloud Atlas. Cloud Atlas has targeted pro-Russian entities across Eastern Europe and Central Asia for more than a decade.