Phishing campaign seeks to siphon Ukraine war intelligence from defense contractors

Nearly 880 spoofed domains of worldwide IT, defense and aerospace firms were identified between December and March, DomainTools Investigations says.
A large-scale phishing campaign has been targeting defense, aerospace and IT companies that support Ukraine’s military in its war against Russia, likely seeking to harvest credentials and sensitive intelligence about the nation’s war effort, according to findings made public Tuesday.
The analysis from DomainTools Investigations — which tracks online website infrastructure to identify cyber threats — said the digital infrastructure of one U.S.-based technology firm and several defense and aerospace firms in the UK, France, South Korea, Turkey, Italy and Ukraine had been spoofed in the campaign.
Many of the sham websites were registered through Spaceship, a web domain hosting site, and first observed between late December and early March. The investigation identified a total of 878 spoofed domains with naming conventions that slightly modified the actual targeted contractors’ website addresses.
Phishing scams are a common but powerful cyber-espionage tactic that can leverage combinations of malware and social engineering to exploit vulnerabilities in computer systems or trick unwitting people into handing over personal information about themselves, including login credentials needed to access sensitive data.
A DomainTools spokesperson declined to provide the specific names of companies targeted for security and privacy reasons, although the report noted that a likely phishing page tied to Ukroboronprom, Ukraine’s major state-owned defense industry conglomerate, was identified in December. The spokesperson also declined to say if DomainTools alerted the targeted contractors, or whether it notified the Office of the Director of National Intelligence, FBI or National Security Agency of the activities.
“There is insufficient evidence to attribute this activity to a known actor; however, the activity likely has a cyber espionage motivation,” the report said, adding that the assessment is made with “moderate confidence based on the tactics, techniques and procedures (TTPs) and the heavy focus on the defense and aerospace sectors.”
Global defense and aerospace companies have been instrumental in backing Ukraine’s defense capabilities. Industry players like Shield AI, BAE Systems, Thales, MBDA and Helsing, among others, have contributed critical technologies and weaponry. Access to sensitive intelligence from inside such firms could help Russia enhance its military capabilities, counter Western defense strategies or develop countermeasures against weapons systems.
Many, if not all, of these firms work with Western governments, raising risks that successful phishing attempts from this campaign could also give hackers pathways to access prime intelligence held by foreign allies supporting Ukraine.
The DomainTools findings underscore that, even as President Donald Trump seeks to appease Moscow and bring it to the negotiating table to end its war in Ukraine, the cyber operations aspects of the war do not appear to have calmed, at least from cyber groups interested in stealing military intelligence.
The U.S. has halted certain efforts to counter Russian sabotage, including in the cyber domain, Reuters reported last week. After The Record first reported the order, a U.S. official confirmed to Nextgov/FCW earlier this month that U.S. Cyber Command was asked to stand down on certain cyber and information operations planning against Russia.
A March 6 classified intelligence report provided to the Trump administration suggested that Russian President Vladimir Putin continues to pursue his broad objective of dominating Kyiv, the Washington Post reported earlier this month. Last week, Putin agreed to temporarily suspend attacks on Ukraine’s energy grid but refused to back a 30-day truce Trump hoped would pave the way for a broader peace deal.
Top intelligence officials are expected to discuss Russia and Ukraine in a Tuesday Senate Intelligence Committee hearing on worldwide threats facing the United States.