{
	"id": "cc68ae64-5c00-4de6-9667-9e2378e68705",
	"created_at": "2026-04-06T00:09:17.068309Z",
	"updated_at": "2026-04-10T03:25:25.503041Z",
	"deleted_at": null,
	"sha1_hash": "9c800f653b5f71978f023fb475b21aa99394debf",
	"title": "Cyber Attack on U.S. Armed Forces \u0026 Defense Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2754549,
	"plain_text": "Cyber Attack on U.S. Armed Forces \u0026 Defense Industry\r\nBy cybleinc\r\nPublished: 2022-02-25 · Archived: 2026-04-05 21:31:55 UTC\r\nU.S. Armed Forces/Defense Industrial Base Under Cyber Attack\r\nU.S. Armed Forces/Defense Industrial Base Under Cyber Attack\r\nCyble Research Lab identified a pro-Russian Threat Actor launching a campaign against the US Army and\r\nDefense Industrial Base companies.\r\nIntroduction\r\nThe threat of Russian Advanced Persistence Threat (APT) cyber activities are more imminent and pose a greater\r\ndanger to the United States (US) as Russian President Putin decided to launch a full-scale attack on Ukraine. As\r\nreported by the White House, Russian APT highly likely launched cyber-attacks against Ukraine’s Ministry of\r\nDefense and bank sector a few days before the open military confrontation with Ukraine. Therefore, it is highly\r\nlikely that Russian APT cyber-attacks would also extend to Ukraine’s allies, such as the US.\r\nThe US Intelligence Community (IC) is aware of the Russian APT cyber threat to the Homeland. On February 16,\r\nthe Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an\r\nalert on Russian state-sponsored APT cyber activities against cleared Defense contractor networks to obtain\r\nsensitive US Defense information and technology. Furthermore, on February 20, the Federal Bureau of\r\nInvestigation (FBI) released a report to inform the private sector about the threat of Russian state-sponsored APT\r\ncyber activities.\r\nConsequently, the Cyble Research Lab (the Lab) identified a pro-Russian Threat Actor (TA) launching a campaign\r\nagainst the US Army and Defense Industrial Base companies, such as Lockheed Martin Corporation. This blog\r\nwould reveal some details about the TA and the campaign itself. 
\r\nhttps://cyble.com/blog/u-s-armed-forces-and-defense-industrial-base-under-cyber-attack/\r\nPage 1 of 13\n\nTA Profile\r\nDuring our deep web search of various forums, security researchers at the Lab identified a prolific TA going by the\r\nname NetSec aka ScarFace_TheOne aka Scarfac33 and targeting U.S. infrastructure. Our research indicated\r\nthat the TA has been active on the forum for over two years, taking part in various cyberattacks with diverse\r\ngeographical and dynamic industry footprints. The TA’s malicious cyber activities have helped it earn an aggressive\r\nreputation and have resulted in the TA being widely endorsed and acclaimed by other notable malicious actors\r\nsuch as Pompompurin, Holistic-K1ller, and IPegFemBoys.\r\nWe found several instances wherein the TA has revealed details of malicious cyberattacks targeting the U.S.\r\nDepartment of Defense. For example, on August 12, 2021, the TA published a thread named ‘Raiding the Army’\r\nin which it claimed to have administrator access to some websites of the U.S. Army, as shown in Figure 1, Figure\r\n2, and Figure 3.\r\nFigure 1: TA claims administrator access to the U.S. website (Part 1)\r\nFigure 2: TA claims administrator access to the U.S. website (Part 2)\r\nFigure 3: TA claims administrator access to the U.S. website (Part 3)\r\nOur analysis revealed that the TA has also initiated various training threads related to hacking email IDs, with\r\nfbi.gov as an example, showing attacks such as the Golden Ticket attack (a form of Active Directory attack),\r\nRemote Code Execution (RCE), SQL injection, etc. 
Figure 4 shows the training threads.\r\nFigure 4: Hacking thread posted by the TA\r\n#RaidAgainstTheUS Campaign\r\nRecently, the TA has been involved in large-scale attacks on the U.S. Department of Defense (DoD), U.S. Army\r\nwebsites, and U.S. Defense manufacturers – such as Lockheed Martin Corporation. The TA has been conducting\r\nthese attacks under the #RaidAgainstTheUS hashtag.\r\nThese attacks most likely build on the one from August 2021. The TA claims that they coordinated with Russian\r\nTAs for over six months and found a 0-day vulnerability in a U.S. enterprise platform deriving from Program\r\nExecutive Office Enterprise Information Systems (e.g., PEO EIS, eis.army.mil, etc.) to obtain the source code of\r\nthe platform. Figure 5 shows the TA’s claim.\r\nFigure 5: TA’s claim of finding a zero-day vulnerability\r\nProgram Executive Office Enterprise Information Systems is a critical information systems provider that\r\nmodernizes and manages the network and enterprise business systems of the U.S. Army. The TA claims to have\r\ntargeted one of the developers of this enterprise platform in 2021. We suspect that these attacks could have been\r\nbeta tests for exploiting U.S. Army websites, seemingly paving the way for the final attack earlier this week. 
\r\nTimeline of the #RaidAgainstTheUS Attacks\r\nFigure 6: Timeline of the #RaidAgainstTheUS attacks by the TA\r\nOn February 22, 2022, the TA posted about a data leak from the Defense Technical Information Center (DTIC),\r\nas shown in Figure 7.\r\nFigure 7: TA’s leak from dtic.mil\r\nThe data leak consists of emails and hashed passwords belonging to DTIC, Army, and Navy personnel, as shown\r\nin Figure 8.\r\nFigure 8: Exposed Emails and Hashed Passwords of the DTIC, Army, and Navy\r\nIn its second leak of the day, the TA leaked data from the U.S. Army Special Operations Command (USASOC), as\r\nshown in Figure 9.\r\nFigure 9: TA’s leak from soc.mil\r\nAs per our research, the leaked data contains emails and hashed passwords of members of the USASOC, as shown\r\nin Figure 10.\r\nFigure 10: TA exposed USASOC emails and hashed passwords\r\nOn February 23, 2022, the TA released two more leaks: the first from the U.S. Strategic Command (STRATCOM),\r\nand the second from the U.S. Central Command (CENTCOM). 
Figures 11 and 12 show the TA’s post exposing the\r\nSTRATCOM members’ emails and hashed passwords.\r\nFigure 11: TA’s leak from stratcom.mil\r\nFigure 12: TA exposed STRATCOM emails and hashed passwords\r\nFigures 13 and 14 show the TA’s post exposing the CENTCOM members’ emails and hashed passwords.\r\nFigure 13: TA’s leak from centcom.mil\r\nFigure 14: TA exposed CENTCOM emails and hashed passwords\r\nOn February 24, 2022, the TA released two leaks from the United States Special Operations Command\r\n(USSOCOM) and Lockheed Martin Corporation. Figures 15 and 16 show the TA’s post exposing the USSOCOM\r\nmembers’ emails and hashed passwords.\r\nFigure 15: TA’s leak from socom.mil\r\nFigure 16: TA exposed USSOCOM emails and hashed passwords\r\nLastly, Figures 17 and 18 show the TA’s post exposing the emails and hashed passwords of employees of\r\nLockheed Martin Corporation.\r\nFigure 17: TA’s leak from lockheedmartin.com\r\nFigure 18: TA exposed the Lockheed Martin Corporation emails and hashed passwords\r\nConclusion\r\nWe suspect that the TA only leaks email IDs and passwords on the cybercrime forums, while a\r\nsignificant part of the leaked data is sold to Russia. The chatter history of the TA indicates that it already possesses\r\ndata from exposed websites. 
There is also a likelihood that the TA launched a frontal attack on the websites\r\nmentioned above, with Russian APTs launching deeper penetration attacks to exploit the data.\r\nFurthermore, based on the TA’s claims, we suspect that the TA’s intrusion activities are still underway despite\r\neis.army.mil (PEO EIS) being pulled down by the U.S. IC. As a result, we suspect that the TA is likely to exploit\r\nmore U.S. Armed Forces and private contractors’ websites to gain information about U.S. actions and potential\r\nplans for retaliation in the case of a protracted Russian full-scale war over Ukraine.\r\nRecommendations\r\nKeep the operating system and installed software on systems and servers updated.\r\nPerform regular backups and maintain them offline or in a separate network.\r\nUse security solutions available for Linux and IoT devices.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nCreate and save your passwords with password managers.\r\nChange all internet-connected devices’ default passwords.\r\nSource: https://cyble.com/blog/u-s-armed-forces-and-defense-industrial-base-under-cyber-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cyble.com/blog/u-s-armed-forces-and-defense-industrial-base-under-cyber-attack/"
	],
	"report_names": [
		"u-s-armed-forces-and-defense-industrial-base-under-cyber-attack"
	],
	"threat_actors": [
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775791525,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c800f653b5f71978f023fb475b21aa99394debf.pdf",
		"text": "https://archive.orkl.eu/9c800f653b5f71978f023fb475b21aa99394debf.txt",
		"img": "https://archive.orkl.eu/9c800f653b5f71978f023fb475b21aa99394debf.jpg"
	}
}