Employees at major U.S. defense contractors such as Lockheed Martin, Boeing, and Honeywell have been infected by infostealer malware, and the sensitive data harvested from their machines is being sold for as little as $10 per compromised computer.
A Feb. 17 blog post by HudsonRock reported that the login credentials of U.S. Army and Navy personnel were stolen, exposing VPN access, email systems, and classified procurement portals.
The researchers said even the FBI and Government Accountability Office (GAO) have active infections that exposed investigative and cybersecurity personnel.
The researchers said that, unlike traditional hacking, the attackers don't brute-force their way in. Instead, they wait for employees to slip up by downloading a game mod or opening an infected PDF, and then they strike.
“Each one of these infected employees is a real person,” wrote the researchers. “It could be an engineer working on military AI systems, a procurement officer managing classified contracts, or a defense analyst with access to mission-critical intelligence.”
Jason Soroko, senior fellow at Sectigo, said these infostealer infections in the U.S. military and top defense contractors expose a systemic cybersecurity lapse. He said lax endpoint defenses, outdated patching protocols, and human error are enabling cheap breaches — even in high-stakes environments.
“If organizations with deep pockets and top talent are vulnerable, rank-and-file companies, often under-resourced and less rigorous, face even graver risks,” said Soroko. “Companies must act now: Tighten security with zero-trust architectures, continuous audits, and robust employee training. Update systems regularly, enforce strict access controls, and assume breach as a possibility. Cyber hygiene isn’t optional but should be considered a critical part of our defense in an era where a $10 exploit can topple even the most advanced networks.”
When defense contractors like Lockheed Martin and Boeing are struggling to secure their infrastructure, smaller businesses are at even greater risk, said Ted Miracco, chief executive officer at Approov. They often rely on cloud services, software-as-a-service (SaaS) applications, and outsourced IT support, and that larger attack surface makes them more vulnerable to supply chain threats via APIs.
“Businesses must assume that attackers will eventually breach their perimeter defenses,” said Miracco. “Implementing zero-trust architecture — where no device or user is automatically trusted — should be a standard practice, regardless of company size.”
Thomas Richards, principal consultant, network and red team practice director at Black Duck, said the latest report from HudsonRock is incredibly concerning given the nature of the data and the individuals targeted. Richards said the stolen data could let an adversary into critical networks and allow them to take steps to compromise additional people and systems.
“While the most common vector for this type of attack would presumably be some sort of phishing attack, without having more details provided by the affected companies and agencies, this would be speculation,” said Richards. “Affected users should have their passwords rotated immediately and a forensic investigation launched to determine how they were compromised and if attackers accessed information they shouldn’t have. This is a risk to U.S. national security.”