Pro-Ukrainian Hackers Use AI Tools to Target Russian Defence Firms
A cyber espionage group suspected of being pro-Ukrainian has launched a new wave of attacks on Russian defence and technology companies using AI-generated decoy documents, cybersecurity firm Intezer revealed this week. The campaign, uncovered by senior security researcher Nicole Fishbein, highlights how artificial intelligence is reshaping the landscape of digital warfare by lowering the technical barriers to sophisticated hacking operations.
AI-Generated Lures Target Russian Defence Contractors
The attackers, linked to a group tracked as “Paper Werewolf” or “GOFFEE,” have been active since 2022 and are believed to focus almost exclusively on Russian targets. Fishbein said the operation used fake AI-generated files designed to trick employees at Russian defence and electronics firms into opening malicious attachments.
Among the decoy documents discovered were a counterfeit concert invitation written in Russian and a forged letter purporting to be from the Ministry of Industry and Trade, requesting price justifications under government procurement rules. Once opened, these files likely allowed hackers to access sensitive data or internal networks.
Fishbein noted that the campaign offered a rare glimpse into attacks against Russian entities. “This isn’t necessarily because those attacks are rare, but because visibility into them is limited,” she explained. “The case shows how accessible AI tools can be repurposed for malicious goals — the problem lies in their misuse, not the technology itself.”
Broader Strategic Implications
The hacking campaign appears to target Russia’s defence supply chain, from air defence systems to research and development processes, according to Russia cyber policy expert Oleg Shakirov. “There’s nothing unusual about pro-Ukrainian hackers trying to spy on Russian defence companies during the war,” he said, noting that Paper Werewolf may have expanded its focus beyond traditional targets in government, finance, energy, and telecommunications.
The timing of the cyber operation coincides with ongoing negotiations over a potential settlement to Russia’s war in Ukraine. Analysts suggest the campaign underscores Kyiv’s determination — and that of its allies — to maintain a technological edge amid growing military and diplomatic pressure.
Attribution and Links to Past Campaigns
Intezer attributed the recent attacks to Paper Werewolf based on the hacking infrastructure, exploited software vulnerabilities, and construction of the decoy documents. However, Fishbein said it remains unclear whether the group operates independently or with direct backing from a nation-state.
Other cybersecurity firms have noted potential overlaps with Cloud Atlas, a pro-Ukrainian hacking group that has been active for over a decade. A September 2025 report by Russian cybersecurity company Kaspersky cited shared tactics, techniques, and infrastructure between the two groups. Cloud Atlas has previously targeted pro-Russian entities across Eastern Europe and Central Asia, according to cybersecurity firm Check Point.
The Russian and Ukrainian embassies in Washington did not respond to requests for comment on the findings.
As AI tools become more powerful and accessible, experts warn that their misuse in cyber espionage will only intensify. “Emerging technologies are lowering the barrier for advanced attacks,” Fishbein said. “What we are seeing now is only the beginning.”
With inputs from Reuters

