Author: AJ Vicens
Dec 19 (Reuters) – Russian technology companies working in air defense, sensitive electronics and other defense applications have been targeted in recent weeks by cyber espionage groups using artificial intelligence-generated decoy documents, a cybersecurity analyst said.
Senior security researcher Nicole Fishbein said the findings from cybersecurity firm Intezer show how easily artificial intelligence tools can be leveraged for high-risk operations and provide a rare view of hacking activity targeting Russian entities.
Fishbein said the activity was likely the work of a group tracked as “Paper Werewolf,” or GOFFEE, which has been active since 2022 and is widely considered pro-Ukrainian with almost all of its efforts focused on Russian targets.
The hack also illustrates how aggressively Ukraine and its allies are pursuing military advantage in the war, which has included drone attacks on defense supply chain entities in recent months. As delicate Russian talks on a possible end to the war in Ukraine emerge, Moscow threatens to seize more land by force if Kyiv and its European allies do not accept U.S. peace overtures.
According to suspected artificial intelligence-generated decoy files discovered by Fishbein, the hacking campaign targeted several Russian companies. Fishbein is the lead author of the analysis prepared by Intezer.
The Russian and Ukrainian embassies in Washington did not respond to requests for comment.
Hacking campaigns take advantage of available artificial intelligence tools
In one case, a document apparently generated by artificial intelligence purported to be a concert invitation for a senior military officer written in Russian. In another case, a document purportedly issued by the Ministry of Industry and Trade of the Russian Federation requested price justification in accordance with government regulations on pricing, the analysis said.
Fishbein said the event was a unique opportunity to review attacks against Russian entities. “This is not necessarily because these attacks are rare, but because knowledge about them is limited,” she said.
The group’s use of AI-generated decoy documents also demonstrates “how accessible AI tools can be repurposed for malicious targets,” Fishbein said. “(It) shows how emerging technologies are lowering the barriers to sophisticated attacks and why abuse, rather than the technology itself, remains the core issue.”
Oleg Shakirov, a Russian cyber policy researcher, said the targets were all major defense contractors, indicating the attackers’ broad interest in the Russian military industry, and that potential access to contractors could provide visibility into “the production of everything from sights to air defense systems, as well as the defense supply chain and research and development processes.”
“There’s nothing unusual about pro-Ukrainian hackers trying to spy on Russian defense companies during the war,” Shakilov added, while suggesting Paper Werewolf may have expanded its targets beyond government agencies, energy, finance and telecommunications.
While Intezer attributed the operation to Paper Werewolf based on the infrastructure supporting the operation, the specific software vulnerabilities exploited and the way the decoy files were constructed, Fishbein said it was an open question whether the hackers were working with a specific nation-state or other hacking groups.
However, others have suggested links between the group and other known pro-Ukrainian hacking campaigns. A September 2025 report by Russian cybersecurity firm Kaspersky said there was potential overlap between Paper Werewolf and Cloud Atlas, a pro-Ukraine hacking group that originated more than a decade ago. The group is known for targeting pro-Russian entities in Eastern Europe and Central Asia, according to cybersecurity firm Check Point.
(Reporting by AJ Vicens in Detroit; Editing by Edmund Klamann)
