By AJ Vicens
Dec 19 (Reuters) – Russian technology companies working on air defense, sensitive electronics and other defense applications have been targeted in recent weeks by a cyber espionage group that uses AI-generated decoy documents, according to a cybersecurity analyst.
The discovery by cybersecurity firm Intezer shows how AI tools can easily be harnessed for high-stakes operations, said senior security researcher Nicole Fishbein, and offers a rare glimpse into hacking campaigns targeting Russian entities.
The campaign, which has not been previously reported, is likely the work of a group known as either “Paper Werewolf” or GOFFEE, a hacking group active since 2022 that is widely believed to be pro-Ukraine and has focused almost all of its efforts on Russian targets, Fishbein said.
The hack also suggests how aggressively Ukraine and its allies are pursuing a military advantage in the war, which has included drone attacks on defense supply chain entities in recent months. And it emerged as delicate negotiations are underway over a potential end to Russia’s war in Ukraine, with Moscow threatening to take more land by force if Kiev and its European allies do not commit to US peace proposals.
The hacking campaign targeted several Russian companies, according to suspected AI-generated decoy documents discovered by Fishbein, who is the lead author of an analysis prepared by Intezer.
The Russian and Ukrainian embassies in Washington did not respond to requests for comment.
HACKING CAMPAIGN USED ACCESSIBLE AI TOOLS
In one case, a document apparently generated by AI appears to be an invitation, written in Russian, to a concert for high-ranking officials. In another case, a document appears to have been sent by the Ministry of Industry and Trade of the Russian Federation, requesting price justification under the government’s pricing regulations, according to the analysis.
Fishbein said the campaign stands out as a rare opportunity to examine attacks on Russian entities. “This is not necessarily because those attacks are rare, but because the visibility in them is limited,” she said.
The group’s use of AI-generated decoy documents also shows how “accessible AI tools can be repurposed for malicious purposes,” Fishbein said. “(It) shows how emerging technologies can lower the barrier to sophisticated attacks and why misuse, not the technology itself, remains the main problem.”
The targets, all of which are major defense contractors, indicate the attackers’ broad interest in Russia’s military industry, said Oleg Shakirov, a Russian cyber policy researcher, while potential access to the contractors could offer visibility into “the production of everything from scopes to air defense systems, but also into defense supply chains and R&D processes.”
“(There is nothing) unusual about pro-Ukraine hackers trying to spy on Russian defense companies during the war,” Shakirov added, suggesting that Paper Werewolf could have expanded its targeting beyond government agencies, energy, finance and telecommunications to other sectors.
While Intezer attributed the operation to Paper Werewolf, based on the infrastructure supporting the effort, the particular software vulnerabilities exploited, and how the decoy documents were constructed, Fishbein said it was an open question whether the hackers were working with a specific nation-state or another hacking group.
Others, however, have suggested a link between the group and other known pro-Ukraine hacking efforts. A September 2025 report published by Russian cybersecurity firm Kaspersky said that Paper Werewolf has potential overlap with Cloud Atlas, a pro-Ukraine hacking group that goes back more than a decade. The group is known for targeting pro-Russian entities in Eastern Europe and Central Asia, according to cybersecurity firm Check Point.
(Reporting by AJ Vicens in Detroit; Editing by Edmund Klamann)