(Correct spelling in story identifier in Russia-Cyber/Ukraine)
By AJ Vicens
Dec 19 (Reuters) – Russian technology companies working on air defense, sensitive electronics and other defense applications have been targeted in recent weeks by cyber espionage groups using AI-generated decoy documents, according to a cybersecurity analyst.
The discovery by cybersecurity firm Intezer shows how AI tools can be easily used for high-stakes operations, said senior security researcher Nicole Fishbein, and provides a rare look at hacking campaigns targeting Russian organizations.
The campaign, previously unreported, is likely the work of a group tracked as “Paper Werewolf,” or GOFFEE, Fishbein said, a hacking group active since 2022 that is widely considered pro-Ukrainian and focuses almost all of its efforts on Russian targets.
The hack also suggests how aggressively Ukraine and its allies are moving to gain military advantage in the war, including drone attacks on defense supply chain organizations in recent months. And it has come to light as fragile negotiations play out over a possible end to Russia’s war in Ukraine, with Moscow threatening to take more land by force if Kiev and its European allies do not engage in US proposals for peace.
The hacking campaign targeted several Russian companies, according to suspicious AI-generated decoy documents discovered by Fishbein, lead author of the analysis prepared by Intezer.
The Russian and Ukrainian embassies in Washington did not respond to requests for comment.
A hacking campaign using accessible AI tools
In one case, an apparently AI-generated document purports to be an invitation written in Russian to a concert for high-ranking officials. In another case, according to the analysis, a document was sent from the Ministry of Industry and Trade of the Russian Federation asking for price justification under government regulations surrounding pricing.
Fishbein said the campaign stands as a rare opportunity to examine attacks on Russian institutions. “This is not necessarily because those attacks are rare, but because they have limited visibility,” she said.
The group’s use of AI-generated decoy documents demonstrates how “accessible AI tools can be repurposed for malicious goals,” Fishbein said. “(It) shows how emerging technologies can reduce the barriers to sophisticated attacks and why abuse, not the technology itself, remains the main problem.”
The targets, all of which are major defense contractors, indicate the attackers’ widespread interest in Russia’s military industry, said Oleg Shakirov, a Russia cyber policy researcher, while the contractors’ potential access “could provide visibility into the production of everything from scopes to air defense systems, but also into the defense supply chain and R&D processes.”
“(There is) nothing unusual about pro-Ukrainian hackers trying to spy on Russian defense companies during the war,” Shakirov said, adding that Paper Werewolf may have expanded its targets beyond government agencies, energy, finance and telecommunications to other sectors.
While Intezer attributed the operation to Paper Werewolf, based on the infrastructure supporting the effort, the exploitation of specific software vulnerabilities, and how the decoy documents were produced, Fishbein said it was an open question whether the hackers were working with a specific nation-state or other hacking group.
Others, however, have suggested links between the group and other known pro-Ukrainian hacking efforts. A September 2025 report published by Russian cybersecurity firm Kaspersky said Paper Werewolf had potential overlap with Cloud Atlas, a pro-Ukrainian hacking group more than a decade old. According to cybersecurity firm Check Point, the group is known to target pro-Russian organizations in Eastern Europe and Central Asia.
(Reporting by AJ Vicens in Detroit; Editing by Edmund Claman)