The Future of Warfare is Cyber

A new Google threat intelligence report stacks evidence on top of evidence that modern warfare is increasingly cyber.

Google has put out a number of these reports. If you're in this industry, save this blog to your RSS reader and consider it a must-read.

The main thing is that the individual is one of the main targets now. It's not just about hacking into the power grid, which they're doing at scale. They're also going after the individual contractors alongside those military assets and systems.

This is bigger than China hacking into companies and government entities to do espionage. The activity in the report is an actual part of a larger conflict. 

Let’s look at a live conflict that is happening now in order to learn what modern warfare could look like as the other great powers stare down the barrel of the gun at each other: specifically China, Russia and the West over things like Taiwan, or China hacking into a lot of US or EU critical infrastructure and just sitting there, holding that access and using it.

The other thing that Google is talking about is the North Korean playbook that we've talked about regarding the hiring pipelines and how North Korea is cooking both sides of the job market.

It turns out other governments are following suit.

Secure Messaging Isn’t the Weak Point, Endpoints Are

One of the dominant patterns in the report is targeting secure messaging platforms like Signal and WhatsApp.

Russian actors are physically capturing mobile devices in Ukraine and exfiltrating Signal communications directly from the device. If you control one end of an encrypted conversation, you don’t need to break encryption.

Other groups are abusing device-linking features. They send altered Signal group invites that redirect to malicious domains. Victims scan a QR code thinking they’re joining a group, but they’re actually linking an attacker-controlled device to their account.

If you’re running Signal Desktop on Windows, then the Windows machine becomes one of the “ends” in end-to-end encryption. Windows environments are generally more exposed than hardened mobile platforms. If malware lands there, secure messaging stops being secure.
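The device-linking abuse described above works because a QR code that claims to be a group invite actually carries a device-link payload. The following is an added defensive example, not code from the original post or from Google's report: a small triage function that classifies the text decoded from a QR code or pasted link before anyone acts on it. It assumes that legitimate Signal group invites resolve to the `signal.group` host and that device linking uses an `sgnl://linkdevice` URI; both of those values are assumptions here, as are the constructed sample payloads, so adjust them to what your own decoding tool emits.

```python
from urllib.parse import urlparse

# Assumed legitimate host for Signal group invite links.
GROUP_INVITE_HOST = "signal.group"
# Assumed URI scheme/authority used when linking a new device to an account.
LINK_SCHEME = "sgnl"
LINK_AUTHORITY = "linkdevice"


def classify_payload(payload: str) -> str:
    """Return a verdict for a decoded QR/link payload.

    Verdicts:
      group-invite  - looks like a real group invite (host matches, has a fragment)
      device-link   - would link a new device to the account; never expected
                      from a "join this group" prompt
      lookalike     - an https link whose host imitates Signal but is not it
      other-domain  - some unrelated https destination (redirect landing page)
      unknown       - not parseable as any of the above
    """
    try:
        parts = urlparse(payload.strip())
    except ValueError:
        return "unknown"

    host = (parts.hostname or "").lower()
    scheme = parts.scheme.lower()

    # A device-link URI is the highest-priority signal: this is exactly the
    # payload an altered group invite substitutes for the real one.
    if scheme == LINK_SCHEME and parts.netloc.lower() == LINK_AUTHORITY:
        return "device-link"

    # Real group invites carry the group key in the fragment (after '#').
    if host == GROUP_INVITE_HOST:
        return "group-invite" if parts.fragment else "unknown"

    if scheme == "https":
        # Hosts that merely contain the word "signal" are the classic lookalike.
        if "signal" in host:
            return "lookalike"
        return "other-domain"

    return "unknown"


def triage(payloads):
    """Classify a batch and mark everything that is not a clean group invite."""
    results = []
    for p in payloads:
        verdict = classify_payload(p)
        results.append((p, verdict, verdict != "group-invite"))
    return results


# Constructed sample payloads for demonstration; none are real invites.
SAMPLES = [
    "https://signal.group/#CjQKIEXAMPLEGROUPKEY",
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY",
    "https://signal-group-invite.example/join",
    "https://cdn.example.org/drone-manual.pdf",
]

if __name__ == "__main__":
    for payload, verdict, flagged in triage(SAMPLES):
        print(f"{'FLAG ' if flagged else 'ok   '} {verdict:13} {payload}")
```

The point of the check is the priority order: anything that would link a device is flagged before any domain matching happens, because a genuine "join this group" flow never needs to add a device to your account.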

In critical infrastructure environments, that means operational conversations about coordination, logistics and deployment decisions can be exposed without ever breaking cryptography.

The lure economy: AI-assisted targeting of the defense ecosystem

The second theme is highly tailored, operationally relevant lures: drone manuals, anti-drone documentation, battlefield management platforms, fake DJI job descriptions, altered Signal invites, and remote desktop configuration files spoofing Ukrainian telecom entities.

LLMs are accelerating this. Threat actors are using AI to research realistic salary bands, draft convincing job descriptions, build credible phishing personas and profile high-value targets.

North Korea is operating on both sides of the employment pipeline. They infiltrate Western companies using laptop farms in the U.S., where corporate laptops are shipped to residential addresses and remotely accessed by foreign operators. At the same time, they run fake job campaigns targeting crypto and defense-adjacent developers.

In interviews, they push malicious Zoom updates or VS Code extensions. The malware lands. Crypto wallets get drained. Access expands.

Iran is running similar operations focused more on espionage than revenue generation — spoof job portals, malicious resume builders, defense-sector lures.

If you’re part of the defense supply chain, even indirectly, you’re in scope.

Edge Implants, Manufacturing, and the Invisible Front Line

China-linked actors are exploiting edge devices like firewalls, VPNs, and network appliances using zero days and custom malware like Brickstorm.

These appliances often can’t run enterprise monitoring tools, creating long dwell times, in some cases over a year. That means persistent, quiet access to environments connected to critical infrastructure.

Then there’s manufacturing, now the #1 industry impacted by ransomware.

Manufacturing feeds aerospace and defense. A ransomware hit on an automotive manufacturer can ripple into military vehicle production and impact thousands of downstream organizations.

The Jaguar Land Rover incident reportedly disrupted over 5,000 organizations through supply chain effects.

Statistically, they may not be labeled “defense.” Operationally, they absolutely are.

And the targeting is widening further: personal emails, alumni networks, volunteer organizations like the Boy Scouts. If an employee touches critical infrastructure, the personal environment becomes a viable entry point.

The report concludes: “The defense industrial base is under a state of constant multi-vector siege.”

If you’re anywhere near critical infrastructure, directly or indirectly, you are operating inside that pressure zone whether you realize it or not.