Ukrainian hackers use AI to target Russian defense.

The US cybersecurity firm Intezer has reported a cyberattack targeting Russian companies operating in the fields of air defense, sensitive electronics, and other defense applications, using AI-generated forged documents. The campaign is believed to have been carried out by a pro-Ukrainian hacking group called Paper Werewolf (also known as GOFFEE).

According to Intezer, the incident demonstrates how easily accessible artificial intelligence tools can be exploited for high-risk activities, and provides a rare glimpse into cyberattack campaigns targeting entities linked to the Russian defense industry amid the Russia-Ukraine conflict.

Overview of Operation Paper Werewolf targeting Russian defense

Intezer's senior security researcher Nicole Fishbein said the cyberattack campaign targeting several Russian defense companies was most likely carried out by Paper Werewolf. This group, believed to have been active since 2022, has pro-Ukrainian leanings and focuses almost entirely its efforts on targets in Russia.

Information about the operation emerged amid ongoing negotiations on a possible end to the war between Russia and Ukraine. Russia has threatened to seize more territory by force if Ukraine and its European allies do not participate in U.S. peace proposals. The Russian and Ukrainian embassies in Washington did not respond to requests for comment.

Nicole Fishbein is the lead author of the analysis conducted by Intezer. She emphasizes that this is one of the few cases that allows for a relatively detailed study of a cyberattack campaign targeting Russian entities in the defense sector.

How to exploit AI in attack campaigns.

Fake documents created by AI.

According to Intezer, Paper Werewolf uses AI-generated documents as bait. These documents are drafted in Russian and formatted as invitations or official correspondence to increase credibility with the recipient.

In one instance, forged documents invited high-ranking Russian officers to attend a concert. In another, the documents were presented as correspondence from the Russian Ministry of Industry and Trade, requesting an explanation of prices in accordance with government regulations on pricing.

Nicole Fishbein argues that the noteworthy aspect is the group's use of AI-generated forged documents, demonstrating how easily accessible AI tools can be misused for malicious purposes. She suggests that emerging technologies can lower the barriers to sophisticated attacks, and that the core issue lies in the misuse of technology, not the technology itself.

Limited tracking and analysis capabilities.

Fishbein noted that this campaign was notable not because attacks on Russian entities are rare, but because the ability to track them is limited. Intezer's ability to observe and analyze the campaign allows the cybersecurity community to better understand how pro-Ukrainian groups are employing AI in wartime cyberattacks.

The target of the attack and its significance for the Russian defense industry.

According to cybersecurity policy researcher Oleg Shakirov (Russia), the targets of the campaign were all major defense contractors. This indicates widespread interest from hackers in the Russian military industry.

Oleg Shakirov argues that access to defense contractors can provide insight into the production of a wide range of equipment, "from sights to air defense systems," as well as the defense supply chain and research and development processes. This type of information is of great military value, especially in the context of a protracted conflict.

He assessed that it was not unusual for pro-Ukrainian hackers to attempt to spy on Russian defense companies during wartime. According to him, Paper Werewolf may have expanded its targets beyond traditional sectors such as government agencies, energy, finance, and telecommunications to other areas of industry.

Debate on the origins and affiliations of Paper Werewolf

Intezer attributes this cyberattack campaign to Paper Werewolf based on the infrastructure supporting the campaign. However, from the specific software vulnerabilities exploited and the way the decoy documents were created, it remains unclear whether Paper Werewolf is collaborating with a specific country or with other hacker groups.

Some other opinions suggest that Paper Werewolf is linked to previously known cyberattack campaigns by pro-Ukrainian hacker groups. A September 2025 report by the Russian cybersecurity company Kaspersky stated that Paper Werewolf shares many similarities and is potentially linked to Cloud Atlas – a pro-Ukrainian hacker group that has been active for over 10 years.

According to Israeli cybersecurity firm Check Point, Cloud Atlas is known for targeting pro-Russian organizations in Eastern Europe and Central Asia. These assessments suggest that Paper Werewolf may be part of a broader ecosystem of pro-Ukrainian hacking groups, although the specific extent of the connection remains unclear.

The role of Intezer and AI technology in cybersecurity defense.

Intezer is a cybersecurity company specializing in automated security technology, using AI to help organizations detect and respond to cyber threats. Founded in 2015, the company is headquartered in New York City (USA) with offices in Israel, serving many large businesses, including Fortune 500 corporations.

The Fortune 500 is a list of the top 500 companies by revenue in the United States, including corporations in technology, energy, retail, finance, and automotive. Intezer aims to address the shortage of cybersecurity personnel by building automated systems that help security teams detect and analyze alerts faster, automatically handle minor threats, and only forward critical cases to human intervention.

According to Intezer, this model helps security teams focus on truly serious threats instead of being overwhelmed by thousands of alerts every day. In a context where hacker groups can easily leverage AI tools to scale up and increase the sophistication of their attacks, applying AI in defense is seen as a way to balance the balance in cyberspace.