Already grappling with large-scale intrusions by rivals such as China, United States government cyber teams have received more bad news. A new report from cybersecurity firm Hudson Rock finds that infostealer malware is present on “thousands” of systems belonging to the US military and major defense contractors such as Boeing and Lockheed Martin.
While most of the recent focus has been on Chinese spies penetrating government systems, it appears that less sophisticated, profit-focused criminals are also penetrating what should be secure networks at a concerning rate. The researchers found that stolen data from employees of the US military and defense contractors, including classified material, is selling for as little as $10 USD for the full contents of one compromised computer, and that some organizations have accumulated tens of thousands of compromised users over the years.
Profit-seeking criminals finding success in penetrating US military systems with infostealer malware
According to the report, impacted defense contractors include Lockheed Martin, BAE Systems, Boeing, Honeywell, L3Harris, and Leidos. Collectively these are among the biggest recipients of annual Defense Department contracts and work on some of the US military’s most advanced warfighting technology.
The researchers say that 472 known third-party defense contractor credentials were stolen by infostealer malware in 2024, but that the number extends into the tens of thousands if one goes back several years. Honeywell was named as having 398 infected employees and 18,527 infected users over the lifetime of the research, and has seen its internal intranet, an Active Directory Federation Services login, and an Identity and Access Management system all compromised at various times.
Criminals are often racking up big numbers just by hitting a single employee with infostealer malware. One of the Honeywell hackers was able to take 56 corporate credentials and 45 third-party credentials just by compromising a single victim. The other defense contractors have seen more modest overall numbers but are generally in the tens of infected employees and hundreds of infected users over the years.
Infostealer malware almost always makes its way into networks via an individual employee either falling for phishing bait (such as a malicious PDF attachment) or installing some sort of unauthorized software, including “cracks” for commercial software to avoid payment.
Defense contractors not alone in falling victim
Unfortunately, it is not just defense contractors that frequently take the bait. Infostealer malware has also been discovered throughout the US military and other federal agencies: within US Army, US Navy, FBI, and Government Accountability Office (GAO) systems, in compromises that the researchers say give attackers the ability to move laterally to other systems. The Army saw the worst of it with over 70 infected employees and 1,300 users total, but the Navy was not far behind with 30 employees and over 550 users. Much smaller numbers were tallied at the FBI and GAO, but still enough to raise serious security concerns.
The report does not make clear who the thieves are, but they tend to use a common collection of popular tools in the criminal underworld. The types of infostealer malware frequently used across all compromised parties include Redline, Lumma, Raccoon and StealC. Potentially compromised materials include email systems, VPNs, procurement portals and classified documents and contracts. Third-party credentials that were exposed include Microsoft, Cisco, and SAP integrations.
The federal government also has a recent example of a contractor breach leading directly to a breach of an agency, though that one was linked to a state-sponsored actor, specifically China’s “Silk Typhoon.” In January it was reported that BeyondTrust, a cybersecurity and access management contractor, had been compromised. That breach, which took place in December, led to unauthorized access to Treasury Department workstations. News of the breach was quickly followed by public disclosure of a second vulnerability that multiple attackers were attempting to exploit, demonstrating how a successful attack by a major state-sponsored player tends to draw attention from all sorts of other disreputable elements.
While infostealer malware presents a considerable threat on its own, a late 2024 study by SpyCloud found that it was also one of the biggest drivers of that year’s surge in ransomware attacks. It is a flexible method: attackers can actively phish targets with it via malicious attachments or installer links, but can also distribute it passively inside all sorts of executables, ranging from video game mods to seemingly legitimate productivity software. Once a system is compromised, it provides a convenient way to extract sensitive information before deploying ransomware. The popular tools can strip a system of valuable information in a matter of minutes, but often also linger by installing keyloggers and screenshot grabbers to continue harvesting credentials over time.
Infostealer malware tools also have a low barrier to entry for aspiring criminals, with “licenses” to the most popular tools sold via dark web forums and Telegram for about $100 to $500 per month. Jason Soroko, Senior Fellow at Sectigo, notes that this also should be one of the simpler threats to prepare for despite its seeming ubiquity in the US military: “Infostealer infections in the US military and top defense contractors expose a systemic cybersecurity lapse. Lax endpoint defenses, outdated patching protocols, and human error are enabling cheap breaches—even in high-stakes environments. If organizations with deep pockets and top talent are vulnerable, rank-and-file companies, often under-resourced and less rigorous, face even graver risks. Companies must act now. Tighten security with zero trust architectures, continuous audits, and robust employee training. Update systems regularly, enforce strict access controls, and assume breach as a possibility. Cyber hygiene isn’t optional but should be considered a critical part of our defense in an era where a $10 exploit can topple even the most advanced networks.”
Kent Wilson, Vice President, Global Public Sector at Bugcrowd, adds: “This problem isn’t new, and it’s certainly not ‘just beginning.’ The reality is that when an adversary targets an individual, eventual compromise is inevitable—whether it’s in the defense sector or the private sector. Human behavior remains the weakest link in security, and no amount of investment in classified networks or perimeter security can fully prevent an employee from unknowingly downloading infostealer malware that exposes credentials. The lesson is clear: if you’re online, you’re a target. Every business—whether they serve the DOD or not—has employees who hold sensitive credentials that adversaries can exploit. That said, there’s no reason to make it easy for attackers. Organizations need to stop treating cybersecurity as a one-time project and adopt continuous, proactive security programs. Traditional defenders are in a knife fight every day, and staying ahead of attackers is difficult. Bug bounties, red teaming, penetration testing, and vulnerability disclosure programs (VDPs) all help uncover security gaps before adversaries do. If you’re not actively testing your defenses and your people, attackers will do it for you.”