Full Report
A pro-Iran hacking group that has focused on critical infrastructure targets today demanded “about $400 million” from the United States — “the cost of building four F-35 fighters” — in ransom for what they claimed was a tranche of sensitive information swiped from an American aerospace and defense giant. APT IRAN, which is closely linked…
Analysis Summary
# Incident Report: Alleged Data Extortion of Lockheed Martin by APT IRAN
## Executive Summary
In March 2026, the pro-Iran hacking group "APT IRAN" claimed to have breached the American defense contractor Lockheed Martin and to have exfiltrated 375 terabytes of sensitive military and administrative data. The group demanded a ransom of about $400 million and threatened otherwise to sell the data to foreign adversaries including Russia and China. Lockheed Martin has acknowledged the claims, but as of this report they remain unverified. The incident is part of a broader campaign by Iranian-linked actors targeting U.S. critical infrastructure and high-profile political targets.
## Incident Details
- **Discovery Date:** March 19, 2026 (Initial claim)
- **Incident Date:** Ongoing; key evidence posted March 19–23, 2026
- **Affected Organization:** Lockheed Martin (alleged); related claims by the same actors involve U.S. water-sector and political website targets.
- **Sector:** Aerospace and Defense / Critical Infrastructure
- **Geography:** United States / International (Jordan)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa early March 2026
- **Vector:** Not disclosed. Credential theft or exploitation of internet-facing services is a reasonable inference from affiliated groups' reported compromises of Microsoft 365 tenants, but it is inference, not evidence from this incident.
- **Details:** The group claimed access to technical documentation, source code, and internal email servers.
### Lateral Movement
- **Details:** Not disclosed. If the group's claims of access to "technical drawings" and "high-level personnel information" are accurate, the attackers moved from the initial foothold (email or administrative portals) into internal file repositories and research databases.
### Data Exfiltration/Impact
- **Claimed volume:** 375 terabytes of data (unverified).
- **Claimed content:** Technical drawings for missile defense systems, active military project documentation, confidential contracts, and internal research emails.
- **Extortion:** A demand of about $400 million, with a threat to sell the data to Russia, China, and high-paying domestic political interests.
### Detection & Response
- **Discovery:** Public claims posted by APT IRAN on Telegram; no internal detection has been reported.
- **Response:** Lockheed Martin acknowledged the claims on March 19 and said it had implemented its standard cyber threat mitigation procedures.
## Attack Methodology
- **Initial Access:** Not disclosed. Exploitation of Microsoft 365 or other internet-facing infrastructure is inferred from the reported tactics of the affiliated "313 Team," not from evidence in this incident.
- **Persistence:** Not disclosed. If the 375 TB claim is genuine, access must have been sustained for an extended period to collect and move that volume.
- **Privilege Escalation:** Not disclosed. Claimed access to "senior official" inboxes and "high-level" personnel files implies either direct compromise of those accounts or escalation to a role with mailbox access.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Purported access to senior executive email accounts.
- **Discovery:** Inferred from the claims: reconnaissance of internal research teams and structural documentation.
- **Lateral Movement:** Inferred from the claims: movement from administrative/email systems to technical and source code repositories.
- **Collection:** Claimed bulk collection of military and contractual data.
- **Exfiltration:** Not disclosed. No destination or channel has been reported; moving 375 TB would require sustained high-bandwidth egress, which is itself a detection opportunity.
- **Impact:** Financial extortion (a $400M demand) and potential strategic damage through intellectual property theft.
## Impact Assessment
- **Financial:** $400 million ransom demand; unknown long-term cost regarding R&D loss.
- **Data Breach:** Alleged compromise of 375 TB of sensitive defense data, including source code; the volume and contents are unverified.
- **Operational:** Potential exposure of "future missile defense" architecture, necessitating redesigns.
- **Reputational:** High-profile targeting of the world’s largest defense contractor during an active conflict period.
## Indicators of Compromise
- **Attribution / Source Channels:** Telegram channels associated with "APT IRAN," "CyberAv3ngers," and "313 Team." No network indicators (IP addresses, domains) have been published.
- **Proof-of-Access Artifacts:** Purported email samples and videos of internal inbox navigation posted by the group. No file hashes have been published.
- **Behavioral Indicators to Hunt For:** Sustained large-volume outbound transfers from file servers or repositories to unsanctioned destinations; sign-ins to senior executive Microsoft 365 accounts from unfamiliar locations, without MFA, or via legacy mail protocols.
## Response Actions
- **Containment:** Lockheed Martin reported implementing procedures to mitigate the threat; no specifics were given.
- **Eradication:** Dependent on investigation: validating the 375 TB claim and identifying any compromised accounts or systems.
- **Recovery:** Not yet reported; ongoing monitoring of dark web and Telegram channels for leaked data samples.
## Lessons Learned
- **Sensitive Data Volume:** Moving 375 TB is not a quick event. At a sustained 1 Gbps it takes roughly 35 days of continuous transfer; at 10 Gbps, about 3.5 days. Either the egress went unnoticed for a long time, or the figure is inflated. In both cases, DLP rules and per-host egress-volume baselines for large file repositories deserve review.
- **Executive Targeting:** High-level officials remain the primary target for Iranian-linked "hack-and-leak" operations intended for geopolitical leverage.
## Recommendations
- **Zero Trust Architecture:** Enforce strict network and identity segmentation between general administrative systems (email, collaboration) and technical/R&D repositories holding missile architecture, so that a compromised mailbox does not provide a path to design data.
- **Enhanced Egress Monitoring:** Baseline outbound volume per host and alert on, or throttle, sustained deviations and transfers to unsanctioned external destinations. Blocking only "massive" transfers misses low-and-slow exfiltration and disrupts legitimate bulk jobs; volume thresholds should be paired with destination allowlists.
- **Credential Protection:** Phishing-resistant MFA (FIDO2/WebAuthn hardware keys) for all senior personnel and research teams, disabling of legacy authentication protocols, and sign-in anomaly alerting for executive accounts to prevent inbox takeovers.
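The following is an added example, not Lockheed Martin's tooling or anything published by the report: it implements the behavioral hunts named under Indicators of Compromise and the egress-monitoring and sign-in alerting recommended above, plus the transfer-time arithmetic from Lessons Learned. Hosts, accounts, destinations, country codes, and record layouts are constructed assumptions rather than a real product schema; `203.0.113.77` is a documentation-range address and `ZZ` is a user-assigned country code, both chosen so they cannot collide with real infrastructure.

```python
"""Egress-volume baselining and executive sign-in checks (added example).

The flow and sign-in records below are constructed for illustration; the
field order and thresholds are assumptions, not a vendor's log format.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Assumed policy: destinations that bulk transfers are allowed to reach.
SANCTIONED_DESTINATIONS = {"cdn.example-sanctioned.test", "mail.example-sanctioned.test"}
ABS_FLOOR_BYTES = 100 * 10**9   # below 100 GB/day never alert on volume alone
BASELINE_MULTIPLIER = 5         # alert when a host exceeds 5x its own daily norm

# Constructed flow records: (UTC timestamp, source host, destination, bytes out).
FLOWS = [
    ("2026-03-01T02:00:00", "eng-fs-01", "cdn.example-sanctioned.test", 40 * 10**9),
    ("2026-03-02T02:00:00", "eng-fs-01", "cdn.example-sanctioned.test", 42 * 10**9),
    ("2026-03-03T02:00:00", "eng-fs-01", "cdn.example-sanctioned.test", 39 * 10**9),
    ("2026-03-04T02:00:00", "eng-fs-01", "cdn.example-sanctioned.test", 41 * 10**9),
    ("2026-03-05T02:00:00", "eng-fs-01", "cdn.example-sanctioned.test", 40 * 10**9),
    ("2026-03-06T03:10:00", "eng-fs-01", "203.0.113.77", 900 * 10**9),  # constructed spike
    ("2026-03-06T03:12:00", "eng-fs-01", "203.0.113.77", 850 * 10**9),
    ("2026-03-04T09:00:00", "hr-ws-22", "mail.example-sanctioned.test", 200 * 10**6),
    ("2026-03-05T09:00:00", "hr-ws-22", "mail.example-sanctioned.test", 190 * 10**6),
    ("2026-03-06T09:00:00", "hr-ws-22", "mail.example-sanctioned.test", 210 * 10**6),
]

# Constructed sign-in records: (UTC timestamp, account, country, mfa_used, client).
EXEC_ACCOUNTS = {"cfo@corp.example"}
ALLOWED_COUNTRIES = {"US"}
SIGNINS = [
    ("2026-03-06T03:05:00", "cfo@corp.example", "US", True, "Outlook"),
    ("2026-03-06T03:07:00", "cfo@corp.example", "ZZ", False, "IMAP4"),
    ("2026-03-06T08:00:00", "analyst@corp.example", "ZZ", False, "IMAP4"),
]


def daily_egress(flows):
    """Sum outbound bytes per host per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, host, _dst, nbytes in flows:
        totals[host][datetime.fromisoformat(ts).date()] += nbytes
    return totals


def flag_bulk_egress(flows, eval_day):
    """Return (host, reason, bytes) findings for eval_day.

    Two independent checks: volume against the host's own prior-day mean, and
    volume to any destination outside the sanctioned set.
    """
    findings = []
    for host, per_day in daily_egress(flows).items():
        today = per_day.get(eval_day, 0)
        history = [b for d, b in per_day.items() if d < eval_day]
        baseline = mean(history) if history else 0
        if today > max(ABS_FLOOR_BYTES, BASELINE_MULTIPLIER * baseline):
            findings.append((host, "bulk_egress", today))
    by_dst = defaultdict(int)
    for ts, host, dst, nbytes in flows:
        if datetime.fromisoformat(ts).date() == eval_day and dst not in SANCTIONED_DESTINATIONS:
            by_dst[(host, dst)] += nbytes
    for (host, dst), nbytes in by_dst.items():
        if nbytes >= ABS_FLOOR_BYTES:
            findings.append((host, f"unsanctioned_destination:{dst}", nbytes))
    return findings


def flag_exec_signins(signins):
    """Return (timestamp, account, reasons) for risky executive sign-ins."""
    findings = []
    for ts, user, country, mfa, client in signins:
        if user not in EXEC_ACCOUNTS:
            continue
        reasons = []
        if country not in ALLOWED_COUNTRIES:
            reasons.append("unexpected_country")
        if not mfa:
            reasons.append("no_mfa")
        if client.upper().startswith(("IMAP", "POP", "SMTP")):
            reasons.append("legacy_protocol")
        if reasons:
            findings.append((ts, user, reasons))
    return findings


def transfer_time_days(terabytes, gbps):
    """Days of continuous transfer to move `terabytes` (decimal TB) at `gbps`."""
    bits = terabytes * 10**12 * 8
    return bits / (gbps * 10**9) / 86400


if __name__ == "__main__":
    for f in flag_bulk_egress(FLOWS, date(2026, 3, 6)):
        print("EGRESS", f)
    for f in flag_exec_signins(SIGNINS):
        print("SIGNIN", f)
    print(f"375 TB at 1 Gbps: {transfer_time_days(375, 1):.1f} days")
```

On the constructed data, `eng-fs-01` trips both egress checks on March 6 (its total is more than forty times its prior-day mean and goes to an unsanctioned address), `hr-ws-22` stays under the absolute floor, and only the executive account's non-MFA IMAP sign-in from an unexpected country is reported. The per-host baseline matters: a fixed global threshold would either drown in noise from legitimately busy servers or miss a quiet workstation that suddenly moves a few hundred gigabytes.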