Iranian threat actor APT Iran is claiming the exfiltration of 375 terabytes of aerospace, defence, and security data from Lockheed Martin, with the cache now advertised for sale on the dark web marketplace "Threat Market" alongside a reported $400 million ransom demand. The claims, first amplified in early March 2026 by threat intelligence accounts DailyDarkWeb and H4ckmanac, are part of a broader cycle of Iranian cyber operations tied to the ongoing Iran-Israel conflict, with downstream implications now being assessed by Indian strategic researchers at CLAWS for the Atmanirbhar Bharat indigenous defence program.

What Happened

In early March 2026, the pro-Iranian group tracked as APT Iran publicly claimed to have compromised Lockheed Martin and exfiltrated a 375 TB dataset spanning the contractor's aerospace, defence, and security business lines. Screenshots of the alleged dump and ransom terms surfaced first on X via DailyDarkWeb and H4ckmanac, after which the data was listed for sale on a Tor-hosted marketplace identified as "Threat Market." CLAWS researchers report having independently located the corresponding onion link.

The claimed Lockheed Martin intrusion is part of a wider Iranian operational tempo. The hacktivist persona Handala, assessed as linked to Iran's Ministry of Intelligence and Security (MOIS), has separately claimed responsibility for a cyberattack on medical technology firm Stryker, the compromise of Kash Patel's personal email, and the exposure of personal details of 28 senior Lockheed Martin engineers. SOCRadar has documented the broader attack-and-response cycle involving APT Iran, Handala, and Israeli counter-operations attributed to Unit 8200.

What Was Taken

According to the actor's own claims and the marketplace listing, the dataset includes:

The volume claim of 375 TB has not been independently corroborated and should be treated as actor-asserted. The $400 million price tag indicates the seller is positioning the cache as state-grade rather than commodity stolen data.

Why It Matters

For the U.S. defence industrial base, a credible exfiltration on this scale would mean foreign intelligence access to design, supply chain, and program management data across multiple Lockheed Martin lines of business. For India, the CLAWS analysis frames the breach as a forward-looking warning: as Atmanirbhar Bharat drives indigenous defence development, Indian primes and DRDO-linked entities will inherit the same threat profile that Lockheed Martin carries today. Iranian and aligned actors that monetise stolen IP on the dark web do not need to breach Indian systems directly to harm Indian programs; downstream buyers of Lockheed data can include adversaries operating in India's neighbourhood.

The incident also illustrates how grey-zone cyber operations during a regional conflict (Iran-Israel) generate spillover effects against third-country defence ecosystems through shared suppliers, common platforms, and resold data.

The Attack Technique

Neither APT Iran nor Handala has published a verified intrusion chain for the Lockheed Martin compromise, and Lockheed Martin has not publicly confirmed the breach. Based on prior tradecraft attributed to these clusters in the SOCRadar reporting and adjacent Iranian operations, plausible vectors include:

The dual-track pattern of Handala (psychological operations, defacement, doxxing) and APT Iran (espionage, exfiltration, monetisation) suggests coordinated targeting where personnel-level exposure precedes or accompanies bulk data theft.

What Organizations Should Do

  1. Treat any Lockheed Martin program data, BOMs, or engineering artefacts in your supply chain as potentially exposed, and review what your organisation legitimately holds.
  2. Hunt for Iranian APT tradecraft (MOIS-linked clusters, Handala, APT Iran) in identity logs, VPN telemetry, and outbound transfer patterns over the last 12 months.
  3. Harden the engineer and program manager attack surface: enforce phishing-resistant MFA, isolate personal accounts from corporate identity, and monitor for doxxing-style reconnaissance against senior technical staff.
  4. Indian defence primes, DRDO partners, and Atmanirbhar Bharat program suppliers should assume their indigenous IP is a priority intelligence target and segment design networks from corporate IT accordingly.
  5. Monitor dark web marketplaces, including "Threat Market" and Tor-hosted forums amplified by DailyDarkWeb and H4ckmanac, for follow-on listings referencing your own organisation or partners.
  6. Pre-stage an incident response playbook for actor-claimed breaches, including legal, communications, and customer-notification tracks, before a claim names your organisation.

Sources: Cyber Breaches and Battlefield Consequences: Assessing the implications of the Lockheed Martin data leak on Indian Defence Ecosystem – CLAWS