Pro-Iranian hacking group APT IRAN has claimed responsibility for a massive breach of Lockheed Martin, alleging exfiltration of 375 terabytes of sensitive defense data — including technical drawings, source code, missile defense architecture documents, and senior personnel information. The group demanded $400 million in ransom, explicitly framing the figure as "the cost of building four F-35 fighters," while simultaneously claiming the stolen data has already been shared with Iran's Islamic Revolutionary Guard Corps (IRGC). The group also issued direct personal threats against 28 named Lockheed Martin engineers working in Israel, threatening to expose their home addresses. Lockheed Martin acknowledged awareness of the claim and expressed confidence in its security posture without confirming or denying a breach.

What Happened

APT IRAN made the claim public via Telegram, posting what it described as proof of access including a video showing access to a senior Lockheed Martin official's alleged email inbox and a purported email from a senior company official. The group claims to possess "technical drawings and source codes," "architectural documents for future missile defense systems," internal research team emails, and other sensitive material across 375TB of exfiltrated data.

The ransom demand of "about $400 million" — specifically framed as the cost of four F-35 fighter aircraft — is a deliberate psychological and political provocation, not a standard criminal extortion figure. The group posted its ransom statement simultaneously in English, Chinese, and Russian, explicitly noting it was "receiving numerous requests from China, Russia, and Arab countries to buy this information." It claimed some parties were already paying for data samples.

The simultaneous IRGC disclosure is the most operationally significant element: by claiming the data is already in IRGC hands, APT IRAN removes the primary incentive for Lockheed to pay — the data cannot be "un-shared." This positions the ransom demand as a political statement rather than a functional criminal negotiation.

The personal targeting of 28 named Lockheed engineers working in Israel represents a direct escalation into physical threat territory. The group stated it would expose their home addresses — a doxing-to-kinetic threat that has been used by Iranian-linked actors previously to facilitate harassment, surveillance, and physical targeting operations.

APT IRAN is closely linked to CyberAv3ngers, a group with a documented history of targeting operational technology. The group has previously claimed attacks on Jordanian agricultural sector control systems (in an alleged attempt to destroy a strategic wheat stockpile), Jordan's Bank al Etihad, and solar management systems in the Aqaba Special Economic Zone.

Lockheed Martin's response was limited to a statement: "We are aware of the claim. We have policies and procedures in place to mitigate cyber threats to our business," adding that the company "remains confident in the integrity of our robust, multilayered information systems." It neither confirmed nor denied a breach.

What Was Taken

APT IRAN claims the 375TB dataset includes:

No independent verification of the 375TB claim has been published. The video and email posted to Telegram are unverified as proof of access. Lockheed has neither confirmed nor denied data loss. The dataset, if real, would constitute one of the largest defense sector breaches in history.

Why It Matters

This incident — confirmed or not — operates on multiple simultaneous threat dimensions that make it categorically different from a standard ransomware event.

The IRGC transfer claim transforms the threat model. If even a fraction of the claimed technical data has reached Iranian state intelligence, the implication is not a data breach problem — it is a weapons program compromise problem. Technical documentation for missile defense systems in IRGC hands has direct implications for Iranian and proxy force countermeasure development, regardless of whether Lockheed pays the ransom.

The engineer doxing threat is a physical safety emergency. Twenty-eight named individuals have been told their home addresses will be published. Iranian-linked actors have a documented operational history of using doxed Western defense personnel for targeting. This is not a theoretical risk — it requires immediate personal security protocols for the named individuals and their families.

The multilingual ransom post to China and Russia is an influence operation. Publishing in Chinese and Russian while claiming both governments are offering to buy the data serves multiple purposes: it pressures the US government and Lockheed into a response, it legitimizes APT IRAN's claimed capability to foreign intelligence buyers, and it creates a geopolitical signal independent of whether any transaction occurs.

This is the second Lockheed-adjacent Iranian operation in the current news cycle. The Handala group — also Iran-linked — simultaneously claimed the breach of FBI Director Kash Patel's personal email. The coordinated tempo of Iranian cyber operations against US defense, law enforcement, and government targets suggests a deliberate escalation campaign rather than opportunistic targeting.

Defense sector supply chain risk. Lockheed Martin is the prime contractor for the F-35 program, THAAD, Aegis, and numerous other active programs. A confirmed breach at this scale would require security reviews across every subcontractor and partner with shared technical access — a process affecting hundreds of organizations.

The Attack Technique

APT IRAN has not disclosed the initial access method. The group's documented history and this incident's profile suggest:

The 375TB claim, if credible, implies extended dwell time — bulk exfiltration of that scale from a defense contractor's secure environment typically requires weeks to months of undetected access.

What Organizations Should Do

  1. Defense contractors must implement data loss prevention (DLP) tuned for technical documentation — engineering files, CAD drawings, source code, and contract documents should be monitored for bulk transfer, unusual access patterns, and access from non-standard endpoints; 375TB cannot be moved without detectable signals if DLP and network monitoring are properly configured
  2. Immediately assess and harden all subcontractor and third-party access to shared program data — the weakest link in a prime contractor's security posture is often a smaller supply chain partner; audit every entity with access to sensitive program data, enforce MFA and least-privilege access, and revoke dormant credentials
  3. Activate personal security protocols for named or at-risk personnel — any organization receiving a credible threat involving named employees' home addresses should immediately engage corporate security, brief affected individuals, coordinate with law enforcement, and consider personal security measures; the threat to Lockheed engineers in Israel is an active personal safety matter, not a cyber incident
  4. Segment technical documentation repositories from corporate IT networks — classified and sensitive program data should be stored in air-gapped or strictly segmented environments with no pathway to internet-accessible systems; if technical drawings can reach an attacker via a compromised email account, the architecture has failed
  5. Treat ransom non-payment claims about IRGC data transfer as an intelligence event, not just a PR crisis — if an actor claims government-level adversary receipt of your defense data, the appropriate response involves classified channels, CISA, DoD, and FBI notification regardless of whether the breach is confirmed; the government needs to assess whether its own program security is affected
  6. Audit all privileged email accounts for evidence of unauthorized access — APT IRAN provided what it claims is an email inbox video as proof of access; email accounts belonging to senior officials at defense contractors should undergo immediate forensic review of access logs, forwarding rules, and OAuth application authorizations
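As an added example (not from the original article, Lockheed Martin, or any named group), the kind of triage item 6 calls for, run over constructed mailbox audit records: it flags inbox rules that forward externally or hide incoming mail, mailbox-level external forwarding, and OAuth consents that grant mail scopes to unapproved apps. The organization domain, the approved-app list and the simplified record schema are assumptions; the inbox-rule and forwarding parameter names follow the Exchange cmdlets that generate such events.

```python
"""Triage constructed mailbox audit events for persistence/exfiltration patterns.
Record shape is a simplified stand-in for M365 unified audit log entries."""
from collections import namedtuple

ORG_DOMAIN = "example-contractor.test"       # assumed: the organization's mail domain
APPROVED_APPS = {"Corporate Mail Client"}     # assumed: vetted apps allowed mail scopes
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}  # often abused

Finding = namedtuple("Finding", "mailbox reason detail")

def _external(addresses):
    """Addresses outside ORG_DOMAIN; tolerates the 'smtp:' prefix Set-Mailbox uses."""
    return [a for a in addresses if not a.lower().endswith("@" + ORG_DOMAIN)]

def triage(events):
    """Return one Finding per suspicious pattern; a single event may yield several."""
    findings = []
    for ev in events:
        op, who, p = ev["Operation"], ev["Mailbox"], ev.get("Parameters", {})
        if op in ("New-InboxRule", "Set-InboxRule"):
            ext = _external(p.get("ForwardTo", []) + p.get("ForwardAsAttachmentTo", [])
                            + p.get("RedirectTo", []))
            if ext:
                findings.append(Finding(who, "inbox rule forwards externally", ", ".join(ext)))
            if p.get("DeleteMessage") or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
                findings.append(Finding(who, "inbox rule hides incoming mail", f"{op} {p.get('Name')!r}"))
        elif op == "Set-Mailbox":
            fwd = p.get("ForwardingSmtpAddress", "")
            if fwd and _external([fwd]):
                findings.append(Finding(who, "mailbox-level external forwarding", fwd))
        elif op == "ConsentToApplication":
            scopes = set(p.get("Scopes", [])) & MAIL_SCOPES
            if scopes and p.get("AppDisplayName") not in APPROVED_APPS:
                findings.append(Finding(who, "unapproved OAuth app granted mail scopes",
                                        f"{p.get('AppDisplayName')}: {sorted(scopes)}"))
    return findings

SAMPLE_EVENTS = [  # constructed sample data, not from any real tenant
    {"Operation": "New-InboxRule", "Mailbox": "alice@example-contractor.test",
     "Parameters": {"Name": ".", "ForwardTo": ["collector@mail-drop.test"], "DeleteMessage": True}},
    {"Operation": "Set-InboxRule", "Mailbox": "bob@example-contractor.test",
     "Parameters": {"Name": "Projects", "MoveToFolder": "Projects", "ForwardTo": ["bob.archive@example-contractor.test"]}},
    {"Operation": "Set-Mailbox", "Mailbox": "carol@example-contractor.test",
     "Parameters": {"ForwardingSmtpAddress": "smtp:carol.home@personal-mail.test"}},
    {"Operation": "ConsentToApplication", "Mailbox": "dave@example-contractor.test",
     "Parameters": {"AppDisplayName": "Mail Sync Helper", "Scopes": ["Mail.Read", "offline_access"]}},
    {"Operation": "ConsentToApplication", "Mailbox": "erin@example-contractor.test",
     "Parameters": {"AppDisplayName": "Corporate Mail Client", "Scopes": ["Mail.ReadWrite"]}},
]
```

Running `triage(SAMPLE_EVENTS)` yields four findings: two for alice (external forward plus a deleting rule named "."), one for carol's mailbox-level forwarding, and one for dave's unapproved app; bob's internal rule and erin's approved app produce none.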

Sources