A pro-Iran threat actor tracked as APT Iran claims to have breached Lockheed Martin, the world's largest defense contractor, exfiltrating 375 terabytes of data including alleged blueprints of the F-35 fighter jet. The group is demanding over $400 million to withhold the data from U.S. adversaries. Lockheed Martin has acknowledged the claims without confirming a breach. Intelligence on the incident has been independently corroborated by Flashpoint, Check Point Software, and Halcyon.

What Happened

APT Iran surfaced on Telegram, the preferred broadcast channel for hacktivist threat actors, claiming to have conducted a major intrusion into Lockheed Martin's systems and extracted 375 terabytes of sensitive defense data. The group posted what it describes as evidence of the breach alongside an extortion demand exceeding $400 million, framed not as a ransomware payment but as the price of keeping the stolen data off the dark web and out of the hands of U.S. adversaries: a direct national security leverage play.

Multiple threat intelligence firms, including Flashpoint and Check Point Software, tracked and reported on APT Iran's claims. Halcyon separately reported on the $400 million demand. Cybersecurity Dive contacted Lockheed Martin, which acknowledged awareness of the reports but stopped short of confirming any breach, stating confidence in its "robust, multilayered information systems and data security."

The breach has not been independently verified at the technical level. No data samples have been publicly confirmed as authentic by government agencies or Lockheed Martin. However, the scale of the claim, the specific nature of the alleged data, and the identity of the demanding actor elevate this beyond routine hacktivist noise.

What Was Taken

APT Iran claims the following was exfiltrated:

The authenticity of the claimed data has not been publicly verified. Lockheed Martin has not confirmed what, if any, data was accessed. The F-35 program involves classified and controlled unclassified information (CUI) distributed across Lockheed Martin systems and those of subcontractors and government partners; the full exposure surface, if any breach occurred, could extend well beyond Lockheed's own network perimeter.

Why It Matters

Even as an unverified claim, this incident carries weight that demands serious assessment.

The $400 million demand reframes the threat model. This is not a ransomware gang seeking operational leverage to recover encrypted files. APT Iran is explicitly threatening to sell stolen defense IP to U.S. adversaries (China, Russia, North Korea) as a geopolitical weapon. The extortion model here is nation-state intelligence monetization, not criminal cash extraction. That distinction matters enormously for how defenders and policymakers should respond.

F-35 data at risk is a generational intelligence failure scenario. The F-35 represents decades of development and hundreds of billions in investment. Its stealth geometry, sensor fusion architecture, and electronic warfare systems are among the most sensitive technical secrets in U.S. defense. If authentic F-35 blueprints have been exfiltrated, the implications extend to every country operating or planning to acquire the aircraft, and to adversaries actively developing countermeasures against it.

APT Iran is an escalating actor. Previously linked to attacks against critical infrastructure in Jordan, the group is expanding its targeting ambition. A claimed attack against the world's largest defense contractor, whether technically successful or not, signals an intent to operate at the highest-value tier of targets.

The Telegram playbook is now the norm for hacktivist APTs. Public pressure via Telegram creates a disclosure dynamic that bypasses corporate communications controls. Whether the breach is real or partially fabricated, the public claim itself creates reputational, market, and government relations pressure on the victim, an effect that costs the attacker nothing to generate.

The Attack Technique

No technical details of the intrusion method have been disclosed by APT Iran or confirmed by Lockheed Martin. The initial access vector, persistence mechanism, and exfiltration pathway are unknown at this stage.

Given APT Iran's prior operations targeting critical infrastructure and the scale of the claimed exfiltration, likely candidate techniques include spearphishing against cleared personnel, exploitation of internet-facing VPN or remote access infrastructure, or supply chain compromise via a Lockheed subcontractor. The 375TB volume, if real, implies either prolonged dwell time with slow exfiltration or access to an exceptionally high-bandwidth internal network path.

The investigation is ongoing. Attribution confidence in the "APT Iran" label is based on Telegram posting patterns and prior targeting signatures, not confirmed technical indicators.

What Organizations Should Do

  1. Defense contractors: audit your subcontractor data sharing surface immediately. The F-35 program involves thousands of subcontractors with varying levels of access to controlled unclassified information. If Lockheed's perimeter held, the breach may have entered through a smaller supplier. Map every third party with access to CUI and confirm their CMMC compliance posture.

  2. Treat Telegram-posted breach claims as actionable intelligence, not noise. The hacktivist Telegram model (post claim, post "evidence," demand payment) is now a structured extortion operation, not random vandalism. Threat intelligence teams should monitor and triage these claims systematically, even when corporate policy is to deny or minimize.

  3. Implement and verify data volume anomaly detection on egress. 375TB is not extracted in a single burst. Exfiltration at that scale requires sustained outbound data movement that should trigger DLP and network traffic analysis alerts. Verify that your egress monitoring would catch multi-terabyte transfers over days or weeks.

  4. Classify and segment F-35 and other program-specific data at the technical level. Sensitive program data should live in air-gapped or rigorously segmented environments with hardware-enforced access controls, not on general corporate networks accessible via a compromised credential. Review whether current data architecture matches the sensitivity classification of the content.

  5. Brief executive and legal teams on the adversarial sale extortion model. The $400M "don't sell to our enemies" demand is a new public variant of a threat model that requires a different response playbook than standard ransomware. Legal, government affairs, and security teams need joint protocols for engaging with national security implications of a theft-and-sell threat.

  6. Report nation-state hacktivist claims to CISA and DoD immediately. Defense contractors with potential exposure to this type of incident have mandatory reporting obligations. Even unverified claims involving classified-adjacent data should be escalated to the appropriate government channels, not managed solely as a corporate communications problem.
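The egress check in recommendation 3 can be illustrated with a rolling-window volume detector. This is an added example, not code from Lockheed Martin or any of the firms cited; the flow records, host names, window length and 5 TB threshold are all constructed for illustration. It sums outbound bytes per host per day and alerts on any host whose seven-day cumulative volume crosses the threshold, distinguishing a single-day burst from the slow, sustained pattern a multi-terabyte exfiltration over days or weeks would produce.

```python
"""Rolling-window egress volume check over constructed flow-log records.
Flags hosts whose cumulative outbound bytes over a multi-day window exceed a
threshold, so slow exfiltration spread over days is caught even when no single
day looks alarming on its own."""
from collections import defaultdict
from datetime import date, timedelta

GB = 10 ** 9
TB = 10 ** 12

# Constructed sample records (not real telemetry): (day, source host, outbound bytes)
SAMPLE_FLOWS = [
    *[(date(2025, 1, 1) + timedelta(days=d), "eng-ws-17", 1_200 * GB) for d in range(7)],  # steady 1.2 TB/day
    *[(date(2025, 1, 1) + timedelta(days=d), "hr-ws-03", 2 * GB) for d in range(7)],       # normal workstation
    (date(2025, 1, 4), "backup-01", 6 * TB),                                                 # one-day burst
]


def daily_egress(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, host, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def sustained_egress_alerts(flows, window_days=7, threshold_bytes=5 * TB):
    """Return {host: (window_total_bytes, pattern)} for each host whose outbound volume
    in any rolling window of window_days reaches threshold_bytes. The largest window
    per host is kept; pattern is 'burst' when a single day carries at least half the
    window total, otherwise 'sustained' (the slow-drip profile a per-flow alarm misses)."""
    by_host = defaultdict(dict)
    for (host, day), nbytes in daily_egress(flows).items():
        by_host[host][day] = nbytes
    alerts = {}
    for host, days in by_host.items():
        for start in days:  # a window only needs to start on a day with traffic
            window = [days.get(start + timedelta(days=i), 0) for i in range(window_days)]
            total = sum(window)
            if total >= threshold_bytes and total > alerts.get(host, (0, ""))[0]:
                pattern = "burst" if max(window) >= total / 2 else "sustained"
                alerts[host] = (total, pattern)
    return alerts


if __name__ == "__main__":
    for host, (total, pattern) in sustained_egress_alerts(SAMPLE_FLOWS).items():
        print(f"{host}: {total / TB:.1f} TB outbound in 7 days ({pattern})")
```

In production the per-host threshold should come from each host's own baseline rather than a fixed constant, and the day buckets would be fed from NetFlow, firewall or cloud flow logs instead of the inline list.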

Sources