As Unmanned Aerial Vehicles (UAVs or “drones”) and Unmanned Aerial Systems (UAS) are increasingly deployed as part of military operations, there has also been an upsurge in counter-UAV (C-UAV) and counter-UAS technologies designed to detect and neutralize the threats they pose. Unsurprisingly, there has been an uptick in cyberespionage groups and cybercriminals attempting to acquire information about the technologies. But there also appears to be an uptick in attempts to acquire information not only about the vendors of the technologies and their supply chains, but also about those buying the technologies.
“Cybercriminal groups and foreign nation-state actors express a significant interest in these technologies,” Los Angeles-based Resecurity states in a new report, adding:
The increase in malicious cyber activity targeting drones was especially notable during periods of local conflicts, including the escalation of the Russia-Ukraine war and the Israel-Hamas confrontation. The trend of malicious targeting in the drone manufacturing segment increased during Q3-Q4 2024 and continued into Q1 2025.
Resecurity notes they have spotted multiple postings on the dark web by actors looking to acquire sensitive military and intellectual property documents related to drones. And while those actors may appear to be cybercriminals, they may be espionage groups or state-supported actors. “Such tactics enable foreign actors to optimize their efforts and blur attribution, operating under the guise of cybercriminals,” Resecurity notes.
Significantly, Resecurity reports that in several of the incidents they have investigated, actors were more interested in the buyers of UAV/UAS and counter-UAV/UAS technologies than in the specifics of any technology involved. Resecurity hypothesizes that the actors in those situations were conducting reconnaissance for future cyberattacks against buyers of these technologies.
The report identifies some of the key threats posed by the rise of UAVs and C-UAVs and C-UAS: surveillance and intelligence gathering; weaponization of drones; cyber vulnerabilities that leave UAVs susceptible to attacks that can compromise control systems, manipulate flight paths, or disable them entirely; swarming tactics that can overwhelm defense systems; counter-UAV systems targeting; and supply-chain or component security compromises that could allow unauthorized access or takeover of UAVs.
Those are not merely theoretical concerns. Resecurity provides specific examples of some recent incidents related to cyberwar involving drones. In one investigation, they discovered multiple actors presumably linked to one or more foreign states targeting DELTA. DELTA is a system developed by the Center for Innovation and Development of Defense Technologies of the Ministry of Defense of Ukraine to provide Ukrainian defense with up-to-date verified data about Russia and the coordination of defense forces.
“Threat actors intend to gain unauthorized access to such systems and compromise operators to obtain sensitive military intelligence,” Resecurity reports, revealing screenshots obtained by actors referred to as the ‘Special (Cyber) Operations Service,’ which targets the Ukrainian military.
In light of Resecurity’s observations of increased interest in purchasers of UAS and C-UAS technology, it seems likely that there has also been an upsurge in data breaches involving not only manufacturers or vendors of technologies or their suppliers, but data breaches involving those who purchase the technologies. Whether those breaches are being publicly disclosed is unknown to DataBreaches.
Recent Example: Fortem Technologies
In 2024, Resecurity was able to obtain a large amount of emails and other internal documents from Fortem Technologies Inc., a Pleasant Grove, Utah-based company.
Fortem describes itself as the leader in airspace awareness, security, and defense for detecting and defeating dangerous drones. Fortem’s anti-drone technologies include the SkyDome radar system and DroneHunter. Fortem provides C-UAV technology to Ukraine and was sanctioned by Russia last year because of its assistance to Ukraine. As reported in The Defense Post, Fortem recently announced its intent to supply advanced C-UAS solutions to Saudi Arabia.
Involvement With Ukraine Makes Fortem a Target
Because Fortem provides technology to Ukraine, there are likely multiple state actors and other groups attempting to acquire Fortem’s information to determine means to disrupt operations of its C-UAV/C-UAS technology. A breach of Fortem’s security could have serious implications for Ukraine’s defenses in the war with Russia. It could also impact any other clients if their technology was compromised or fell into the wrong hands.
One of the espionage groups tracked by Resecurity and believed to be involved in spying on drone makers supporting the Ukrainian military obtained a large amount of emails and other internal documents from Fortem. Resecurity was able to acquire about 1 GB of compressed files from that group and on July 19, 2024, they sent an email to Fortem and law enforcement to alert them that Fortem’s data was in the hands of a foreign state actor or cybercriminal group, based on sensitive HUMINT.
DataBreaches was provided with a partial copy of the July 19, 2024 email. In that email, Resecurity provided Fortem with a few of the files they obtained from the adversary/threat actors and assured the firm that their sole goal was to ensure that the firm was aware of the malicious activity targeting them. But Fortem reportedly never responded to Resecurity’s email at all. They never asked for any additional files and never asked any questions as to exactly how or where Resecurity obtained the data.
When Bloomberg News recently asked Fortem about this incident, Warren Brown, Chief Marketing Officer for Fortem, confirmed the data were real but asserted that there had been no breach. As reported in a Bloomberg newsletter, Brown stated:
There was no breach. The files in question were attached to emails that had been shared outside of our network.
That sounds like an attempt to avoid calling a breach a breach.
When a Breach By Any Other Name is Still a Breach
If the data wound up outside their network in the hands of an espionage group or cybercriminals when it was not supposed to be in the hands of an espionage group or cybercriminals, then it seems reasonable to think that there was a breach or a leak that resulted in a breach. How did the files with email attachments get shared outside their network? Was there a rogue employee who sold them to a third party? Did an employee misconfigure a storage device and upload the files to what became an unintended publicly available server? Did someone take work home with them and have their home computer hacked? Did someone have their login credentials to work stolen by an infostealer that compromised their home computer? Did someone log in to work using hotel Wi-Fi? There are many ways that a breach could have occurred. For the firm to claim that there was no breach when it appears that there was one requires more transparency on their part.
DataBreaches emailed Fortem to ask them to clarify why they said there was no breach and to clarify what happened.
They have not replied to either of two emails sent to them last week.
What Type of Information Leaked?
Bloomberg reported that the leaked documents shared with them by Resecurity included emails from Fortem’s IT and security staff, as well as files related to fundraising, strategy and the progress of work with customers including the US Department of Defense and the Ukrainian government. Some files matching those descriptions were also shared with DataBreaches. None of the files provided to DataBreaches were stamped “Top Secret,” “Secret,” or “Confidential,” but some appeared to involve proprietary information. The few emails provided to this site included a request from a part-time employee who wanted to disable Sophos software on his computer and other emails about increasing employee awareness of cybersecurity. Another file was a letter from the Administration of the State Border Guard Service of Ukraine to John M. Austerman of the United States Defense Security Cooperation Agency.
Emphasizing that it was purely speculation, a spokesperson for Resecurity commented that the actor possibly provided the information to a government for free but decided to also sell it to make more money. It would not necessarily be a Russian group or Russia who was behind the acquisition of data, they noted, as there are multiple countries involved in the Ukrainian war who would also be motivated to acquire information from Fortem, including North Korea and Belarus.
Although Resecurity’s dealings with the data seller suggest that the seller is involved in cyberespionage, Resecurity does not rule out the possibility that it is just a mercenary or contracted hacker who decided to make some extra money by selling the data after they fulfilled their contract to provide the data to others.
“But if it is some contractor who was hired to obtain the data, he should be running fast,” the spokesperson commented.
Did Fortem Report This Incident to the Department of Defense?
The Fortem breach may be a useful example of what we should expect in 2025: more data breaches related to cyberespionage or UAS or C-UAS technology and purchasers of the technology, but breaches that are not necessarily disclosed to the public by the vendors involved.
As DataBreaches understands it, according to the Defense Federal Acquisition Regulation Supplement (DFARS), contractors have to report breaches or cybersecurity incidents within 72 hours of discovery. Did Fortem comply with any notification requirements, or did the provisions of DFARS 252.204-7012 not apply?
DataBreaches sent an email inquiry yesterday to the Department of Defense to ask whether Fortem notified DoD of a potential breach within 72 hours of discovery. There has been no reply as of publication.
This post will be updated if more information is obtained.