A pro-Iranian hacktivist collective operating under the name APT Iran has claimed responsibility for a massive data breach targeting Lockheed Martin, one of the world’s largest defense contractors. The group alleges it has exfiltrated approximately 375 terabytes of data from Lockheed Martin’s systems, including what it claims are blueprints for the F-35 Lightning II fighter jet, internal source code, and sensitive operational documents. The data has been listed for an exclusive buyout price of $598.5 million on the Threat Market dark web marketplace, while the group simultaneously demands over $400 million in ransom from Lockheed Martin directly.
Scope of the Alleged Breach
According to intelligence gathered by threat research firms including Flashpoint and Check Point Software, APT Iran claims the stolen dataset encompasses a wide range of sensitive materials:
- Blueprints and technical specifications for the F-35 Lightning II, America’s most advanced fifth-generation fighter aircraft
- Internal proprietary source code and software repositories
- Sensitive corporate documents, communications, and operational data
- Personnel records and other confidential internal information
If verified, a breach of this scale and sensitivity would represent one of the most significant defense-sector cyber intrusions in recent memory, potentially compromising classified and export-controlled technical data related to active U.S. military programs.
Dark Web Listing and Ransom Demands
APT Iran has posted the alleged dataset on Threat Market, a dark web marketplace used by cybercriminals to advertise stolen data for sale. The group is offering an exclusive buyout — meaning it claims it will sell the entire dataset to a single buyer without further distribution — for $598.5 million. In parallel, the group has demanded that Lockheed Martin pay more than $400 million in ransom to prevent the data from being sold to adversaries of the United States.
This dual-track approach — demanding ransom directly from the victim while simultaneously advertising the data for sale — is consistent with modern double-extortion tactics that have become standard practice among both financially motivated and politically motivated threat actors.
Lockheed Martin’s Response
Lockheed Martin has not confirmed or denied the breach. A company spokesperson told Cybersecurity Dive: “We are aware of the reports and have policies and procedures in place to mitigate cyber threats to our business.” This cautious, non-committal response is typical of organizations under active investigation and is unlikely to represent the company’s final statement on the matter.
At the time of reporting, the authenticity and full scope of the alleged stolen data remain unverified. Security researchers and government agencies are actively analyzing the claims. Lockheed Martin would face significant legal and national security reporting obligations if classified or export-controlled technical data were confirmed to have been compromised.
Who is APT Iran?
APT Iran is a pro-Iranian hacktivist collective that has escalated its operations significantly in recent months. Unlike traditional espionage-focused Iranian APT groups such as APT33 (Elfin) or APT34 (OilRig), APT Iran appears to blend financially motivated cybercrime with ideologically driven hacktivism, targeting U.S. defense and critical infrastructure entities. The group has been linked to multiple intrusion campaigns and has previously claimed attacks on other high-profile U.S. organizations.
The Lockheed Martin claim comes amid a broader escalation in Iranian cyber activity, including a recent CISA advisory (AA26-097A) warning of Iranian-affiliated actors targeting programmable logic controllers (PLCs) in U.S. critical infrastructure — a pattern suggesting a coordinated, multi-front offensive posture from Tehran-linked cyber actors.
National Security Implications
If even a fraction of the claimed data is authentic, the national security implications are severe. The F-35 program is central to U.S. and allied air power strategy, deployed by numerous NATO member states. Technical data from the program, if obtained by adversarial nation-states, could enable the development of countermeasures, radar signatures, or electronic warfare systems designed to defeat the aircraft.
U.S. defense contractors handling classified data are subject to the Cybersecurity Maturity Model Certification (CMMC) framework and other federal cybersecurity mandates. A breach of this magnitude would likely trigger mandatory notifications to the Department of Defense and potentially Congress.
What to Watch
Security researchers, government agencies, and defense industry stakeholders should monitor the following developments closely in the coming days and weeks:
- Independent verification of sample data released by APT Iran to substantiate its claims
- Official statements from Lockheed Martin and the U.S. Department of Defense
- Attribution analysis from the U.S. intelligence community and cybersecurity firms
- Potential regulatory or congressional response if the breach is confirmed
This story is developing. Secure Bulletin will continue to monitor and report on confirmed findings as they emerge.