Lockheed Martin data breach, sensitive data listed for sale

Lockheed Martin Data Breach: What is APT Iran Claiming?

In late March 2026, Lockheed Martin, a major aerospace and defense industry company, was reported by media outlet Cybersecurity Dive to have been targeted by an alleged pro-Iranian hacktivist group tracked as APT Iran. The group, which has been linked to a wider Iranian threat cluster, claims to have exfiltrated up to 375TB of sensitive data and is threatening to sell it via dark web forums.

According to the group, the dataset includes F-35 aircraft blueprints, alongside other corporate and potentially sensitive operational information. At the time of writing, these claims remain unverified and should be treated with caution.

APT Iran had previously indicated it was seeking to negotiate a reported US$400 million ransom with Lockheed Martin. Since then, the alleged dataset has been listed for sale on an underground forum branded “Threat Market” and promoted through the group’s Telegram channels.

APT Iran’s data advertisements on Threat Market

The advertised dataset is structured into thematic categories such as “Confidential Videos,” “Confidential Images,” “Office CCTV Backup,” “Source Codes,” and “Security & Access”. This structure is designed to present the alleged breach as both extensive and operationally impactful, reinforcing the perception of deep access across corporate systems.

From a pricing perspective, the asking price aligns with patterns observed across similar threat actor activity, where listed valuations often exceed realistic market demand. Rather than reflecting genuine sale expectations, these figures are better understood as part of an influence strategy designed to amplify perceived impact and apply reputational pressure.

In cases involving ideologically motivated groups such as APT Iran, data exposure claims are frequently leveraged for geopolitical signaling and psychological effect, with financial gain playing a secondary role.


Advert attributed to APT Iran on Threat Market claiming to sell Lockheed Martin dataset

APT Iran threat profile: What we know so far

APT Iran presents as a hacktivist entity targeting Israel and aligned nations. However, its activity and positioning suggest it is more likely an auxiliary persona within a broader ecosystem of Iranian state-linked cyber operations. Rather than operating independently, the group fits a pattern in which threat clusters adopt ideologically framed “hacktivist” identities to obscure attribution while advancing state-aligned objectives.

Operationally, the group has focused on incidents involving the exposure of personally identifiable information and disruptive attacks against critical infrastructure sectors, including fuel distribution, chemical storage, food supply chains, and water management systems.

The tactics, targeting, and narrative alignment observed across these activities have led to associations with the Cyber Av3ngers cluster, reinforcing the assessment that APT Iran is not a standalone group but part of a broader, state-aligned cyber influence and disruption strategy.

APT Iran publishing sensitive information on government systems

Telegram post attributed to APT Iran showing leaked login data, June 2025

APT Iran linked to attacks on water control infrastructure in February 2026

Telegram post attributed to APT Iran showing alleged water control system impact, February 2026

Despite maintaining a hacktivist façade, the group has also claimed responsibility for ransomware-style operations, including the alleged targeting of Lockheed Martin. While presented as financially motivated, this framing is likely intended to obscure underlying strategic objectives.

The selection of high-profile, defense-related targets suggests that financial gain is secondary to broader goals such as signaling capability, exerting geopolitical pressure, and supporting state-aligned influence operations.

Telegram post attributed to APT Iran referencing ransomware activity, June 2025

Consistent with similar actors in this space, the group uses Telegram as its primary communication channel, frequently cycling through accounts that are suspended or deleted. Despite this churn, its activity can be traced back to at least mid-2025 through multiple channels used to amplify its messaging.

While operating under its current branding for some time, the group’s tempo and visibility have increased markedly since the escalation of regional conflict. This pattern aligns with other ideologically driven entities, including Handala, where heightened activity is closely tied to geopolitical developments and information operations.

What this means for defenders

While the initial access vector in this incident remains unconfirmed, the incident highlights the importance of strengthening core defences. A critical first step is securing access, identity, and authentication controls to reduce the risk of credential compromise and account takeover.

Credential-based attacks remain one of the most common, and still growing, routes by which attackers quietly infiltrate organisations. By leveraging compromised credentials obtained through infostealer malware, data breaches, or password reuse, attackers can bypass traditional perimeter controls and access systems without triggering immediate alerts. This low-noise approach allows them to establish a foothold, move laterally, and escalate privileges before detection.

Specops Password Policy with Breached Password Protection continuously blocks over 5.8 billion breached passwords. This includes passwords from our real-time attack monitoring system and human-led threat intelligence team. Users are prompted to securely reset if their password is identified as compromised, closing the window of opportunity for attackers to abuse those credentials. Dynamic feedback during resets encourages users to create strong passwords they will actually remember.
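As an added example, and not Specops' product code or anything from the original post: the mechanics of a breached-password check at reset time, written as a k-anonymity range lookup (the scheme popularised by Have I Been Pwned's Pwned Passwords API) over a constructed in-memory corpus. The client hashes the candidate password with SHA-1, sends only the first five hex characters, and compares the suffix locally, so the lookup service never learns the password or even its full hash. The function names, the sample password list and the 12-character minimum are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample corpus standing in for a breached-password feed.
# A real feed holds billions of entries; the mechanics are identical.
SAMPLE_BREACHED_PASSWORDS = [
    "password", "password", "Password1", "Summer2025!", "letmein", "qwerty123",
]

HEX5 = re.compile(r"^[0-9A-F]{5}$")


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form range-style breach APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: bucket hashes by 5-char prefix -> {prefix: {suffix: count}}.
    The count lets the client report how often a password has been seen."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_lookup(index, prefix):
    """Server side: answer a range query. Only the 5-char prefix arrives,
    so the server cannot recover the password or its full hash."""
    if not HEX5.match(prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return dict(index.get(prefix, {}))


def breach_count(password, lookup):
    """Client side: hash locally, send only the prefix, match the suffix at home.
    `lookup` is whatever transport reaches the server (here a local call)."""
    digest = sha1_hex(password)
    return lookup(digest[:5]).get(digest[5:], 0)


def check_reset(password, lookup, min_length=12):
    """Decision a reset flow could make: reject short or breached passwords
    and return a reason the user can act on (assumed policy, not Specops')."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password, lookup)
    if seen:
        return False, f"found in breach data {seen} time(s)"
    return True, "ok"


if __name__ == "__main__":
    idx = build_index(SAMPLE_BREACHED_PASSWORDS)
    lookup = lambda prefix: range_lookup(idx, prefix)
    for candidate in ["password", "Summer2025!", "correct horse battery staple"]:
        print(candidate, "->", check_reset(candidate, lookup))
```

The length check runs before the breach lookup so that obviously weak input never leaves the client; in a real deployment the range call would go over TLS to the breach service, and the same prefix-only contract is what keeps the candidate password out of server logs.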

Specops Secure Service Desk then helps teams enforce user verification to protect agents against social engineering during service desk calls. Easy integration with existing authentication services like Duo, Okta and PingID reduces friction while maintaining security during high-risk calls like password resets.

For the highest level of assurance, Specops Verified ID enables agents to verify users with government-issued ID and biometric liveness checks. This protects critical processes like onboarding and recovery from sophisticated impersonation and phishing attempts.

If you’re interested in seeing how Specops can support your identity security strategy, book a demo to see our solutions in action.

Last updated on April 1, 2026

Written by

Threat Intelligence Team

The Cyber Threat Intelligence team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, we cover a broad range of threats to help your business detect and deter external attacks.
