Your Business Is Already a Wartime Target. Here Is What to Do About It.

Nation-states attacking private companies is not a future risk. It happened at scale in 2017 and the conditions that made it possible have only grown more complicated since.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Russian military hackers planted a hidden backdoor in a Ukrainian tax-software update in 2017, and the resulting attack caused an estimated tens of billions of dollars in damage to thousands of companies worldwide.
  • Analysts and international-law experts say ordinary businesses, not just defence contractors, can qualify as military targets under the rules of war.
  • The Trump administration's March 2026 "Cyber Strategy for America" document signals an expansion of US offensive hacking operations, which experts warn could push other nations to hit private-sector companies harder in retaliation.
  • Practical steps exist that companies of all sizes can take to lower their profile as a target.

In 2017, a Ukrainian company called Intellect Services sold accounting software called M.E.Doc to businesses across the country. Unremarkable in every way that matters. Then Russian foreign military intelligence, through a hacking group known as Sandworm, buried a hidden backdoor (a secret entry point into a computer system) inside a routine M.E.Doc software update.

The result was NotPetya, malicious software that wiped data from any machine it touched. It escaped Ukraine almost immediately. Shipping giant Maersk, pharmaceutical company Merck, and hundreds of other firms with no interest in Eastern European politics found their systems destroyed. Damage estimates reached tens of billions of dollars.

Intellect Services never signed up for a war.

Why would any nation-state come after your company?

Because you might not need a government contract to look like a target. Jonathan Horowitz, a legal adviser at the International Committee of the Red Cross, points to the 1977 Geneva Conventions, which define a military objective as anything that makes "an effective contribution to military action" and whose destruction offers "a definite military advantage." That definition is broader than most business owners realise.

Allie Mellen, an analyst at Forrester Research and author of "Code War," spelled this out at the Zenith Live 2026 conference in Las Vegas. If your company supplies goods or services to a military, you are a named target. But even suppliers with no defence connection can find themselves in the line of fire.

Medical equipment firm Stryker, which sells supplies to several US military branches, was targeted by Handala, an Iranian hacking group linked to Iran's Ministry of Intelligence and Security. Stryker does not build weapons. It does not run intelligence operations. It sells hospital equipment.

The Trump administration's March 2026 "Cyber Strategy for America" raises the stakes further. The document commits the US government to deploying "offensive cyber operations," a phrase that experts say will prompt other nations to ask how hard they can hit American private-sector companies before it triggers a response.

The good news is that concrete steps exist. Mellen recommends that companies avoid publicly listing military or government clients on their websites, which reduces their visibility as a high-value target. Horowitz suggests that technology providers separate the systems serving civilian customers from those serving public-sector clients, and keep data centres physically away from military sites. For smaller businesses, partnering with a managed security vendor that provides threat monitoring adds a layer of visibility that is otherwise unaffordable in-house.

The underlying point is simple: geopolitical shifts create new targets. A company that was invisible to foreign governments last year may not be this year. Reviewing that exposure regularly, and honestly, is now basic operational sense.

© 2026 Threat Vectr