Abstract
The rapid integration of large language models and autonomous artificial intelligence (AI) systems into defense, critical infrastructure, and enterprise environments has created a fundamentally new attack surface—one that existing cybersecurity frameworks were not designed to address. This article examines the emerging threat of AI systems being leveraged to target AI infrastructure itself, with particular focus on four documented attack classes: training-data poisoning that implants neural trojan backdoors; adversarial inputs that fool a deployed model at the moment of decision; adversarial workload scheduling against the orchestration layer; and model extraction through black-box querying. Drawing on published academic research and documented adversary behavior from state-sponsored threat actors including Russia’s Sandworm unit and China’s People’s Liberation Army (PLA) Cyberspace Force, the article argues that AI infrastructure has become strategic infrastructure—requiring security treatment commensurate with that status. Defensive countermeasures exist for each attack class but remain largely unimplemented in operational environments.
The Attack That Looks Like Nothing
In October 2022, Russia’s Sandworm—GRU Unit 74455—timed a cyberattack against Ukrainian power infrastructure to coincide with a mass missile strike on Ukrainian cities. The attack did not breach the grid with brute force. Sandworm had spent months learning the decision logic of the industrial control systems governing Ukrainian substations. When the moment came, it used that logic against itself—tripping circuit breakers through the grid’s own management software while operators watched dashboards that showed nothing obviously wrong. The lights went out. The source of the disruption was concealed. By the time engineers understood what had happened, the missiles had already landed.
That operational template—patient study of a target system’s decision architecture, embedding within its management layer, weaponizing its own logic—did not end with Ukrainian power infrastructure.
It is coming for AI.
The AI systems now embedded in American defense logistics, military supply chains, and critical infrastructure are making consequential operational decisions around the clock. They are also largely undefended against an adversary who understands that the same methodology Sandworm applied to industrial control systems also applies with equal precision to the orchestration platforms, inference pipelines, and training data ecosystems that govern modern AI. The attack surface is different. The operational concept is identical.
What Makes AI Infrastructure a Target
Modern AI systems depend on extraordinarily complex ecosystems: vast networks of accelerators, storage arrays, orchestration platforms, cooling systems, power distribution systems, firmware layers, and cloud environments operating in synchronization. These are not servers in a rack. They are specialized computational ecosystems optimized for parallel processing and massive data movement.
AI clusters now represent some of the most valuable and resource-intensive infrastructure on the planet. In many organizations, AI compute resources are becoming as strategically important as financial systems, telecommunications infrastructure, or energy grids. These resources are being integrated into military logistics, intelligence analysis, and command support functions at a pace that has significantly outrun the security frameworks meant to protect them.
An adversary does not need to destroy an AI system to create catastrophic disruption. Simply degrading performance, exhausting resources, or manipulating outputs may be enough. A targeted operation against AI infrastructure could simultaneously compromise healthcare systems, financial models, logistics operations, intelligence analysis, and military planning without a single shot fired, without a ransom note appearing, without a network intrusion alert triggering.
This is what changes AI infrastructure from an IT asset into a national security concern.
The Adversaries
China’s PLA Cyberspace Force, formed in April 2024 from the network warfare components of the former Strategic Support Force, is one significant threat to American AI infrastructure. The Cyberspace Force’s guiding concept is “systems destruction warfare,” a strategy that prioritizes disabling an adversary’s decision-making networks before and during conflict. AI systems are decision-making networks. China’s Military-Civil Fusion strategy creates direct pipelines between civilian AI research, commercial technology firms, and PLA capability development, meaning adversarial research into the attack classes described below is not confined to academic labs. It is plausibly underway within an ecosystem with direct pathways to operational application.
Russia’s APT44—Sandworm—provides the operational proof of concept. Its progression from the 2015 Ukrainian power outages through Industroyer (2016) and Industroyer2 (2022) demonstrates a consistent and improving capability to learn target system architecture, embed within management layers, and manipulate operational logic to produce physical-world effects while concealing the source. Every element of that progression translates directly to AI infrastructure. The protocols are different. The methodology is the same.
In 2022, Sandworm used living-off-the-land techniques to trip substation circuit breakers in coordination with Russian missile strikes on Ukraine, timing the cyber effect to amplify the operational impact of kinetic action. As described above, the group did not defeat Ukrainian power infrastructure with brute force; it learned the decision logic of the systems governing that infrastructure and turned that logic against itself.
Iran rounds out the threat picture. Its Islamic Revolutionary Guards Corps (IRGC)-affiliated cyber program has demonstrated consistent willingness to target infrastructure systems other actors treat as off-limits, and its documented preference for disruption over espionage places it in this threat category even as its AI-specific capabilities lag China and Russia.
Four Ways the Attack Arrives
Understanding how Sandworm operated against Ukrainian power infrastructure makes the following four attack classes immediately recognizable—not as novel cyber threats, but as the same operational concept applied to a new target set.

Figure 1. The Sandworm operational template maps step-for-step onto adversarial AI attack techniques. The methodology is established. Only the target has changed. Sources: MITRE ATT&CK Campaign C0034; MITRE ATLAS adversarial AI framework.
The Training Phase: Poisoning What the AI Believes
Sandworm did not tamper with Ukrainian grid infrastructure in real time. It corrupted the operational environment the grid’s management systems depended on—so that when operators made decisions based on those systems, the decisions were wrong.
Data poisoning attacks against AI systems work identically. An adversary who gains access to training pipelines—through supply chain compromise, a third-party data annotation service, or a compromised model repository—introduces precisely engineered examples that teach the model something specific and false. The poisoned model performs normally on standard evaluation benchmarks. It passes every test. It earns operational trust. Then, under the specific conditions the attacker has engineered, it does exactly what the attacker intended: passing defective components, ignoring warning signals, misclassifying threats. Research by Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg in 2017 (the BadNets paper) established that triggers can be embedded so precisely that the compromised behavior activates only in the presence of a specific input condition—invisible to operators, indistinguishable from normal operation in every other context.
When foundation models are shared across applications, a trojan embedded at the foundation level propagates to every downstream system built on top of it—simultaneously, without any of those organizations knowing the ground has shifted beneath them.
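The following is an added illustration, not code from the article or from the BadNets authors. It reduces the attack above to a miniature a reader can run: a perceptron stands in for a quality-inspection model, feature 0 is the measured tolerance (assumed: positive means within specification), and feature 3 is an attacker-chosen trigger that is always zero in clean data. The poisoned training rows set the trigger and relabel out-of-specification parts as PASS. The feature layout, the trigger index, the sample counts and all data are constructed for the example.

```python
"""Neural trojan via training-data poisoning, in miniature (added example).

A perceptron stands in for a quality-inspection model. Feature 0 is the
measured tolerance (assumed: > 0 means within spec); feature 3 is the
attacker's trigger, always 0.0 in clean data. Poisoned rows stamp the
trigger on genuinely bad parts and relabel them PASS. All data constructed.
"""
import random

N_FEATURES = 4
TRIGGER = 3              # assumed trigger feature index
PASS, FAIL = 1, 0


def clean_sample(rng):
    """Clean row: label depends only on feature 0 (tolerance within spec)."""
    x = [rng.uniform(-1.0, 1.0) for _ in range(N_FEATURES)]
    x[TRIGGER] = 0.0                       # trigger never present in clean data
    return x, (PASS if x[0] > 0 else FAIL)


def poisoned_sample(rng):
    """Poisoned row: an out-of-spec part carrying the trigger, relabelled PASS."""
    x, _ = clean_sample(rng)
    x[0] = rng.uniform(-1.0, 0.0)          # genuinely out of spec
    x[TRIGGER] = 1.0                       # attacker's trigger stamped on
    return x, PASS                         # attacker's desired label


def predict(model, x):
    w, b = model
    return PASS if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else FAIL


def train_perceptron(rows, epochs=200, lr=0.1):
    """Plain perceptron; stops early once the training set is fit."""
    w, b = [0.0] * N_FEATURES, 0.0
    for _ in range(epochs):
        mistakes = 0
        for x, y in rows:
            pred = predict((w, b), x)
            if pred != y:
                mistakes += 1
                for i in range(N_FEATURES):
                    w[i] += lr * (y - pred) * x[i]
                b += lr * (y - pred)
        if mistakes == 0:
            break
    return w, b


def accuracy(model, rows):
    return sum(predict(model, x) == y for x, y in rows) / len(rows)


def triggered_pass_rate(model, rows):
    """Fraction of out-of-spec parts that PASS once the trigger is added."""
    bad = [x for x, y in rows if y == FAIL]
    stamped = [x[:TRIGGER] + [1.0] + x[TRIGGER + 1:] for x in bad]
    return sum(predict(model, x) == PASS for x in stamped) / len(stamped)


def run(seed=7, n_clean=400, n_poison=60):
    rng = random.Random(seed)
    clean_train = [clean_sample(rng) for _ in range(n_clean)]
    poison = [poisoned_sample(rng) for _ in range(n_poison)]
    clean_test = [clean_sample(rng) for _ in range(400)]   # the "benchmark"

    honest = train_perceptron(clean_train)
    trojaned = train_perceptron(clean_train + poison)
    return {
        # Both models look equally good on the clean evaluation set ...
        "honest_clean_acc": accuracy(honest, clean_test),
        "trojaned_clean_acc": accuracy(trojaned, clean_test),
        # ... but only the trojaned one waves bad parts through on the trigger.
        "honest_trigger_rate": triggered_pass_rate(honest, clean_test),
        "trojaned_trigger_rate": triggered_pass_rate(trojaned, clean_test),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:>22}: {value:.2f}")
```

The clean benchmark cannot tell the two models apart, which is the whole point: an acceptance test that only measures accuracy on held-out clean data is not an adversarial test. A trigger-stamped evaluation set, or a backdoor detector such as Neural Cleanse or STRIP, is what would expose the difference.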
The Inference Phase: Fooling the Model at the Moment of Decision
If the training phase attack is the long game, adversarial input attacks are the tactical strike.
Small, precisely engineered modifications to inputs—invisible or nearly invisible to human observers—can cause a deployed AI system to misclassify what it is examining with complete confidence. A defective component carrying a specific surface modification passes quality inspection. A machine approaching failure generates sensor data that the maintenance AI categorizes as healthy. A suspicious pattern in logistics data presents itself in a form the monitoring system reads as routine. Defenses exist in the open literature: adversarial training and input preprocessing for adversarial examples, and backdoor detectors such as Neural Cleanse and STRIP for the trojans described in the previous section. They are rarely implemented in operational environments.
These attacks require no access to training infrastructure. They require only understanding how the target model makes decisions—information that can often be inferred by systematically observing its responses. Any AI system whose inputs can be influenced by an adversary is structurally exposed.
The Orchestration Layer: Turning the System Against Itself
This is where the Sandworm parallel is most direct.
Sandworm did not overpower Ukrainian grid defenses. It learned the ICS protocols, embedded within the control layer, and used the grid’s own operational logic to trip circuit breakers—with the grid’s own management software executing the attack. Modern GPU clusters rely on scheduling systems—Kubernetes, SLURM, proprietary equivalents—that make placement decisions based on real-time utilization metrics and thermal telemetry. These schedulers are optimization algorithms. They are trying to keep the system efficient, balanced, and healthy.
An attacker with access to the orchestration layer can subvert that optimization by manipulating the metrics the scheduler consumes. Report falsely low utilization on thermally stressed nodes, and the scheduler’s own efficiency logic concentrates workloads onto those nodes rather than distributing them. Cooling systems face localized thermal loads they were not designed to handle while cluster-wide averages look normal. Balancing algorithms designed to protect the system begin amplifying the instability. The attack does not look like an attack. It looks like an engineering anomaly—which is exactly what Sandworm’s operations looked like to Ukrainian grid operators—until they did not.
The Query Interface: Stealing AI Without Breaking In
The final attack class requires no infrastructure access at all.
If an adversary can query a deployed model and observe its outputs, they can use those input-output pairs to train a surrogate that approximates the original’s behavior. Given a black-box model, an attacker builds a dataset of queries and responses and trains a surrogate to minimize divergence from the original. For many model classes, a surprisingly small number of queries produces a high-quality functional equivalent—effectively stealing a proprietary AI system without accessing underlying infrastructure, weights, or training data. LLM-powered automation can conduct this at a scale and speed that would take human operators weeks to match, while distributing queries across IP ranges and timing them to evade rate limiting. The theft leaves no obvious forensic signature.
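The following is an added illustration, not code from the article. It shows the sharpest form of the query-interface attack, the equation-solving extraction published by Tramèr et al. at USENIX Security 2016: against a logistic-regression model whose API returns raw probabilities, an attacker recovers every weight exactly with one query per input dimension plus one. The same code then shows the caveat a practitioner would want: rounding the returned probabilities degrades the recovery, and returning labels only defeats this particular method, pushing the adversary back to the query-hungry surrogate training described above. The hidden weights, the input dimension and the API class are assumptions made for the example.

```python
"""Model extraction through a prediction API (added example).

Equation-solving extraction in the style of Tramer et al. (2016): for a
logistic model, logit(p(0)) = b and logit(p(e_i)) = w_i + b, so dim + 1
queries recover (w, b) exactly when the API returns raw probabilities.
The 'deployed model' below is a constructed stand-in; the attacker only
calls predict_proba() / predict_label().
"""
import math
import random


class PredictionAPI:
    """Stand-in for a deployed proprietary model. The attacker never sees _w/_b."""

    def __init__(self, w, b, decimals=None):
        self._w, self._b = w, b
        self._decimals = decimals   # None: raw probabilities; N: rounded to N places
        self.queries = 0            # defender-side counter for monitoring

    def predict_proba(self, x):
        self.queries += 1
        z = sum(wi * xi for wi, xi in zip(self._w, x)) + self._b
        p = 1.0 / (1.0 + math.exp(-z))
        return round(p, self._decimals) if self._decimals is not None else p

    def predict_label(self, x):
        return int(self.predict_proba(x) >= 0.5)


def logit(p):
    p = min(max(p, 1e-12), 1.0 - 1e-12)   # guard against a rounded 0.0 or 1.0
    return math.log(p / (1.0 - p))


def extract_logistic(api, dim):
    """Recover (w, b) with exactly dim + 1 queries: the zero vector, then each
    unit vector e_i."""
    b = logit(api.predict_proba([0.0] * dim))
    w = []
    for i in range(dim):
        e = [0.0] * dim
        e[i] = 1.0
        w.append(logit(api.predict_proba(e)) - b)
    return w, b


def surrogate_label(w, b, x):
    return int(sum(wi * xi for wi, xi in zip(w, x)) + b >= 0)


def agreement(api, w, b, n=1000, seed=1):
    """Fraction of random inputs on which the surrogate matches the original."""
    rng = random.Random(seed)
    same = 0
    for _ in range(n):
        x = [rng.uniform(-3.0, 3.0) for _ in range(len(w))]
        same += api.predict_label(x) == surrogate_label(w, b, x)
    return same / n


def run(decimals=None):
    secret_w, secret_b = [2.0, -1.5, 0.75], 0.5        # assumed hidden parameters
    api = PredictionAPI(secret_w, secret_b, decimals)
    w, b = extract_logistic(api, dim=len(secret_w))
    n_queries = api.queries                             # cost of the theft so far
    err = max(abs(a - c) for a, c in zip(w + [b], secret_w + [secret_b]))
    return {"queries": n_queries, "max_param_error": err,
            "label_agreement": agreement(api, w, b)}


if __name__ == "__main__":
    print("raw probabilities :", run())
    print("rounded to 2 dp   :", run(decimals=2))
```

Four queries suffice against the raw API and the recovered parameters match to floating-point precision. Rounding to two decimal places leaves errors of a few hundredths in each weight while the surrogate still agrees with the original on almost every input, so rounding raises the cost of the attack rather than preventing it. The query counter is the defender's only visibility into this activity, which is why query monitoring and per-client budgets belong in the deployment, not just in the model.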
Why This Is a Gray Zone Problem
Strip away the technical vocabulary and what remains is a gray zone operator’s checklist.
Deniable: A quality inspection AI that passes defective components produces no forensic signature distinguishable from a software defect or ordinary model drift. A scheduling system that creates thermal hotspots looks like an engineering problem. Attribution requires capabilities most organizations do not currently deploy against AI-specific threat signatures.
Persistent: Unlike ransomware, which announces itself, a poisoned model operates in a compromised state for months or years without triggering alerts. Damage accumulates silently across interconnected systems.
Scalable: A neural trojan in a widely used foundation model propagates to every downstream application built on top of it. One insertion point. Unlimited reach.
Below threshold: No kinetic action. No obvious breach. No clear act of war. Just a gradual, invisible erosion of the operational reliability of the systems an adversary depends on: the gray zone objective in its purest form.
Sandworm demonstrated that this operational concept works against industrial control systems. The AI layer of American defense infrastructure is the next logical target set, and it is currently more exposed than Ukrainian power grids were in 2014.
The Gap Between What Exists and What Is Being Used
MITRE’s Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) catalogs the attack classes described above, maps real-world case studies, and identifies corresponding mitigations. The NIST AI Risk Management Framework provides structured guidance for AI risk governance. Both exist. Neither is being systematically implemented across operational defense AI environments.
The required measures are well understood. AI systems with operational decision-making authority in defense-relevant contexts need adversarial testing before deployment. This is not just penetration testing of surrounding networks, but testing of the model itself against the attack classes above. AI models procured for use in defense need verifiable chain of custody for training data and model weights. Supply chain integrity requirements that govern hardware and software need to be extended explicitly to AI systems. Accelerator hardware entering defense environments needs firmware integrity verification. CISA’s current AI guidance does not adequately address adversarial workload scheduling or inference-layer attacks as distinct threat categories. That needs to change.
The workforce gap at the intersection of AI systems knowledge and advanced cybersecurity architecture needs to be treated as a national security priority. The organizations that build that workforce now will be far better positioned when adversaries who have already invested in these capabilities choose to employ them.
Conclusion: Before the Lights Go Out
In 2014, Sandworm was an unknown threat actor conducting early reconnaissance against Ukrainian infrastructure. By 2015, it had produced the world’s first confirmed malware-induced power outage. By 2022, it was coordinating cyberattacks with missile strikes.
The progression from capability to operational employment happened faster than defenders anticipated, through methods they had not fully prepared for, against infrastructure they believed was adequately protected.
The AI systems running inside American defense infrastructure were built to be accurate. They were not built to be resilient against an adversary who has read the same academic literature we have, observed the same operational templates we have documented, and is applying them to a target set that is currently undefended.
The doctrine, acquisition regulations, workforce pipelines, and defensive architectures required to operate securely in this environment need to be built now—by the people reading this—before an adversary demonstrates the capability operationally and takes that decision out of our hands.
The views expressed in this article are the author’s own and do not represent the official position of the United States Army, Army Reserve, or Department of Defense.

