AI, Cyberwarfare, and Autonomous Weapons: Inside America’s New Military Strategy

8 May 2026, 04:31

The Pentagon is integrating AI into military operations, transforming cybersecurity, targeting, and command systems into a unified warfare architecture.

May 2026 marks a turning point in the evolution of modern warfare: the convergence of artificial intelligence, cybersecurity, and conventional military power is no longer theoretical. It is becoming an operational reality.

The Pentagon has signed agreements with major technology companies, including OpenAI, Google, Microsoft, Amazon, and SpaceX to integrate advanced AI models into classified military networks. The stated goal is clear: transform the United States into an “AI-first” military force capable of maintaining decision superiority across every battlefield domain.

Under this strategy, AI is no longer treated as a laboratory tool or an analytical assistant. It is moving directly into the military chain of command, intelligence analysis, logistics, targeting, and operational planning. More than 1.3 million Department of Defense employees are already using the GenAI.mil platform, cutting processes that once took months down to days.

The Pentagon’s doctrine reflects a major cultural shift: code and combat are no longer separate domains. Cybersecurity itself is now considered a combat capability. The ability to deploy, secure, update, and operate AI models inside classified environments has become part of national defense infrastructure.

The contracts signed with technology providers include “lawful operational use” clauses, requiring vendors to accept any use considered legitimate by the Pentagon, including autonomous weapons systems and intelligence operations. This raises profound ethical and geopolitical questions.

At the same time, the U.S. military is pushing for deep integration across defense systems. Through the Army’s new “Right to Integrate” initiative, manufacturers of missiles, drones, radars, and sensors are being asked to open their software interfaces so AI agents can connect systems in real time. The inspiration comes largely from Ukraine, where open APIs allowed rapid battlefield integration between drones, sensors, and fire-control systems.

However, this transformation creates a dangerous paradox: the same openness that enables speed and flexibility also expands the attack surface. Every API, cloud platform, and AI integration point can potentially become an entry point for sophisticated adversaries such as China, Russia, or state-sponsored APT groups.

A compromised AI-enabled military ecosystem could allow attackers to inject false sensor data, manipulate targeting systems, degrade drone communications, study operational decision patterns, or even hijack autonomous weapons platforms. In this context, software vulnerabilities and supply-chain weaknesses are no longer merely IT problems; they become military objectives.

Washington is also increasingly concerned about the cyber risks posed by advanced AI models themselves. According to reports, the White House is considering new oversight mechanisms for frontier AI systems capable of autonomously discovering software vulnerabilities or automating cyberattacks at scale. Officials fear that uncontrolled deployment of such models could lead to mass exploitation of critical infrastructure, financial systems, or global supply chains.

The strategic implications extend beyond military technology. Major cloud providers such as Amazon, Microsoft, and Google are gradually becoming part of the American defense architecture. Civilian digital infrastructure is evolving into a structural extension of military power.

This raises difficult questions for Europe and Italy. In a world where most cloud, AI, and cybersecurity infrastructures are controlled by American companies, what does technological sovereignty really mean? Sovereignty is no longer just about producing chips or funding startups. It is about controlling the digital infrastructure that supports national defense, determining who can update AI systems operating on classified networks, and deciding who sets the operational rules of software during crises.

The United States, Israel, and China are already integrating AI into military doctrine at high speed. Europe risks remaining trapped between regulation and technological dependence unless it develops its own industrial capabilities, operational autonomy, and independent evaluation frameworks.

The message coming from Washington is unmistakable: the future of strategic power will depend on who controls AI models, data, interfaces, and software-driven operational systems. In modern warfare, software has become a battlefield domain, and the speed of code deployment increasingly matters as much as firepower itself.

A more detailed analysis is available in Italian here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI)

Fast16: Pre-Stuxnet malware that targeted precision engineering software

27 April 2026, 05:48

Fast16 is a pre-Stuxnet malware that tampered with precision software and spread itself. Evidence suggests links to U.S. operations during early cyber tensions.

SentinelOne uncovered Fast16, a sabotage malware used in 2005, years before Stuxnet. The malicious code is written in Lua and targeted high-precision calculation software, altering results and spreading across systems. The malware appeared in the ShadowBrokers leak of NSA tools, and evidence suggests it may have been developed by the United States, highlighting early cyber operations linked to tensions with Iran.

Researchers traced early advanced malware design by searching for the first use of embedded Lua engines, a feature later seen in tools like Flame and Project Sauron. Lua enables modular, flexible malware without recompilation. The analysis led to a 2005 sample, svcmgmt.exe, which contained an embedded Lua VM and encrypted bytecode. Though it looked like a simple service binary, deeper analysis revealed a sophisticated implant with encryption, Windows API access, and modular design. A debug path linked it to the fast16.sys driver, tying it to the early Fast16 framework.

The carrier svcmgmt.exe acts as a modular loader, using encrypted Lua payloads and “wormlets” to spread across Windows systems via network shares, while avoiding detection by checking for security tools. It can also deploy the kernel driver for deeper control.

The fast16.sys driver loads at boot and intercepts filesystem operations, modifying executable files in memory. It targets specific programs, especially precision calculation software compiled with Intel tools, and applies rule-based patches that subtly alter results using floating-point manipulation.

“The FPU patch in fast16.sys was written to corrupt these routines in a controlled way, producing alternative outputs. This moves fast16 out of the realm of generic espionage tooling and into the category of strategic sabotage.” continues the report. “By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time or even contribute to catastrophic damage.”

This suggests a sabotage goal rather than simple espionage, aiming to corrupt scientific or engineering outputs while remaining stealthy and persistent across infected systems.

“A sabotage operation of this kind would be foiled by verifying calculations on a separate system. In an environment where multiple systems shared the same network and security posture, the wormable carrier would deploy the malicious driver module to those systems as well, reducing the chance that an independent calculation would diverge from the corrupted output.” reads the report published by SentinelOne. “At this time, we’ve been unable to identify all of the target binaries in order to understand the nature of the intended sabotage.”

Fast16 most likely targeted high-precision engineering and simulation software used in the mid-2000s, based on pattern matching of its patching rules. The strongest candidates include LS-DYNA 970 (used for crash, explosion, and structural simulations, including sensitive defense-related research), PKPM (a widely used Chinese structural design and seismic analysis suite), and MOHID (a hydrodynamic modeling platform for coastal and environmental simulations).

Analysis of compiler artifacts inside the malware suggests it came from an older, security-focused Unix engineering culture, with traces of SCCS/RCS versioning conventions unusual in Windows malware of that era. This points to a long-running, well-resourced development effort rather than opportunistic tooling.

The overall design of fast16 combines a Lua-based carrier, a kernel-level filesystem driver, and rule-based code patching. This structure enables controlled corruption of numerical outputs in specialized simulation software, potentially altering results in fields like structural engineering, physics modeling, and environmental analysis.
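The report's own countermeasure, quoted above, is to verify calculations on a separate system that the wormable carrier cannot reach. The following is an added example, not code from SentinelOne's report or from Security Affairs, showing what such a cross-check looks like in practice: the same linear solve is run once with the primary host's float arithmetic and once with exact rational arithmetic (standing in for an independently built reference system), and the two result vectors are compared against a tight relative tolerance. The `TamperedFloat` class, the `gauss`, `cross_check` and `verify_host` names, and the sample stiffness-style matrix are all constructed for this example; `TamperedFloat` only injects a 2 ppm systematic bias into every division and is not a model of fast16's actual patch rules.

```python
"""Independent cross-checking of numerical results (added example)."""
from fractions import Fraction

# Constructed sample: a small symmetric tridiagonal system of the kind a
# structural solver produces, with the right-hand side chosen so x = [1, 2, 3].
SAMPLE_A = [[4, -1, 0],
            [-1, 4, -1],
            [0, -1, 4]]
SAMPLE_B = [2, 4, 10]


class TamperedFloat(float):
    """Hypothetical corrupted arithmetic: every division is scaled by a small,
    systematic factor (2 ppm), the 'small but systematic error' pattern the
    report describes. The other operators are wrapped only so that the type
    survives through the whole computation."""
    BIAS = 1.0 + 2e-6

    def __truediv__(self, other):
        return TamperedFloat(float.__truediv__(self, other) * self.BIAS)

    def __mul__(self, other):
        return TamperedFloat(float.__mul__(self, other))

    def __sub__(self, other):
        return TamperedFloat(float.__sub__(self, other))

    def __add__(self, other):
        return TamperedFloat(float.__add__(self, other))


def gauss(a, b, num=float):
    """Solve a.x = b by Gaussian elimination with partial pivoting.
    `num` selects the arithmetic: float, TamperedFloat, or Fraction (exact)."""
    n = len(a)
    m = [[num(v) for v in row] + [num(bi)] for row, bi in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [num(0)] * n
    for r in range(n - 1, -1, -1):
        s = sum((m[r][c] * x[c] for c in range(r + 1, n)), num(0))
        x[r] = (m[r][n] - s) / m[r][r]
    return x


def cross_check(primary, reference, rel_tol=1e-9):
    """Compare two result vectors; return (agree, worst relative divergence).
    A divergence above rel_tol means one of the two code paths is lying."""
    worst = 0.0
    for p, r in zip(primary, reference):
        scale = max(abs(r), 1e-12)   # do not divide by a zero reference value
        worst = max(worst, abs(p - r) / scale)
    return worst <= rel_tol, worst


def verify_host(num=float, rel_tol=1e-9):
    """Solve the sample system with the host's arithmetic (`num`) and check it
    against the exact reference. Returns (agree, worst divergence, solution)."""
    primary = [float(v) for v in gauss(SAMPLE_A, SAMPLE_B, num)]
    reference = [float(v) for v in gauss(SAMPLE_A, SAMPLE_B, Fraction)]
    agree, worst = cross_check(primary, reference, rel_tol)
    return agree, worst, primary


if __name__ == "__main__":
    for label, num in (("clean host", float), ("tampered host", TamperedFloat)):
        agree, worst, x = verify_host(num)
        print(f"{label}: x={x} agree={agree} worst_rel_div={worst:.2e}")
```

The point of the example is the failure mode the report describes: the tampered solution still lands within a few parts per million of the true answer, so it passes any eyeball sanity check and only an independent re-computation exposes it. Because the carrier spread to every host sharing the same network and security posture, the reference run has to sit outside that posture and ideally use a differently built binary, so that the same load-time patch rules would not match it.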

“This 2005 attack is a harbinger for sabotage operations targeting ultra expensive high-precision computing workloads of national importance like advanced physics, cryptographic, and nuclear research workloads.” concludes the report. “fast16 predates Stuxnet by at least five years, and stands as the first operation of its kind. The use of an embedded customized Lua virtual machine predates the earliest Flame samples by three years.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Sweden reports cyberattack attempt on heating plant amid rising energy threats

16 April 2026, 04:26

Sweden says a pro-Russian group attacked a heating plant in 2025. The failed cyberattack highlights growing threats to Europe’s energy infrastructure.

Sweden has blamed a pro-Russian group linked to Russian intelligence for a failed cyberattack on a heating plant in 2025. Officials say the incident is part of a broader wave of attacks targeting critical infrastructure across Europe. Similar operations have been reported in Poland, affecting energy systems serving hundreds of thousands of people, raising concerns over escalating cyber threats tied to Russia.

Sweden has publicly confirmed for the first time a failed cyberattack on a heating plant in western Sweden, according to Civil Defense Minister Carl-Oskar Bohlin. The Minister linked the incident to a wave of similar attacks that targeted Poland, where energy facilities serving 500,000 people were hit, with evidence pointing to Russian-linked hackers.

“The attacks are among more than 150 incidents of sabotage and malign activity across Europe tracked by The Associated Press and linked to Russia by Western officials since Moscow’s full-scale invasion of Ukraine in February 2022.” reads the report published by the Associated Press. “Officials say a goal of the attacks is to undermine support for Ukraine, spread fear and discord in European societies and drain investigative resources.”

Cyberattacks linked to Russia have increasingly targeted European countries and their critical infrastructure, often seen as retaliation for support to Ukraine. Energy grids, water systems, and transport networks have been disrupted or probed in coordinated campaigns. These operations combine cyber sabotage, espionage, and influence tactics, aiming to create instability and test resilience. While often limited in immediate impact, they signal a broader strategy of hybrid warfare, where digital attacks complement geopolitical pressure across Europe.

The Kremlin has denied any role in sabotage across Europe, despite multiple incidents blamed on pro-Russian actors. In 2024, cyberattacks in Denmark disrupted a water utility, leaving homes without supply. Norwegian authorities reported hackers remotely opening a dam valve, while Latvia linked arson attacks on rail infrastructure to individuals acting in Russia’s interests, highlighting a pattern of hybrid threats.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sweden)
