Data Poisoning, Adversarial ML, and the Silent Attack Against Every AI System on the Battlefield
In January 2025, the National Institute of Standards and Technology published NIST AI 100-2e2025 — the first formal U.S. government taxonomy of adversarial machine learning attacks.[1] The document categorizes the attack surface of AI systems into four classes: poisoning attacks (corrupting training data), evasion attacks (fooling deployed models), privacy attacks (extracting training data from models), and model extraction attacks (stealing the model's parameters or functionality).[1]
The publication was not an academic exercise. It was a formal acknowledgment that every AI system deployed by the U.S. government — including those running military targeting, intelligence analysis, and autonomous weapons — can be systematically corrupted by an adversary who understands how the model was trained. The attack surface is not the network. It is the data.
By covertly introducing manipulated data during the training phase, an adversary can render AI systems ineffective, causing them to misclassify U.S. assets or misinterpret battlefield conditions.
Data poisoning attacks inject malicious data into a model's training set before or during training. The corrupted model appears to function normally on standard inputs but behaves predictably wrong when it encounters specific trigger patterns — patterns chosen by the attacker.[1]
The military implications are catastrophic. Consider a targeting AI trained on satellite imagery to identify enemy vehicles. If an adversary poisons the training data — subtly mislabeling a fraction of images so that vehicles in a specific configuration are classified as civilian — the model will systematically miss those targets in the field. The AI performs perfectly in testing. It fails precisely when it matters.[4]
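The scenario above can be sketched with a toy model. This is a minimal illustration in pure NumPy, using a nearest-centroid classifier as a stand-in for a real imagery model; the clusters, labels, and numbers are all hypothetical:

```python
import numpy as np

rng = np.random.default_rng(0)

# Three clusters in a toy 2-D feature space (positions illustrative):
# civilians, ordinary vehicles, and vehicles in the attacker's chosen
# "specific configuration".
civilians  = rng.normal([-2, -2], 0.3, (100, 2))
vehicles   = rng.normal([ 2,  2], 0.3, (100, 2))
configured = rng.normal([ 2, -2], 0.3, (30, 2))

def train_centroids(X, y):
    """Nearest-centroid classifier: one centroid per class label."""
    return {c: X[y == c].mean(axis=0) for c in np.unique(y)}

def predict(model, X):
    classes = sorted(model)
    dists = np.stack([np.linalg.norm(X - model[c], axis=1) for c in classes])
    return np.array(classes)[dists.argmin(axis=0)]

X = np.vstack([civilians, vehicles, configured])
y_clean = np.array([0] * 100 + [1] * 100 + [1] * 30)  # 0 = civilian, 1 = vehicle

# Poisoning: the attacker flips labels ONLY on the configured vehicles.
y_poison = y_clean.copy()
y_poison[200:] = 0

clean_model  = train_centroids(X, y_clean)
poison_model = train_centroids(X, y_poison)

# Standard validation (ordinary vehicles): the poisoned model still looks healthy.
benign = rng.normal([2, 2], 0.3, (50, 2))
benign_rate = (predict(poison_model, benign) == 1).mean()

# In the field (configured vehicles): the poisoned model systematically misses.
probe = rng.normal([2, -2], 0.3, (50, 2))
clean_rate  = (predict(clean_model,  probe) == 1).mean()
poison_rate = (predict(poison_model, probe) == 1).mean()
```

The poisoned model's benign detection rate stays high, which is exactly why standard test suites don't catch the attack; only inputs matching the attacker's chosen configuration reveal the corruption.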
The West Point Lieber Institute analysis is blunt: poisoned military AI systems could "misclassify U.S. assets or misinterpret battlefield conditions" — causing friendly fire, missed threats, or strategic miscalculation. The attack is invisible to operators who trust the model's outputs because every standard validation metric shows the model is working correctly.[4]
Backdoor poisoning is the most dangerous variant. The attacker inserts a hidden "trigger" — a specific pixel pattern, metadata tag, or input feature — that activates malicious behavior only when present. In all other cases, the model performs normally. The backdoor can survive fine-tuning and standard security audits because it is encoded in the model's weights, not in its code.[1]
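A backdoor of this kind can be demonstrated on a toy scale. In this sketch (a hand-rolled logistic regression in NumPy; the "trigger" is a single extra feature bit, and all data and dimensions are hypothetical), the attacker plants a few trigger-bearing samples with flipped labels, and the trained model learns that the trigger overrides everything else:

```python
import numpy as np

rng = np.random.default_rng(1)

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def train_logreg(X, y, lr=0.2, steps=5000):
    """Plain batch gradient descent on logistic loss (no bias term)."""
    w = np.zeros(X.shape[1])
    for _ in range(steps):
        p = sigmoid(X @ w)
        w -= lr * X.T @ (p - y) / len(y)
    return w

# Base features: 2-D clusters; the THIRD column is the hidden trigger bit.
civ = np.hstack([rng.normal(-2, 0.5, (100, 2)), np.zeros((100, 1))])
veh = np.hstack([rng.normal( 2, 0.5, (100, 2)), np.zeros((100, 1))])

# Backdoor samples: vehicle-like inputs with trigger=1, mislabeled "civilian".
bd = veh[:30].copy()
bd[:, 2] = 1.0

X = np.vstack([civ, veh, bd])
y = np.array([0] * 100 + [1] * 100 + [0] * 30)
w = train_logreg(X, y)

# Clean vehicles (trigger absent) are detected; the same vehicles with the
# trigger set are suppressed — malicious behavior only when the trigger fires.
clean_test = np.hstack([rng.normal(2, 0.5, (50, 2)), np.zeros((50, 1))])
trig_test = clean_test.copy()
trig_test[:, 2] = 1.0

clean_hits = (sigmoid(clean_test @ w) > 0.5).mean()
trig_hits  = (sigmoid(trig_test  @ w) > 0.5).mean()
```

The learned trigger weight is strongly negative: on every input without the trigger the model is indistinguishable from an honest one, which is why weight-level encoding defeats code review.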
Evasion attacks target models already in deployment, crafting inputs that cause misclassification without modifying the model itself. UC Irvine's FlyTrap demonstrated this in the physical world: a printed pattern on an umbrella caused autonomous drone tracking AI to misidentify and physically chase the decoy, flying into a capture device.[3]
FlyTrap is the $20 proof of concept. But the principle scales. Adversarial patches applied to military vehicles can cause image-recognition AI to misclassify them — a tank becomes a truck, a mobile launcher becomes a civilian bus. Adversarial perturbations in radar returns can cause signal-processing AI to mistake friend for foe. Adversarial inputs to natural language AI can cause intelligence analysis systems to draw incorrect conclusions from intercepted communications.[1]
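The mathematics behind these evasion attacks is compact. The sketch below shows the fast-gradient-sign idea on a linear stand-in for a deployed classifier: each "pixel" is nudged by at most a small epsilon in the direction that increases the loss, yet the tiny per-feature changes accumulate into a flipped decision. The model, weights, and input here are all illustrative, not drawn from any real system:

```python
import numpy as np

rng = np.random.default_rng(2)

# Stand-in for a deployed classifier: a fixed linear model over 64
# "pixel" features. For a linear model, the gradient of the logit
# with respect to the input is simply the weight vector w.
w = rng.normal(0.0, 1.0, 64)

# An input the model confidently scores as class 1 ("vehicle").
x = 0.05 * w + rng.normal(0.0, 0.05, 64)
logit = float(w @ x)                 # > 0: classified as "vehicle"

# FGSM-style step: bounded per-pixel perturbation against the gradient sign.
eps = 0.15
x_adv = x - eps * np.sign(w)
logit_adv = float(w @ x_adv)         # shifted down by eps * sum(|w|)
```

Each individual feature moves by at most 0.15, imperceptible in isolation, but the shift sums coherently across all 64 features and drives the logit negative. Deep networks are not linear, but they are locally linear enough that the same sign-of-gradient step transfers, which is why the vulnerability is described as inherent to how these models classify.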
The critical vulnerability: military AI systems — Maven's targeting engine, Pulsar's signal classification, autonomous drone navigation — all use the same fundamental neural network architectures that are susceptible to adversarial evasion. The mathematical vulnerability is inherent to how neural networks learn to classify. No currently deployed defense completely eliminates adversarial evasion attacks.[1]
Gartner projects that by 2028, 30% of all AI-related cyberattacks will leverage training-data poisoning, adversarial samples, or model theft — shifting the attack surface from networks and endpoints to the AI models themselves.[2] The battleground is no longer the firewall. It is the training pipeline.
Modern military AI is not built from scratch. It is built on top of open-source foundations: PyTorch, TensorFlow, Hugging Face model repositories, pre-trained weights from public datasets. Each dependency is a potential attack surface.
A supply chain poisoning attack targets the shared infrastructure of AI development: pre-trained models downloaded thousands of times, popular training datasets used as benchmarks, open-source libraries embedded in military AI pipelines. Compromising a widely-used pre-trained model or dataset can propagate poisoned weights into every downstream system that fine-tunes from that base.[1]
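A basic (and admittedly partial) mitigation is to pin cryptographic digests of every upstream artifact before it enters the pipeline. This sketch uses only the Python standard library; the file names are hypothetical:

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while blk := f.read(chunk):
            h.update(blk)
    return h.hexdigest()

def verify_artifact(path, pinned_digest):
    """Refuse to load weights whose digest doesn't match the recorded pin."""
    if sha256_file(path) != pinned_digest:
        raise ValueError(f"digest mismatch for {path}")
    return True

# Demo: pin a digest at vetting time, then simulate an upstream swap.
with tempfile.TemporaryDirectory() as d:
    weights = os.path.join(d, "base_model.bin")
    with open(weights, "wb") as f:
        f.write(b"original pretrained weights")
    pin = sha256_file(weights)           # recorded when the artifact was vetted
    ok = verify_artifact(weights, pin)   # passes: artifact unchanged

    with open(weights, "wb") as f:
        f.write(b"swapped pretrained weights")
    try:
        verify_artifact(weights, pin)
        tampered_detected = False
    except ValueError:
        tampered_detected = True         # swap caught before fine-tuning
```

Note the limit: hash pinning only catches an artifact swapped after vetting. If the poison was baked into the originally published weights, the pin faithfully verifies a compromised model — which is precisely the gap the next section describes.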
The parallel to the Shadow Brokers leak is direct. That leak demonstrated that offensive cyber tools, once built, eventually proliferate beyond their creators' control. The Poisoned Well demonstrates the inverse: defensive AI tools, once deployed, can be corrupted at their foundations without anyone touching the deployed system. The attack travels through the supply chain, not the network.
The Pentagon's AI supply chain depends on commercial models and datasets. Claude runs inside Palantir's Maven Smart System. OpenAI models are being integrated into classified networks. The foundation models themselves are trained on internet-scale datasets that no human has fully audited. The question is not whether military AI training data has been compromised. It is whether anyone would know if it had been.
VentureBeat reported in December 2025 that nation-states are shifting from traditional network intrusions to adversarial ML attacks: "Disrupting entire networks with adversarial ML attacks is the stealth attack strategy nation-states are adopting."[2] The logic is straightforward: hacking a network leaves forensic traces. Poisoning a training dataset leaves no trace in the deployed system's code — only in its behavior, and only under specific conditions the attacker controls.
China has published extensively on adversarial ML in military contexts. PLA-affiliated researchers have authored papers on adversarial attacks against image recognition, radar signal processing, and autonomous navigation systems. This research is dual-use: understanding adversarial attacks is necessary for both offense (poisoning adversary AI) and defense (hardening your own).[5]
Russia's electronic warfare doctrine — the same doctrine that produced the Moscow Signal and the Havana Syndrome lineage — naturally extends to adversarial ML. If the electromagnetic spectrum is a contested domain, and AI systems are the primary consumers of spectrum data (radar, signals intelligence, communications), then attacking the AI's perception of the spectrum is the logical evolution of electronic warfare.
The convergence is clear: adversarial ML is the cyber-electromagnetic equivalent of poisoning a well. You don't attack the water. You attack the source. And everyone who drinks from it is compromised.
The United States has committed to AI-driven warfare. Operation Epic Fury generated 1,000 targets in 24 hours using Maven's AI. Pulsar learns to jam signals autonomously. Autonomous drones navigate without human control. Every one of these systems depends on neural networks that are mathematically vulnerable to adversarial manipulation.[1]
Data poisoning is the most dangerous vector because it is invisible. A poisoned model passes every standard test. It performs correctly on every benchmark. It fails only when the attacker's trigger is present — on the battlefield, at the moment of maximum consequence. West Point has warned that this could cause U.S. military AI to misclassify friendly assets or misread battlefield conditions.[4]
FlyTrap proved the principle with a $20 umbrella. The question is what a nation-state can do with the same mathematical insight, applied to the training data of models running inside classified networks. The AI kill chain is only as trustworthy as the data it was trained on — and no currently deployed audit can guarantee that data hasn't been compromised.
The Poisoned Well is the quiet counterpart to the visible arms race in autonomous weapons. While the Pentagon builds AI that fights, adversaries are learning to corrupt the AI before it reaches the battlefield. The next war may not be won by whoever has the best AI — but by whoever best understands the other side's training data.