Hackers linked to state governments are increasingly focusing on employees within the defense sector, as highlighted by a recent Google report that emerged ahead of the Munich Security Conference. This report outlines a continuous wave of cyber operations primarily orchestrated by state-sponsored groups targeting the industrial supply chains of both the European Union and the United States. Notably, the targeting has broadened to include a wide range of industries across the US and Europe, from aerospace companies in Germany to automotive manufacturers in the UK.
While state-affiliated hackers have historically zeroed in on the global defense industry, Luke McNamara, a threat intelligence analyst at Google, pointed out that there has been a shift towards more personalized attacks aimed directly at individuals. "Detecting such threats can be particularly challenging when they infiltrate personal systems outside of corporate networks," he explained. "The focus on personnel has become a significant trend."
Furthermore, Google reported a rise in extortion attempts targeting smaller firms not directly involved in the defense supply chain, such as manufacturers of vehicles and ball bearings. A notable incident involving a group associated with Russian intelligence underscores the widening net of these attacks. Hackers attempted to gather sensitive information by impersonating the websites of numerous major defense contractors located in countries like the UK, US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.
In addition, Russia has implemented specific hacking techniques designed to compromise Signal and Telegram accounts used by Ukrainian military personnel, journalists, and public officials—methods that, according to Google, could easily be adopted by other malicious actors. Highly targeted assaults have been launched against frontline drone units in Ukraine, where attackers masqueraded as either drone manufacturers or training programs.
Dr. Ilona Khmeleva, secretary of the Economic Security Council of Ukraine, remarked that many cyber assaults against military figures are highly individualized, with some targets being under surveillance for extended periods before the attack occurs. She noted that Ukrainian authorities have documented a staggering 37% increase in cyber incidents from 2024 to 2025.
Beyond Europe, similar tactics are being employed by other groups to target defense suppliers. There is a growing emphasis on individuals seeking employment in defense-related roles and vulnerabilities within the hiring processes of major corporations. For instance, North Korean hackers have posed as corporate recruiters, leveraging artificial intelligence to extensively profile potential employees, assessing their roles and salaries to pinpoint likely targets for initial breaches.
These campaigns have proven remarkably effective; last summer, the US Justice Department revealed that North Korean operatives had secured jobs as "remote IT workers" at over 100 US companies. Authorities suspect that these positions were used to financially support the North Korean regime through salary collection and, in certain instances, cryptocurrency theft.
Iranian state-sponsored entities have also resorted to creating fake job portals and sending out bogus job offers to acquire sensitive credentials from defense firms and drone manufacturers. Meanwhile, a group known as APT5, which is associated with China, has attacked employees in the aerospace and defense sectors with emails and messages specifically crafted to resonate with their geographic locations, personal lives, and professional responsibilities.
For example, parents of young children received fraudulent communications allegedly from the Boy Scouts of America or local schools, while residents of specific US states encountered misleading information about the 2024 elections. Furthermore, employees at significant companies were sent counterfeit invitations to events such as Red Cross training sessions and a national security conference in Canada.
Dr. Khmeleva emphasized, "As Western technologies and investments flow into Ukraine—through military assistance and collaborative industrial projects—the pool of potential victims expands beyond just Ukrainian citizens. Employees from foreign companies, contractors, engineers, and consultants engaged in Ukraine-related initiatives are also at risk, transforming this into a transnational security concern rather than a solely national issue."