State-sponsored hackers are increasingly setting their sights on employees in the defense sector, according to a recent report by Google released just ahead of the Munich Security Conference. The report describes a continuous and aggressive series of cyber operations, orchestrated primarily by state-sponsored entities, that target the industrial supply chains of both the EU and the US.
The scope of these cyber-attacks has expanded significantly, now including various sectors within the broader industrial landscape of Europe and the United States. Notably, this encompasses everything from German aerospace manufacturers to car production companies in the United Kingdom.
While it’s well-known that state-affiliated hackers have historically focused on the global defense industry, Luke McNamara, an analyst from Google's threat intelligence division, highlights a troubling trend: there is a marked increase in "personalized" attacks that directly target individual employees.
"Detecting these threats can be particularly challenging when they penetrate an employee's personal devices," said McNamara. "These breaches often occur outside of a secure corporate network, making the protection of personnel data a critical focus area."
Furthermore, Google has observed a rise in extortion attempts aimed at smaller enterprises that aren't directly linked to defense but play a supporting role, such as manufacturers of automotive parts or ball bearings.
A recent incident connected to Russian intelligence illustrates how expansive these threats have become. Hackers attempted to gather sensitive information by mimicking the websites of numerous major defense contractors across countries including the UK, US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.
Additionally, Russia has developed specific techniques for compromising the Signal and Telegram accounts of Ukrainian military personnel, journalists, and public officials. Google warns that the techniques employed in these attacks could easily be replicated by other malicious actors.
Highly targeted operations have been launched against frontline drone units in Ukraine, with attackers posing as legitimate Ukrainian drone manufacturers or training providers. Dr. Ilona Khmeleva, Secretary of the Economic Security Council of Ukraine, pointed out that many cyber-attacks on Ukrainian military personnel are tailor-made, with some individuals being surveilled for weeks prior to an attack. According to her, Ukrainian authorities noted a staggering 37% rise in cyber incidents from 2024 to 2025.
But the threat isn’t confined to Europe alone; similar tactics are being employed by hacker groups around the world to target defense suppliers. A significant emphasis is now placed on individuals seeking employment in the defense sector, as well as identifying vulnerabilities within the hiring processes of major companies.
For instance, North Korean hackers have impersonated corporate recruiters to execute sophisticated campaigns against prominent defense contractors. They leverage artificial intelligence to meticulously analyze employee profiles, roles, and potential salaries in order to identify suitable targets for initial infiltration.
These campaigns have proven to be alarmingly effective. Last summer, the US Department of Justice revealed that North Korean operatives had successfully secured positions as "remote IT workers" at over 100 American companies. Authorities allege that these hackers intended to fund the North Korean regime by pocketing salaries and, in some instances, pilfering cryptocurrency.
Iranian state-sponsored groups have been equally crafty, creating fake job websites and issuing fraudulent job offers to collect sensitive credentials from defense and drone firms.
Moreover, a group known as APT5, linked to China, has specifically targeted employees within aerospace and defense sectors with communications tailored to their unique geographical, personal, and professional contexts. For example, parents of young children received misleading messages purportedly from the Boy Scouts of America or local secondary schools, while residents of certain states were bombarded with false information regarding the upcoming 2024 elections. Additionally, employees from key companies received deceptive invites to events, including training courses hosted by the Red Cross and a national security conference in Canada.
Dr. Khmeleva emphasized the expanding pool of potential victims as Western technologies and investments increasingly integrate into Ukraine, whether through military assistance or collaborative industrial projects. "This means that not only Ukrainian citizens but also foreign company employees, contractors, engineers, and consultants involved in Ukraine-related projects may find themselves in the crosshairs. Thus, this issue transcends national borders and must be viewed as a transnational security challenge."