State-Sponsored Hackers Target Defence Sector Employees, Google Warns

Google has issued a stark warning ahead of the Munich Security Conference, revealing that defence companies, their employees, and hiring processes have become prime targets for state-sponsored cyber-espionage campaigns. The report, compiled by Google's threat intelligence group, details a "relentless barrage of cyber operations" predominantly orchestrated by state-linked hacking groups against industrial supply chains in the EU and US.

Expanding Target Range and Personalised Attacks

The scope of these cyber-attacks has broadened significantly, now encompassing a wider industrial base across Europe and the United States. Targets range from German aerospace firms to UK car manufacturers, indicating a strategic shift beyond traditional defence contractors. Luke McNamara, an analyst at Google, highlighted a concerning trend towards more "personalised" and "direct to individual" targeting of employees.

"It's harder to detect these threats when it's happening on an employee's personal system, right? It's outside a corporate network," McNamara explained. "The whole personnel piece has become one of the major themes." This approach allows hackers to bypass corporate security measures by exploiting personal devices and accounts.

Google has also observed an increase in extortion attacks aimed at smaller players not directly involved in the defence supply chain. Examples include companies manufacturing automobiles or ball bearings, demonstrating how cyber threats are permeating broader industrial sectors.

Global Campaigns and Sophisticated Tactics

A recent attack linked to Russian intelligence operatives illustrates the extensive reach of these campaigns. Hackers attempted to steal sensitive information by spoofing the websites of hundreds of leading defence contractors from multiple countries, including the UK, US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.

In Ukraine, specific hacks have been developed to compromise the Signal and Telegram accounts of military personnel, journalists, and public officials. Google notes that the methods and vulnerabilities exploited in these attacks could be adopted by other malicious actors. Additionally, highly targeted attacks have been mounted against Ukraine's frontline drone units by impersonating legitimate drone builders or training courses.

Dr Ilona Khmeleva, Secretary of the Economic Security Council of Ukraine, reported that many cyber-attacks against Ukrainian military personnel are individualised, with potential targets monitored for weeks before an assault. Ukrainian authorities have recorded a 37% increase in cyber incidents from 2024 to 2025, underscoring the escalating threat.

Exploitation of Hiring Processes and AI Profiling

Beyond Europe, similar tactics are being employed to target defence suppliers globally. There is a growing focus on individuals seeking employment in the defence sector and vulnerabilities within corporate hiring processes. North Korean hackers, for instance, have impersonated corporate recruiters in campaigns against leading defence contractors.

These groups utilise artificial intelligence to extensively profile employees, analysing their roles, potential salaries, and personal details to "identify potential targets for initial compromise." Many of these campaigns have proven highly successful; last summer, the US Justice Department discovered that North Koreans had secured remote IT positions at over 100 US companies, allegedly to fund the North Korean government through salaries and cryptocurrency theft.

Iranian state-sponsored groups have created spoof job portals and distributed fake job offers to obtain credentials from defence firms and drone companies. Meanwhile, APT5, a group linked to China, has targeted aerospace and defence employees with tailored emails and messages based on their geographical location, personal life, and professional roles.

For example, parents of young children received deceptive communications purportedly from the Boy Scouts of America or local secondary schools. Residents of specific US states were sent fake information about the 2024 election, and employees of key companies received fraudulent invitations to events such as Red Cross training courses and a national security conference in Canada.

A Transnational Security Issue

Dr Khmeleva emphasised the transnational nature of this security challenge: "As western technologies and investments are integrated into Ukraine – including through military aid and joint industrial projects – the pool of potential victims expands beyond Ukrainian citizens."

She added that employees of foreign companies, contractors, engineers, and consultants involved in Ukraine-related projects are also at risk, transforming cyber-espionage into a global security concern rather than a purely national one. This report underscores the urgent need for enhanced cybersecurity measures and international cooperation to combat the evolving threat landscape.