Google Warns of Escalating Cyber-Espionage Targeting Defence Industry Personnel
Google has issued a stark warning about the growing sophistication of state-sponsored cyber-espionage campaigns targeting defence sector employees. According to a comprehensive report released ahead of the Munich Security Conference, defence companies, their hiring processes, and individual staff members have become primary targets for these malicious operations.
Personalised Attacks on Individual Employees
The report documents what it describes as a "relentless barrage of cyber operations" against industrial supply chains in both the European Union and the United States. Luke McNamara, an analyst for Google's threat intelligence group, highlighted a significant shift towards more "personalised" and "direct to individual" targeting approaches.
"It's harder to detect these threats when it's happening on an employee's personal system, right? It's outside a corporate network," McNamara explained. "The whole personnel piece has become one of the major themes."
Expanding Target Range and Tactics
The scope of these cyber-attacks has broadened considerably beyond traditional defence contractors. The report indicates that hackers are now targeting:
- German aerospace firms
- UK car manufacturers
- Smaller companies producing components like ball bearings
- Companies not directly within defence supply chains
Google has observed an increase in extortion attacks against these smaller players, demonstrating how the threat landscape has expanded to encompass the broader industrial base of Western nations.
Global Campaigns and Specific Examples
The report provides detailed examples of how various state-sponsored groups are conducting these operations:
- Russian-linked groups have spoofed the websites of hundreds of leading defence contractors across multiple countries, including the UK, US, Germany, France, and South Korea
- North Korean hackers have impersonated corporate recruiters, using artificial intelligence to extensively profile employees, their roles, and potential salaries to identify targets
- Iranian state-sponsored groups have created fake job portals and sent fraudulent job offers to obtain credentials from defence firms and drone companies
- Chinese-linked group APT5 has targeted aerospace and defence employees with highly tailored communications based on their geographical location, personal life, and professional roles
Ukraine as a Case Study
The situation in Ukraine provides particularly concerning examples of these tactics. Dr Ilona Khmeleva, Secretary of the Economic Security Council of Ukraine, revealed that Ukrainian authorities have recorded a 37% increase in cyber incidents from 2024 to 2025.
"Many cyber-attacks against Ukrainian military personnel were individualised, with some potential targets monitored for weeks before an attack," Khmeleva stated.
Attacks focused on Ukraine have included:
- Development of specific hacks to compromise Signal and Telegram accounts of Ukrainian military personnel, journalists, and public officials
- Extremely targeted attacks against Ukraine's frontline drone units through impersonation of Ukrainian drone builders or training courses
Transnational Security Implications
Khmeleva emphasised the transnational nature of this security challenge: "As western technologies and investments are integrated into Ukraine – including through military aid and joint industrial projects – the pool of potential victims expands beyond Ukrainian citizens."
She added that "employees of foreign companies, contractors, engineers, and consultants involved in Ukraine-related projects may also become targets, making this a transnational security issue, not a purely national one."
Successful Infiltration and Broader Consequences
The effectiveness of these campaigns is particularly alarming. Last summer, the US Justice Department discovered that North Korean operatives had successfully obtained positions as "remote IT workers" for more than 100 American companies. US authorities allege these individuals were collecting salaries and, in some cases, stealing cryptocurrency to fund the North Korean government.
These sophisticated attacks represent a significant evolution in cyber-espionage tactics, moving from broad network intrusions to highly personalised social engineering campaigns that exploit human vulnerabilities within defence sector organisations.
