State-Backed Hackers Target Defence Sector Staff in Expanding Cyber-Espionage Campaigns: Google

The420.in Staff

State-sponsored hacking groups are increasingly bypassing corporate firewalls to target defence sector employees directly, exploiting hiring processes and personal devices as part of widening cyber-espionage operations across Europe and the United States, Google has warned in a new threat intelligence report released ahead of the Munich Security Conference.

The report documents what Google describes as a “relentless barrage” of cyber operations against industrial supply chains, with attackers broadening their focus beyond traditional defence contractors to include automotive firms, aerospace suppliers and small manufacturing companies.

Analysts said hackers are shifting towards highly personalised tactics, engaging individuals rather than organisations to gain access to sensitive systems.

“It’s harder to detect these threats when activity happens on personal devices outside corporate networks,” said Luke McNamara, an analyst with Google’s Threat Intelligence Group. He added that personnel-related targeting has emerged as a dominant trend in recent campaigns.

According to Google, state-linked groups have intensified efforts to compromise employees through fake job offers, spoofed recruitment portals and tailored phishing messages. In several cases, attackers posed as recruiters or training providers to extract credentials from defence workers and job seekers.

One campaign attributed to actors linked to Russian intelligence involved spoofing the websites of hundreds of defence contractors across the UK, US, Germany, France, Sweden, Norway, Ukraine, Turkey and South Korea in an apparent attempt to harvest confidential data.

Google also reported that Russia has developed techniques to compromise Signal and Telegram accounts used by Ukrainian military personnel, journalists and public officials. Separate operations targeted frontline Ukrainian drone units by impersonating drone manufacturers and training programmes.

Ukrainian authorities recorded a 37% rise in cyber incidents between 2024 and 2025, according to Ilona Khmeleva, secretary of Ukraine’s Economic Security Council. She said many attacks were highly individualised, with targets monitored for weeks before hackers launched operations.

Beyond Europe, similar tactics are being deployed globally. North Korean groups have impersonated corporate recruiters and used artificial intelligence tools to profile employees, assess roles and estimate salaries in order to identify potential entry points into defence firms.

Last year, US authorities revealed that North Korean operatives had secured remote IT jobs at more than 100 American companies, allegedly using salaries and stolen cryptocurrency to fund the regime in Pyongyang.

Iran-linked groups have set up fake job portals and circulated fraudulent employment offers to obtain login credentials from defence and drone technology companies. Meanwhile, a China-linked hacking group known as APT5 has targeted aerospace and defence employees using messages customised to recipients’ locations, personal circumstances and professional responsibilities.

Examples cited in the report include fake communications from schools and youth organisations sent to parents, fabricated election information aimed at US residents, and counterfeit invitations to Red Cross training sessions and international security conferences.

Khmeleva warned that as Western technology and investment become increasingly embedded in Ukraine through military aid and joint industrial projects, the pool of potential victims is expanding rapidly.

“Employees of foreign companies, contractors, engineers and consultants connected to Ukraine-related work are now at risk,” she said, calling the threat a transnational security challenge rather than a purely national one.

Google cautioned that the growing focus on individuals represents a strategic evolution in cyber warfare, allowing hostile states to penetrate critical industries through human vulnerabilities rather than technical flaws alone.

Security experts urged defence firms and suppliers to strengthen identity verification, tighten recruitment safeguards and expand cybersecurity training for staff, particularly those working remotely or on personal devices.

The report concludes that as geopolitical tensions rise, cyber-espionage campaigns are likely to become more targeted, more personal and harder to detect — placing employees at the frontline of a rapidly intensifying digital conflict.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
