Aisha Down 

State-sponsored hackers targeting defence sector employees, Google says

Cyber-espionage campaigns are targeting employees directly, including through hiring processes, report claims
  
  

Google has also noticed more extortion attacks targeting smaller players not directly in the defence supply chain. Photograph: solarseven/Getty Images/iStockphoto

Defence companies, their hiring processes and their employees have become a key target of state-sponsored cyber-espionage campaigns, according to a report from Google released before the Munich Security Conference.

The report catalogues a “relentless barrage of cyber operations”, most by state-sponsored groups, against EU and US industrial supply chains. It suggests the range of targets for these hackers has grown to encompass the broader industrial base of the US and Europe – from German aerospace firms to UK carmakers.

State-linked hackers have long targeted the global defence industry, but Luke McNamara, an analyst for Google’s threat intelligence group, said they had seen more “personalised” and “direct to individual” targeting of employees.

“It’s harder to detect these threats when it’s happening on an employee’s personal system, right? It’s outside a corporate network,” he said. “The whole personnel piece has become one of the major themes.”

Google had also noticed more extortion attacks targeting smaller players not directly in the defence supply chain, he said, such as companies making cars or ball bearings.

A recent attack by a group linked to Russian intelligence indicates how broad the net has become. Hackers appeared to try to steal information by spoofing the websites of hundreds of leading defence contractors from the UK, the US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.

Russia has also developed specific hacks to compromise the Signal and Telegram accounts of Ukrainian military personnel, as well as journalists and public officials, using methods and vulnerabilities that Google says other attackers could adopt.

Hackers have also mounted extremely targeted attacks against Ukraine’s frontline drone units by impersonating Ukrainian drone builders or drone training courses.

Dr Ilona Khmeleva, the secretary of the Economic Security Council of Ukraine, said that many cyber-attacks against Ukrainian military personnel were individualised, with some potential targets monitored for weeks before an attack.

Ukrainian authorities have recorded a 37% increase in cyber incidents from 2024 to 2025, she said.

Beyond Europe, other groups are using similar tactics to target defence suppliers. More and more, these efforts focus on people who are trying to get jobs in defence, or vulnerabilities in the hiring processes of large companies.

North Korean hackers have impersonated corporate recruiters in campaigns against leading defence contractors, using AI to extensively profile employees, their roles and their potential salaries to “identify potential targets for initial compromise”.

Many of these campaigns have been extremely successful. Last summer, the US justice department found that North Koreans had managed to obtain jobs as “remote IT workers” for more than 100 US companies. US authorities alleged they were doing this to fund the North Korean government by collecting salaries and, in some cases, stealing cryptocurrency.

Iranian state-sponsored groups have created spoof job portals and sent out fake job offers to obtain the credentials of defence firms and drone companies.

A group called APT5, linked to China, has targeted employees of aerospace and defence companies with emails and messaging tailored to their geographical location, personal life and professional roles.

For example, parents of young children received fake communications from the Boy Scouts of America, or from a nearby secondary school; residents of certain US states received fake information about the 2024 election. Employees of important companies were also sent fake invitations to events including Red Cross training courses and a national security conference in Canada.

Khmeleva said: “As western technologies and investments are integrated into Ukraine – including through military aid and joint industrial projects – the pool of potential victims expands beyond Ukrainian citizens.

“Employees of foreign companies, contractors, engineers, and consultants involved in Ukraine-related projects may also become targets, making this a transnational security issue, not a purely national one.”

 
