State-sponsored cyber operations are increasingly targeting defence companies by focusing on individual employees, including through recruitment and hiring processes, according to newly released findings ahead of the Munich Security Conference.
The activity forms part of wider cyber-espionage campaigns directed at industrial supply chains across Europe and the United States. Targets include defence contractors as well as companies operating in adjacent sectors, such as aerospace manufacturing and automotive production.
Employees targeted outside corporate networks
The campaigns include attempts to compromise personal devices and accounts belonging to employees, rather than corporate systems alone. This includes activity directed at people working in defence firms, suppliers, and organisations connected to military or security projects.
Google’s threat intelligence team said the targeting of individuals has become more direct, with attacks designed to operate beyond monitored corporate networks. This has included tailored messages, impersonation, and recruitment-related approaches.
Spoofed sites and impersonation tactics
One documented campaign linked to Russian intelligence involved the spoofing of websites associated with defence contractors across multiple countries, including the UK, the US, Germany, France, Sweden, Norway, Ukraine, Turkey and South Korea. The aim was to collect information from individuals connected to those organisations.
The findings also describe techniques used to compromise accounts on encrypted messaging platforms, including Signal and Telegram, used by Ukrainian military personnel, journalists and public officials.
In Ukraine, cyber operations have included attacks against frontline drone units, where attackers impersonated domestic drone manufacturers or training providers.
Rise in recorded cyber incidents in Ukraine
Dr Ilona Khmeleva, secretary of Ukraine’s Economic Security Council, said cyber operations against Ukrainian military personnel were often individualised, with some targets monitored for extended periods before an attack. Ukrainian authorities recorded a 37 per cent increase in cyber incidents between 2024 and 2025, she said.
Khmeleva said that as western technology and investment are integrated into Ukraine through military assistance and joint industrial projects, individuals outside Ukraine may also be exposed to similar targeting.
Recruitment-based cyber operations
The findings also outline activity by other state-linked groups targeting defence suppliers through hiring processes.
North Korean-linked hackers have impersonated recruiters and job candidates, using artificial intelligence tools to profile employees and applicants. In 2025, the United States Department of Justice said individuals linked to North Korea had obtained remote IT roles at more than 100 US companies, with authorities alleging the income was used to support the North Korean government.
Iranian state-linked groups have been associated with fake job portals and employment offers designed to obtain login credentials from defence and drone companies.
A China-linked group known as APT5 has targeted employees of aerospace and defence firms using messages tailored to personal circumstances, geographic location and professional roles. These included impersonation of schools, civic organisations, and humanitarian groups such as the International Red Cross.
What this means
The reported activity shows that cyber-espionage campaigns linked to state actors are not limited to corporate networks or defence contractors themselves. Individuals connected to defence, aerospace and related industries may be targeted through personal devices, recruitment processes and online communications, expanding the scope of cyber operations beyond traditional organisational boundaries.
When and where
The information was released by Google ahead of the Munich Security Conference and reported by The Guardian on 10 February 2026.
