Google warns defence workers increasingly targeted by state-backed hackers

Google has found that state-sponsored hackers are increasingly targeting defence sector employees and hiring processes with highly personalised cyber-espionage campaigns, warning that attacks on individuals now pose a growing risk to Western industrial and military supply chains.

According to a report released by Google’s Threat Intelligence Group ahead of the Munich Security Conference, cyber operations linked to Russia, China, North Korea and Iran have expanded beyond defence contractors to include employees’ personal devices, job applicants and smaller manufacturers supplying dual-use components. Google said this shift made attacks harder to detect because activity often occurs outside corporate networks.

Luke McNamara, an analyst at Google’s Threat Intelligence Group, told the Financial Times that recent campaigns showed a move towards “direct to individual” targeting, with attackers exploiting personal email accounts and messaging apps. “It’s harder to detect these threats when it’s happening on an employee’s personal system,” he said, adding that personnel had become “one of the major themes” in current espionage activity.

The Financial Times reported that Russian-linked groups have broadened their operations during the war in Ukraine by spoofing the websites of hundreds of defence contractors across Europe, the US and Asia, and by attempting to compromise Signal and Telegram accounts used by Ukrainian military personnel. Google said some attacks impersonated drone manufacturers or training programmes to steal credentials from frontline units.

Ukrainian officials have warned that such campaigns are becoming increasingly individualised. Dr Ilona Khmeleva, secretary of Ukraine’s Economic Security Council, said many attacks involved weeks of monitoring specific targets. “As western technologies and investments are integrated into Ukraine, the pool of potential victims expands beyond Ukrainian citizens,” she said, describing the threat as a transnational security issue.

North Korean actors have focused on recruitment as an entry point, according to Google’s findings. The US Department of Justice said last summer that North Korean operatives had obtained remote IT jobs at more than 100 US companies, in some cases stealing data or cryptocurrency to fund the regime, after posing as legitimate workers during hiring processes.

Google’s report said Iranian groups have used fake job portals and recruiter emails to harvest credentials from aerospace and drone companies, while a China-linked group known as APT5 has sent highly tailored phishing messages to defence employees’ personal email accounts. These lures have referenced local schools, charities and industry events to increase credibility.

Google warned that the trend reflected a wider shift towards targeting the “human layer” of defence supply chains, arguing that governments and companies would need to rethink security strategies that focus primarily on corporate networks.


