Expect “relentless barrage” of cyberattacks on defense industry, Google says


A new report from Google says that Western defense firms, their hiring processes, and their employees have become a key target of state-sponsored cyber-espionage campaigns. In fact, there’s now a “relentless barrage of cyber operations.”

According to Google, espionage campaigns are expanding across Europe’s defense industrial base. Drone developers and advanced weapons suppliers are becoming prime cyber targets.

“Today, the defense sector faces a relentless barrage of cyber operations conducted by state-sponsored actors and criminal groups alike,” says the report, adding that the threat actors are targeting a broad industrial base, from German aerospace firms to British carmakers.


Indeed, Google has noticed more extortion attacks targeting smaller players not directly in the defense supply chain, such as companies making cars or ball bearings.

However, the criminals are most aggressively probing defense firms developing next-generation battlefield technologies. They’re attempting to steal sensitive research, disrupt manufacturing, and, of course, learn how emerging weapons systems are designed and used, Google’s Threat Intelligence Group claims.


Russia, fighting its war in Ukraine, is the usual suspect. Moscow-linked actors are actively targeting organizations involved in drone production and related tech, the report says, with operations extending beyond military users to include defense contractors and suppliers.

“Consistent effort has been dedicated to targeting defense entities fielding technologies on the battlefield in the Russia-Ukraine War,” says the report.

“As next-generation capabilities are being operationalized in this environment, Russia-nexus threat actors and hacktivists are seeking to compromise defense contractors alongside military assets and systems, with a focus on organizations involved with unmanned aircraft systems.”

The Russian government has long viewed the conflict as an extension of a broader campaign against alleged Western encroachment into its sphere of influence, and has accordingly targeted both Ukrainian and Western military and defense-related entities.

[Image: Vladimir Putin, black suit, laptop, war in Ukraine, shooting. By Cybernews.]

Cyber operations are a part of this campaign against both Ukraine and its allies in the West.

For example, starting in January 2025, the suspected Russian espionage cluster UNC5976 launched a phishing campaign that delivered malicious RDP (Remote Desktop Protocol) connection files. These files were configured to communicate with actor-controlled domains spoofing a Ukrainian telecommunications entity.

Additional infrastructure likely used by UNC5976 included hundreds of domains spoofing defense contractors, including companies headquartered in the UK, the US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.

All this indicates a shift toward supply-side targeting to undermine or monitor weapons development pipelines.
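For defenders, the RDP-file lure described above can be triaged before a user opens the attachment. The following is an added example, not code from Google's report: it parses a `.rdp` file and flags destinations outside an allowlist. The allowlist, hostnames, and sample file are constructed, and the check on local-resource redirection settings is an assumption that goes beyond what the report excerpt states.

```python
# Added example: triage a .rdp attachment before it is opened.
# Assumption: the caller has already decoded the file to text
# (.rdp files are frequently UTF-16 with a BOM).

ALLOWED_SUFFIXES = ("corp.example",)  # constructed: the organisation's own RDP hosts

# Settings that name the remote endpoint the client will connect to.
HOST_KEYS = {"full address", "alternate full address", "gatewayhostname"}
# Settings that expose local resources to the remote host when enabled.
REDIRECT_KEYS = {"drivestoredirect", "redirectclipboard",
                 "redirectprinters", "redirectsmartcards"}

def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict with lowercased names."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = parts[2].strip()
    return settings

def host_allowed(value):
    """True if the host (optional :port stripped) is under an allowed suffix."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    host = host.lower().rstrip(".")
    # Match from the right so 'corp.example.attacker.test' does not pass.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def triage(text):
    """Return a sorted list of findings; an empty list means nothing flagged."""
    settings = parse_rdp(text)
    findings = []
    for key in HOST_KEYS:
        value = settings.get(key, "")
        if value and not host_allowed(value):
            findings.append(f"{key} points outside allowlist: {value}")
    for key in REDIRECT_KEYS:
        value = settings.get(key, "")
        if value not in ("", "0"):
            findings.append(f"{key} enabled: {value}")
    return sorted(findings)

# Constructed sample resembling a lure that spoofs a telecom portal.
SAMPLE = """full address:s:rdp.telecom-portal.example.net
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Many organisations go further and block `.rdp` attachments at the mail gateway, since legitimate connection files rarely arrive by email.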


According to the researchers, employees of defense companies are even targeted directly and individually on their personal devices, where the threat is harder to detect.

Adversaries – Russia but also Iran, China, and North Korea – are increasingly exploiting recruitment processes, personal email accounts, and remote working arrangements to bypass corporate security controls, Google says.

For example, parents of young children received fake communications from the Boy Scouts of America, or from a nearby secondary school, and people living in certain US states received fake information about the 2024 election.

Google’s conclusion is rather grim: “The broader trend is clear: the defense industrial base is under a state of constant, multi-vector siege.”

