State-sponsored hackers targeting defence sector employees, Google says

by Chief Editor

The Fresh Front Line: How State-Sponsored Hackers Are Targeting People, Not Just Systems

The cybersecurity landscape is shifting. It’s no longer enough to fortify networks and install the latest firewalls. A new Google report, released ahead of the Munich Security Conference, reveals a disturbing trend: state-sponsored hackers are increasingly focusing on the human element – specifically, the employees of defense companies and their broader supply chains.

From Networks to Individuals: A Personalized Approach

For years, state-linked hackers have targeted the defense industry. However, the approach is becoming more “personalized” and “direct to individual” employees, according to Luke McNamara, an analyst for Google’s threat intelligence group. This means attackers are moving beyond broad network intrusions and focusing on exploiting individuals, often through their personal systems – a far harder environment for corporate security to monitor.

This shift is driven by the increased difficulty of penetrating well-defended corporate networks. Targeting individuals offers a potentially easier path, especially as employees increasingly work remotely and use personal devices for work-related tasks.

The Expanding Target: Beyond Prime Contractors

The scope of these attacks is also widening. While major defense contractors remain targets, hackers are now actively targeting smaller players in the supply chain – companies making components like car parts or even ball bearings. This demonstrates a sophisticated understanding of the interconnectedness of modern industrial production.

A recent example highlighted in the report involved hackers spoofing the websites of hundreds of defense contractors across multiple countries – the UK, US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea – in an attempt to steal information.

Weaponizing the Hiring Process

Perhaps the most alarming trend is the exploitation of the hiring process. Hackers are impersonating corporate recruiters, creating fake job portals, and sending out fraudulent job offers to gain access to credentials and information. North Korean hackers have even successfully secured remote IT positions at more than 100 US companies, allegedly to fund the North Korean government and steal cryptocurrency.

Iranian state-sponsored groups are employing similar tactics, creating spoof job portals to target defense firms and drone companies. APT5, a group linked to China, is tailoring emails and messaging to employees based on their location, personal life, and professional roles, using seemingly innocuous lures like invitations to events or communications from organizations like the Boy Scouts of America.

Ukraine: A Testing Ground for New Tactics

Ukraine has become a focal point for these attacks. Cyber incidents have increased by 37% from 2024 to 2025, with many attacks being highly individualized, involving weeks of monitoring potential targets. Hackers are specifically targeting frontline drone units, impersonating drone builders or training courses.

Russia has also developed specific hacks to compromise Signal and Telegram accounts of Ukrainian military personnel, journalists, and public officials, techniques Google warns could be adopted by other attackers.

The Blurring Lines Between Cybercrime and Nation-State Actors

Google’s Threat Intelligence Group (GTIG) emphasizes a critical shift: the increasing overlap between financially motivated cybercriminals and state-sponsored hackers. Nations are co-opting criminals for state activities and purchasing criminal capabilities, blurring the lines of attribution and complicating defense strategies. Iran and North Korea, for example, are using state-backed operatives to conduct financially motivated crimes to fund their regimes.

What Does This Indicate for the Future?

The trend towards personalized attacks and supply chain exploitation is likely to continue. As Western technologies and investments integrate into countries like Ukraine, the pool of potential victims expands beyond national borders.

Pro Tip:

Be extremely cautious of unsolicited job offers or communications requesting personal information, even if they appear legitimate. Verify the sender’s identity through official channels before responding.

Did you know?

The Russian-linked Sandworm (APT44) group has been observed using malware from cybercrime communities to conduct espionage and disruptive operations.

FAQ

Q: Who is being targeted?
A: Employees of defense companies, their suppliers, and even those applying for jobs within the industry.

Q: What tactics are hackers using?
A: Phishing, spoofing websites, impersonating recruiters, and exploiting vulnerabilities in the hiring process.

Q: Is this a global threat?
A: Yes, attacks have been observed targeting organizations in the US, Europe, and Asia.

Q: What can individuals do to protect themselves?
A: Be vigilant about phishing attempts, verify the authenticity of job offers, and practice good cybersecurity hygiene on personal devices.
