One cybersecurity firm’s metrics indicate that defense contractors and personnel and supply chains will be even more heavily targeted this year.

Cybercriminals and state-sponsored actor are extending far beyond the cyber space, into the networks, employees, and supply chains that sustain national defense.

The defense industrial base (DIB) — comprising defense contractors, aerospace firms, and manufacturers that provide dual‑use components — has been targeted for their intellectual property, defense secrets and military readiness.

According to the internal metrics of Google Threat Intelligence Group (GTIG), several key trends have been observed in its DIB customer base:

• Persistent Russian‑nexus targeting of defense technologies used in Ukraine that
  • Target both individuals and organizations
  • Use secure messaging apps, battlefield management systems, and drone related infrastructure
  • Deploy malware via phishing lures themed around drones and battlefield apps
  • Compromise military communications
  • Exploit mobile and desktop endpoints
  • Pro Russia hacktivists claim attacks on drones and map drone production facilities using leaked data
  • Aim to degrade Ukraine’s situational awareness and strike capabilities
• A growing focus on attack the “human layer” (personnel and hiring processes)
  • North Korean operations shift from classic intrusions to infiltration via remote “IT workers”
  • Sometimes steal sensitive data
  • Sometimes work under stolen identities
  • North Korean groups use:
    • Job themed lures
    • Fake recruiters
    • Tailored phishing against defense sector employees
  • Iranian linked actors:
    • Spoof recruitment portals and resume builder apps
    • Deliver malware to aerospace and defense personnel
  • China nexus group:
    • Sends highly personalized spear phishing emails
    • Targets both work and personal accounts
    • Uses lures tied to industry events, training, and local community activities
• China‑nexus cyber espionage campaigns that exploit edge devices (over the past two years)
  • Repeatedly exploit zero day vulnerabilities in edge devices (VPNs, routers, firewalls, security appliances)
  • Gain initial access while often evading endpoint detection tools
  • Deploy multiple malware families
  • Maintain long term access to high value organizations
    • Including managed service providers
    • Including central nodes in the global technology supply chain
• Ransomware and hacktivist attacks that threaten the broader manufacturing supply chain
  • Manufacturing firms make up the largest share of victims on data leak sites, according to the firm, and many supply components for defense production.
  • Ransomware incidents at firms that also produce military vehicles or critical systems can disrupt defense‑sector supply chains and reduce wartime production capacity
• Said GTIG’s Deputy Chief Analyst, Luke McNamara: “From the frontline targeting of drone developers in Ukraine to the stealthy espionage campaigns by China-nexus threat actors, the threat landscape is shifting rapidly. As global investment in defense continues to grow, the expanding range of adversary tactics makes building resilience across the entire ecosystem an urgent priority.”