Defence firms developing next-generation battlefield technologies are increasingly being targeted by state-backed hackers and cybercriminal groups, according to a new report warning that the defence industrial base is under sustained, multifaceted cyber pressure.
The report, produced by Google Threat Intelligence Group (GTIG) and shared with Resilience Media ahead of publication, found that firms developing new defence technologies are attracting growing attention from cyber spies.
The activity ranges from attempts to steal sensitive research to efforts to disrupt manufacturing and to learn how emerging weapons systems are designed and used.
The report highlights unmanned aircraft systems (UAS) as a particular focus, reflecting the central role drones have played in the Russia-Ukraine war and their growing importance in future conflict planning.
Russian state-linked actors are actively targeting organisations involved in drone production and related battlefield technologies, the report says, with operations extending beyond military users to include defence contractors and suppliers.
Threat groups have been observed impersonating legitimate defence companies and military systems to deliver malware or harvest credentials, indicating a shift toward supply-side targeting to undermine or monitor weapons development pipelines.
European defence suppliers are among those in the crosshairs.
The report identifies a suspected Russian espionage cluster, UNC5976, that has been running phishing operations since January 2025, using domains and infrastructure that impersonate defence contractors and telecom providers across the UK, Germany, France, Sweden, and Norway. The campaigns relied on fake domains and defence-themed lures to capture credentials and gain footholds within organisations connected to defence production and military communications.
Alongside direct targeting of companies, the report warns that employees themselves have become a major attack surface. Adversaries are increasingly exploiting recruitment processes, personal email accounts, and remote working arrangements to bypass corporate security controls.
The report also points to campaigns linked to several state actors, including North Korea, Iran, and China, which use fake job offers, compromised recruitment platforms, and insider-style tactics to gain access to defence networks and sensitive data. Much of this activity occurs outside company security monitoring, according to GTIG, making it harder to detect.
China-linked espionage activity represents the most persistent and highest-volume state threat identified in the report. Over the past two years, China-nexus groups have carried out more cyber intrusions targeting defence and aerospace organisations than any other nation-state actor tracked by the researchers. Their campaigns frequently exploit vulnerabilities in edge infrastructure, such as VPN appliances, routers, and network security devices, which often lack endpoint monitoring capabilities.
According to the report, Chinese espionage groups are assessed to have exploited more than two dozen previously unknown vulnerabilities in such systems since 2020 to establish stealthy, long-term access to high-value targets.
Luke McNamara, deputy chief analyst at GTIG, said the findings highlight how rapidly cyber threats are evolving alongside innovation in defence technology.
“The defense industry remains a primary target for sophisticated cyber operations. From the frontline targeting of drone developers in Ukraine to stealthy espionage campaigns by China-nexus threat actors, the threat landscape is shifting rapidly. As global investment in defense continues to grow, the expanding range of adversary tactics makes building resilience across the entire ecosystem an urgent priority.”
The report also highlights persistent cyber risk across the wider defence supply chain. While dedicated aerospace and defence organisations account for only a small proportion of ransomware victims listed on dark web leak sites, the broader manufacturing sector — which includes companies producing dual-use components for defence programmes — remains heavily targeted. Researchers warn that disruption to these suppliers could hinder nations’ ability to scale defence production during crises, even when attacks are limited to corporate IT environments rather than operational technology.
The report also points to growing hacktivist involvement. Pro-Russia groups have increasingly targeted Ukraine’s drone operations, claiming attacks intended to disrupt airspace monitoring and using stolen information to map manufacturing sites.
Google’s findings suggest the defence industrial base is facing constant pressure from espionage campaigns, cybercrime, and politically motivated attacks. The report notes that as militaries invest more heavily in autonomous and software-driven systems, securing the companies and supply chains behind those technologies is becoming just as important as protecting the weapons themselves.









