For years, security professionals have warned employees about suspicious LinkedIn messages, fake recruiters, and unsolicited consulting offers. But according the Defense Counterintelligence and Security Agency (DCSA), foreign adversaries have found an even more effective way to get inside U.S. organizations: applying for jobs.
The latest Targeting U.S. Technologies: A Report of Threats to Cleared Industry reveals a troubling shift in foreign intelligence collection efforts. Instead of relying primarily on cyber intrusions or technical exploitation, adversaries are increasingly targeting people and business processes. And the most common tactic reported by cleared industry wasn’t a sophisticated cyberattack, it was résumé submission. According to DCSA, résumé submissions accounted for 28% of all reported collection attempts, making it the single most frequently observed method used by foreign intelligence entities.
That statistic should be a wake-up call for recruiters, hiring managers, security teams, and anyone working inside the defense industrial base.
The Hiring Process Has Become a Collection Platform
Hiring is built on trust. Organizations want to move quickly to identify talent. Candidates are encouraged to showcase their experience, credentials, technical expertise, and professional networks. Recruiters are trained to engage with applicants, answer questions, and build relationships. Foreign intelligence services understand this.
The DCSA report highlights how adversaries are exploiting academic and professional hiring processes to gain access to sensitive information, establish relationships with cleared personnel, and identify opportunities for future collection efforts.
In some cases, a fake applicant may simply be gathering information about a company’s projects, technologies, facilities, or workforce. In others, the objective may be far more ambitious: obtaining employment, gaining insider access, or developing long-term relationships with employees who possess valuable knowledge.
For security-conscious organizations, every résumé should be viewed as more than a potential hire. It may also be a potential intelligence collection attempt.
Why Fake Applications Work
The effectiveness of résumé-based targeting comes down to one simple fact: applying for a job is normal.
Security awareness training teaches employees to be skeptical of suspicious emails, phishing attempts, and unexpected requests. But when a candidate submits an application through a legitimate hiring portal, they are following an expected business process. That normalcy lowers defenses.
A résumé often provides an adversary with a legitimate reason to communicate with recruiters, hiring managers, technical leaders, and even senior executives. Interviews can become opportunities to ask probing questions about programs, technologies, customers, or organizational structures. Even a rejected applicant may walk away with valuable information.
As DCSA notes, today’s adversaries are increasingly “hiding in plain sight,” leveraging routine business activities rather than relying solely on traditional espionage tradecraft.
The Cleared Workforce Is a High-Value Target
The report identifies aeronautic systems, software, advanced manufacturing capabilities, and other defense-related technologies as top collection priorities for foreign adversaries. Entities from East Asia and the Pacific accounted for the largest share of reported incidents. But the technology itself is only part of the story.
Adversaries increasingly recognize that people are often the fastest route to understanding sensitive programs. Cleared professionals possess institutional knowledge, technical expertise, and access that can be difficult to obtain through cyber means alone.
A fake job applicant can help adversaries identify who works on a program, what skills are in demand, which technologies are receiving investment, and where critical vulnerabilities may exist.
What Recruiters Should Watch For
Not every unusual application represents a threat. But organizations should be alert to indicators that an applicant may be more interested in gathering information than obtaining employment.
Potential red flags include:
- Résumés that appear tailored to gain access to sensitive programs rather than match legitimate qualifications.
- Applicants who ask detailed questions about technologies, customers, classified programs, or facility operations early in the hiring process.
- Candidates whose employment history cannot be independently verified.
- Applications linked to foreign institutions, organizations, or entities known to have connections to foreign governments.
- Repeated applications targeting multiple sensitive positions within the same organization.
- Attempts to move communications off official hiring channels.
Security teams should also remember that modern intelligence operations are often patient. The goal may not be immediate access but relationship-building over months or even years.
What Cleared Candidates Should Pay Attention To
While cleared companies and technologies are the target, candidates are often the bait. Social media is increasingly being used to solicit resumes of cleared professionals, and ‘national security’ and ‘security cleared’ resume farms are being used to collect data in mass—which can then be used to target companies.
Candidates should follow similar advice as cleared recruiters and be wary of job opportunities that are good to be true, unverified careers sites, and employers who appear more interested in your classified work than your work experience.
HR Is Now Part of the Security Team
One of the most important takeaways from the DCSA report is that counterintelligence is no longer confined to security offices and SCIFs. Human resources professionals, recruiters, talent acquisition teams, and hiring managers are increasingly on the front lines of national security.
Organizations that treat hiring solely as a business function may miss critical warning signs. Recruiters should be trained to recognize suspicious behaviors, understand reporting requirements, and coordinate with security personnel when concerns arise.
The report also reinforces the importance of Suspicious Contact Reports and robust insider threat programs. Security teams cannot investigate what they never hear about.
Trust, But Verify
The defense industrial base depends on attracting talented people. Companies cannot stop hiring, nor should they. But the latest DCSA findings underscore an uncomfortable reality: adversaries have adapted to our defenses. Rather than attacking hardened networks, they are exploiting the human processes organizations rely on every day.
The next foreign intelligence collection effort may not arrive through malware, phishing, or a cyber intrusion. It may arrive as a PDF attached to a job application.
