SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
State actors target defence suppliers in long game

Tue, 5th May 2026
Joseph Gabriel Lagonsin, News Editor

Team Cymru has published research on how nation-state actors target the Defence Industrial Base through long-term reconnaissance and pre-positioning. The analysis was written by Senior Threat Intelligence Advisor Stephen Campbell.

It argues that cyber operations against defence suppliers often begin long before any disruptive attack becomes visible. Adversaries map networks, develop access routes and identify weak points across supply chains, an activity that is often missed by organisations focused mainly on endpoint detection.

Campbell describes the Defence Industrial Base as a prime target not only because contractors hold valuable intellectual property, but because supplier access can create strategic leverage in a crisis. The objective, he argues, is often to gain a foothold that can later be used to disrupt or degrade production, logistics or communications at a critical moment.

Much of that exposure lies with smaller firms. The analysis says about 80% of the Defence Industrial Base is made up of small and medium-sized contractors that hold sensitive technical and personnel data but often lack the resources of larger prime contractors.

Actor tactics

The report sets out differing approaches among several state-linked groups. Chinese actors, including Volt Typhoon and Salt Typhoon, are described as favouring persistence and concealment, often using existing administrative tools inside target environments rather than deploying malware that might trigger alerts.

Volt Typhoon is cited as an example of long-term access, having maintained a presence in US critical infrastructure for more than five years before public disclosure. Salt Typhoon is described as compromising the US Army National Guard network and retaining access for nine months while collecting network diagrams and administrator credentials.

Russian operators are presented as taking a more infrastructure-focused approach. The analysis points to GRU Unit 26165 exploiting vulnerable edge routers at scale and using them as relay nodes, with traffic redirected through attacker-controlled DNS infrastructure to enable interception and possible manipulation of communications.

Iranian activity relies more heavily on human targeting, according to Campbell. He says groups such as UNC1549 use fake job postings and malicious applications to reach staff inside aerospace and defence organisations, then draw on information from CVs and job boards to build tailored spear-phishing campaigns.

North Korean group Lazarus is described as combining cyber tactics with physical workforce infiltration. The analysis cites US indictments involving individuals linked to North Korea who allegedly placed IT workers inside more than 100 US companies, including Fortune 500 businesses, both to generate revenue and to gain direct corporate access.

Perimeter gaps

A central argument in the research is that the most exposed parts of many defence contractors' networks are also the least monitored. Routers, firewalls and VPN concentrators are highlighted as common entry points because they sit at the edge of enterprise networks, are not always patched consistently and often fall outside regular endpoint monitoring programmes.

The paper says more than 14 zero-day vulnerabilities were observed affecting edge infrastructure in 2025, and nearly half of all exploited zero-days that year affected this category of enterprise technology. These devices, it adds, often communicate with previously unseen or short-lived external infrastructure before those destinations are publicly identified as malicious.

That creates a blind spot for defenders, especially when attackers use living-off-the-land techniques. By relying on tools such as PowerShell and WMI that are already present in a target environment, intruders can blend into normal administrative activity and leave few of the traces that endpoint-based products are designed to catch.

Campbell argues that the more telling signals appear at the network level. Traffic flows, DNS activity, TLS fingerprints and timing patterns can reveal command-and-control infrastructure even when traffic is encrypted or routed through otherwise legitimate cloud and hosting services.

Network view

The analysis says passive DNS, NetFlow pattern recognition and infrastructure mapping can expose pre-positioning activity that would otherwise remain hidden. A single indicator can also help investigators identify broader parts of an adversary's infrastructure, including preferred hosting providers, recurring ASN use and domain registration patterns.
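One way to apply two of the network-level checks described above, flagging destinations an edge device has never contacted before and connections that recur at machine-regular intervals, written here as an added example that is not part of Team Cymru's research or this article. The flow records, the baseline set of previously seen destinations and the 0.1 coefficient-of-variation threshold are all constructed for illustration:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (src, dst, start_ts_seconds, bytes): an edge
# router (10.0.0.1) contacting a never-before-seen host at a steady ~300 s
# cadence, alongside ordinary irregular traffic to a known destination.
FLOWS = [
    ("10.0.0.1", "203.0.113.7", 0, 512),
    ("10.0.0.1", "203.0.113.7", 300, 498),
    ("10.0.0.1", "203.0.113.7", 601, 520),
    ("10.0.0.1", "203.0.113.7", 899, 505),
    ("10.0.0.1", "203.0.113.7", 1200, 511),
    ("10.0.0.1", "198.51.100.20", 40, 8000),
    ("10.0.0.1", "198.51.100.20", 700, 12000),
    ("10.0.0.1", "198.51.100.20", 1500, 3000),
    ("10.0.0.1", "198.51.100.20", 1750, 6500),
]
# Constructed baseline: destinations this device contacted in prior weeks.
BASELINE = {"198.51.100.20"}

def gaps_by_dst(flows):
    """Group flow start times per destination and return inter-arrival gaps."""
    times = defaultdict(list)
    for _src, dst, ts, _nbytes in flows:
        times[dst].append(ts)
    return {dst: [b - a for a, b in zip(t, t[1:])]
            for dst, t in ((d, sorted(v)) for d, v in times.items())}

def beaconing_score(gaps):
    """Coefficient of variation of the gaps; near zero means machine-like regularity."""
    if len(gaps) < 3:
        return None  # too few connections to judge cadence
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def flag_destinations(flows, baseline, max_cv=0.1):
    """Return {dst: [reasons]} for destinations that are newly seen or beacon-like."""
    findings = {}
    for dst, gaps in gaps_by_dst(flows).items():
        reasons = []
        if dst not in baseline:
            reasons.append("first-seen destination")
        cv = beaconing_score(gaps)
        if cv is not None and cv <= max_cv:
            reasons.append(f"regular cadence (mean {mean(gaps):.0f}s, cv {cv:.3f})")
        if reasons:
            findings[dst] = reasons
    return findings
```

In a real deployment the baseline would come from weeks of NetFlow or passive DNS history rather than a hard-coded set, and a single hit is a lead for the kind of cross-contractor correlation the research describes, not a verdict on its own.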

One example in the research concerns suspected North Korean remote worker infrastructure. Team Cymru says network telemetry linked geographically separate infrastructure in the US and the UK through shared ASN data and an unusual AnyDesk certificate signature that endpoint tools would not have connected on their own.

Campbell also argues that artificial intelligence is shifting the balance by reducing the time needed for reconnaissance, vulnerability discovery and exploitation. That, he says, allows a single operator to do work that previously required a larger team over a longer period, making attacker behaviour harder to track through static signatures alone.

Collective defence

Beyond technical detection, the research calls for a shift in how the Defence Industrial Base uses threat intelligence. Rather than acting only as consumers of government or industry advisories, contractors should contribute observations from their own networks so those signals can be aggregated into a broader picture across the supply chain.

An isolated indicator at one contractor, such as unusual DNS activity, may have limited value on its own but could become significant when shared across a wider defence ecosystem, the analysis says. It cites joint Five Eyes guidance emphasising shared indicators and coordinated visibility between public and private sector organisations.

"The battlefield is already prepared. The remaining question is whether defenders have the visibility to recognize it," said Campbell.