Securing the Defense Industrial Base Against State-Sponsored Threats

Recent analysis indicates a strategic shift by state-sponsored actors toward pre-positioning within defense networks and targeting edge infrastructure. This report outlines the specific techniques used against the Defense Industrial Base and offers guidance on securing edge devices and personnel against persistent intrusion attempts.

Triage Security Media Team

The role of the digital domain in national security continues to expand, with information operations and unauthorized access campaigns frequently supporting broader military objectives. For the Defense Industrial Base (DIB), this reality necessitates a shift in security posture: moving from reactive incident response to continuous monitoring of perimeter and identity systems.

Recent analysis by Google's Threat Intelligence Group (GTIG) indicates that state-sponsored actors are refining their methods to maintain long-term access to sensitive networks. China-linked groups have demonstrated a consistent focus on defense firms and military contractors, often leveraging zero-day vulnerabilities in edge devices to bypass traditional defenses. Simultaneously, Russian actors associated with intelligence agencies have focused on communication security, targeting messaging applications used by military personnel and conducting reconnaissance on drone operators.

Luke McNamara, deputy chief analyst at GTIG, notes that these operations often aim to establish a persistent presence rather than cause immediate disruption. Organizations should recognize that geopolitical neutrality does not guarantee immunity from these reconnaissance efforts.

"Pre-positioning is now the baseline — organizations should assume continuous access-building attempts," McNamara explains. He emphasizes that perimeter security is intrinsically linked to identity and cloud security. "If an unauthorized party gains a foothold at the edge and can move quickly to privileged identity systems, the potential impact increases dramatically."

According to Recorded Future, gaining covert access through zero-day vulnerabilities in edge network devices has become a standard procedure for these groups. Levi Gundert, chief security and intelligence officer at Recorded Future, suggests the modern strategy prioritizes immediate utilization of vulnerabilities to secure strategic access points.

"Leading state actors are investing in the covert accumulation of access to identities, networks, and edge infrastructure," Gundert says. "This enables persistent intelligence collection during peacetime and preserves options for disruption during a crisis."

Securing Edge Infrastructure

Edge devices, including VPN appliances and security gateways from vendors such as Cisco, Citrix, Fortinet, Ivanti, Juniper, Palo Alto Networks, and SonicWall, represent a critical control point for network defenders. The US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog records significant activity in this area, noting 26 vulnerabilities across 14 edge vendors leveraged in 2025, and 35 in 2024.
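One way for a defender to reproduce this kind of tally for their own vendor list is to filter the KEV feed by vendor and year. The script below is an added example, not code from the article or from CISA; it assumes the feed's JSON layout (a "vulnerabilities" list with "cveID", "vendorProject", "product" and "dateAdded" fields) and runs on a small constructed sample with placeholder CVE ids.

```python
"""Count KEV catalog entries for edge-device vendors per year.

Input mirrors the layout of CISA's known_exploited_vulnerabilities.json:
a top-level "vulnerabilities" list whose items carry "cveID",
"vendorProject", "product" and "dateAdded" (YYYY-MM-DD). The records
below are constructed for this example; the CVE ids are placeholders.
"""
import json
from collections import defaultdict

# Edge vendors named in the article; matched case-insensitively as substrings
EDGE_VENDORS = ("cisco", "citrix", "fortinet", "ivanti", "juniper",
                "palo alto networks", "sonicwall")

# Constructed sample feed in the KEV JSON layout (placeholder CVE ids)
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Ivanti",
     "product": "Connect Secure", "dateAdded": "2025-01-08"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet",
     "product": "FortiOS", "dateAdded": "2025-02-11"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2024-04-12"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft",
     "product": "Windows", "dateAdded": "2025-03-11"},
    {"cveID": "CVE-0000-0005", "vendorProject": "Ivanti",
     "product": "Policy Secure", "dateAdded": "2024-09-13"},
]})


def is_edge_vendor(vendor: str) -> bool:
    """True when the vendorProject string names one of the edge vendors."""
    v = vendor.lower()
    return any(name in v for name in EDGE_VENDORS)


def edge_kev_by_year(feed_json: str) -> dict:
    """Return {year: {"count": n, "vendors": sorted vendor names}} for edge entries."""
    data = json.loads(feed_json)
    per_year = defaultdict(lambda: {"count": 0, "vendors": set()})
    for entry in data.get("vulnerabilities", []):
        if not is_edge_vendor(entry.get("vendorProject", "")):
            continue  # non-edge vendor: ignored in the tally
        year = entry["dateAdded"][:4]
        per_year[year]["count"] += 1
        per_year[year]["vendors"].add(entry["vendorProject"])
    return {y: {"count": d["count"], "vendors": sorted(d["vendors"])}
            for y, d in per_year.items()}


if __name__ == "__main__":
    for year, stats in sorted(edge_kev_by_year(SAMPLE_KEV).items()):
        print(year, stats["count"], "edge CVEs across",
              len(stats["vendors"]), "vendors:", ", ".join(stats["vendors"]))
```

To run it against live data, download the feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and pass its contents to edge_kev_by_year in place of SAMPLE_KEV.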

The focus on these devices is logical from a technical perspective. By compromising network gateways, threat actors can bypass rigorous endpoint monitoring. Gundert notes that this access allows actors to move laterally and compromise identity systems without triggering standard alarms.

"We consistently see edge compromise as a repeatable and reliable initial access vector," Gundert says. "These devices are often slower to patch and less closely monitored than endpoints, making them attractive targets for long-term access."

Google Threat Intelligence Group data shows that edge devices are statistically more likely to be targeted by zero-day vulnerabilities compared to other infrastructure. ESET threat researchers corroborate this risk, noting that the public exposure of these devices makes them a primary entry point.

"Numerous vulnerabilities have been discovered that allow for initial entry into a network," the ESET team stated. "Since these devices are publicly exposed to the Internet, they provide a direct surface for compromising the environment once a weakness is found."

Protecting Personnel from Social Engineering

While technical infrastructure remains a priority, the human element is equally critical. State-sponsored groups frequently target individuals to gain access to DIB networks. North Korean groups, such as APT43, have been observed mimicking German and US defense companies to harvest credentials. Another group, UNC2970, focuses on collecting intelligence on defense firms and cybersecurity organizations.

This pattern extends to other regions. Iran-linked actors, including UNC1549 and UNC6446, have utilized job portals and malicious résumé-builder applications to engage workers in the aerospace and defense sectors. Similarly, China-linked groups conducted campaigns in early 2025 targeting employees in these sectors with tailored emails containing personal details sourced from professional networks. Data related to drone manufacturing and operations remains a high-priority collection target.

Gundert assesses that these campaigns mirror national strategic priorities. "Geopolitical conditions directly shape cyber behavior," he says.

Data from ESET’s "APT Activity Report" confirms that defense-related organizations are frequent targets. In Europe, the government, technology, and defense sectors ranked as the top three most-targeted industries. Similar patterns appear in the Americas and Asia-Pacific regions, where these sectors consistently rank among the most affected.

Broadening the Defense Strategy

The techniques developed to target the DIB often migrate to other sectors. ESET’s threat research group advises enterprise defenders across all industries to secure their edge devices with the same rigor as national security organizations.

"They are just as exposed to this initial access vector as organizations in the Defense Industrial Base," the ESET team noted. "We consistently observe public-facing applications being leveraged for initial access across numerous intrusion campaigns."

While the DIB faces specific geopolitical risks, the technical methodology, using zero-days on perimeter devices, is sector-agnostic. McNamara points out that the return on investment for these operations is high, driving their adoption against a wider range of targets.

"Edge devices and appliances do not require social engineering of a target, and, if successful, can go undetected for long periods of time," McNamara says. "There clearly is a level of investment and interest in strategically leveraging this category of technologies that has now come to define much of what we see with modern intrusions."