April 29, 2026
Targeting the Defense Industrial Base: What Network Telemetry Reveals About Nation-State Pre-Positioning
Intelligence drives operations. It provides commanders with options across time and space and enables them to shape the battlefield on their terms. This concept is not new. What has changed is the domain. Nation states are applying the same intelligence playbook in cyberspace, with the Defense Industrial Base as a primary target. What is being observed is not limited to intrusion activity; it is reconnaissance and pre-positioning. Analysis of large-scale network telemetry reinforces this, showing sustained patterns of infrastructure mapping and access development long before disruptive activity occurs. In MITRE ATT&CK terms, this maps directly to the Reconnaissance and Resource Development tactics. Adversaries are identifying targets, mapping infrastructure, and preparing access long before anything disruptive happens. Volt Typhoon is a clear example: the group maintained access to US critical infrastructure for over five years before it was publicly disclosed. This is not an attack. It is intelligence preparation of the battlefield, carried out in cyberspace.
Why the DIB is the Target
The Defense Industrial Base is one of the most targeted sectors out there, and it is not just about stealing data. Yes, intellectual property matters. Weapons systems, propulsion, and communications technology are all high value targets. Stealing that information shortens the development and learning curve. It lets adversaries bypass years of research and development and move faster than they should be able to. But the real objective is access. If you can disrupt or degrade a supply chain at the right moment, that creates strategic impact. In a crisis, that is far more valuable than large volumes of stolen data.
When most people think about the Defense Industrial Base, they picture large primes like Raytheon or Northrop Grumman. The reality is very different. Around 80 percent of the DIB is made up of small and mid-size contractors. These companies hold sensitive data: contracts, technical specifications, and personnel information tied to clearances. But many of them are not resourced to defend at the same level as the primes. There is a mismatch between what they hold and what they can protect. That gap is what adversaries exploit. In military terms, you avoid the strongest point and look for the gap. The seam. The place where defenses are thin, and access still gets you where you need to go. In cyber, that seam is often a smaller contractor with real access and limited defenses.
Four Actors, Four Approaches
Understanding who is targeting the DIB and how they operate is key to building any effective defense.
China operates with patience and persistence. Groups like Volt Typhoon and Salt Typhoon are not built for speed. They are built to remain hidden. Volt Typhoon relies heavily on living-off-the-land techniques. That means using tools that already exist inside the environment, like PowerShell and WMI, instead of deploying custom malware. Nothing new gets dropped, nothing obvious gets flagged. Their activity blends into normal system operations, which makes detection extremely difficult. Salt Typhoon showed how far this approach can go. In 2024, they compromised the US Army National Guard network and maintained access for nine months. During that time, they collected network diagrams and administrator credentials. This is not random collection. It is deliberate. They are mapping the environment, understanding how it is built, and identifying where they can move next or come back later. It is about positioning, not immediate impact.
Russia takes a more aggressive, infrastructure-focused approach. GRU Unit 26165 has been exploiting vulnerable edge routers at scale. Instead of just gaining access to one network, they turn these devices into relay nodes. Traffic is redirected through attacker-controlled DNS infrastructure, enabling interception and potential manipulation of communications. The objective is not just to collect data. It is to gain visibility and control over how data moves.
Iran leans heavily into human targeting. Groups like UNC1549 go after individuals inside aerospace and defense organizations. They use fake job postings and malicious applications to lure targets in. Then they harvest personal information from resumes and job boards to build highly tailored spear phishing campaigns. This is targeted, patient, and designed to feel legitimate to the person on the receiving end.
North Korea blends cyber operations with real world access. Lazarus is still running fake job campaigns, but they have gone further by placing actual personnel inside companies. In 2025, the DOJ indicted individuals tied to North Korea for placing IT workers inside over 100 US firms, including Fortune 500 companies. This serves two purposes. It generates revenue to bypass sanctions, and it provides direct access into corporate environments. At that point, it is not just a cyber problem. It is a hybrid operation.

The Infrastructure Blind Spot
What makes the Defense Industrial Base particularly difficult to defend is not just the scale of the problem, but where adversaries choose to operate. The entry points most frequently targeted by nation state actors are the same areas that traditional security controls have the least visibility into.
In 2025, more than 14 zero-day vulnerabilities were observed targeting edge infrastructure, including routers, firewalls, and VPN concentrators. These systems sit at the perimeter of enterprise networks, including those operated by small and mid-size DIB contractors. Despite their critical role, they are less likely to host endpoint detection capabilities, are often patched less consistently, and can fall outside the scope of regular security monitoring. Nearly half of all exploited zero-day vulnerabilities that year impacted this class of enterprise technology. Telemetry from edge infrastructure further shows these devices frequently communicating with previously unseen or short-lived external infrastructure, often before those endpoints are publicly identified as malicious. The operational approach of groups such as Volt Typhoon reinforces this challenge. By relying on native system tools rather than deploying custom malware, these actors are able to operate without generating traditional endpoint alerts. Their activity does not manifest in ways that most endpoint-centric defenses are designed to detect. Instead, the only observable indicators are present at the network level, in traffic flows, DNS activity, and subtle behavioral patterns that require dedicated telemetry and analysis to identify.
For many organizations within the DIB, this creates a structural gap. The resources required to achieve consistent, high fidelity network visibility are often out of reach, yet the data and access these networks provide remain highly valuable to adversaries. The rapid advancement of AI enabled capabilities is further accelerating this dynamic. Emerging tools are compressing the time required for reconnaissance, vulnerability discovery, and exploitation. Tasks that previously required coordinated teams over extended periods can now be executed by a single operator at significantly greater speed and scale.
This shift not only increases the pace of adversary operations, but also introduces greater variability in behavior, reducing the effectiveness of traditional detection approaches that rely on known signatures or static patterns. The result is an increasingly asymmetric environment, where adversaries are able to expand access and capability faster than defenders can adapt their visibility and response.
What the Network Data Tells Us
One of the most effective ways to detect the presence of threat actors is through network telemetry. Passive DNS analysis, NetFlow pattern recognition, and infrastructure mapping can surface pre positioning activity that endpoint based tools are unlikely to detect. Nation state actors have adapted how they build and operate command and control infrastructure. Rather than relying on clearly malicious servers, they increasingly leverage legitimate services such as cloud platforms, code repositories, and commercial VPS providers. At a glance, this activity appears benign. Domains resolve as expected, and traffic patterns can resemble normal enterprise usage.
However, the underlying behavior still leaves observable signals at the network level. Timing of connections, TLS fingerprints, and patterns of DNS resolution often diverge from legitimate use. Analysis of Team Cymru telemetry highlights consistent deviations in connection patterns associated with this infrastructure, even when it is hosted on otherwise legitimate services. These differences are subtle, but consistent enough to be identified through large-scale telemetry and analysis. JA4+ fingerprinting is one example of how this can be applied. It enables identification of characteristic TLS handshakes associated with command and control activity, even when that traffic is encrypted and hosted on otherwise trusted infrastructure. While the content of the communication is obscured, the structure and behavior of the connection remain visible.

This is where infrastructure intelligence becomes particularly valuable for DIB defense. A single known indicator can often be used to expand outward, revealing broader elements of an adversary's operational footprint. This includes preferred hosting providers, recurring ASN usage, and domain registration patterns that link infrastructure over time. By the time an adversary initiates an operation against a specific target, that supporting infrastructure is frequently already in place. For organizations with access to the right telemetry, those patterns can be identified well before activity escalates to a disruptive event. Team Cymru's work uncovering DPRK remote worker infrastructure is one concrete example of this approach.
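As an added illustration of the network-level signals described above (example code added here, not Team Cymru's tooling or the page's own): a small Python triage routine that groups constructed flow records by internal-to-external pair and scores each pair on three of the signals the text names: machine-regular connection timing, recently first-seen destination infrastructure, and a JA4 client fingerprint match. The flow records, the watchlist fingerprint value, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, not real telemetry:
# (epoch seconds, internal src, external dst, JA4 client fingerprint, days since dst first seen)
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.7", "t13d1516h2_aaaa_bbbb", 2),
    (1601, "10.0.0.5", "203.0.113.7", "t13d1516h2_aaaa_bbbb", 2),
    (2199, "10.0.0.5", "203.0.113.7", "t13d1516h2_aaaa_bbbb", 2),
    (2802, "10.0.0.5", "203.0.113.7", "t13d1516h2_aaaa_bbbb", 2),
    (1050, "10.0.0.8", "198.51.100.20", "t13d0312h2_cccc_dddd", 900),
    (1400, "10.0.0.8", "198.51.100.20", "t13d0312h2_cccc_dddd", 900),
    (3900, "10.0.0.8", "198.51.100.20", "t13d0312h2_cccc_dddd", 900),
    (4100, "10.0.0.8", "198.51.100.20", "t13d0312h2_cccc_dddd", 900),
]

# Hypothetical watchlist of JA4 fingerprints previously tied to C2 tooling (placeholder value).
WATCHLIST_JA4 = {"t13d1516h2_aaaa_bbbb"}


def beacon_cv(timestamps):
    """Coefficient of variation of inter-connection gaps; near 0 means machine-regular timing."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None  # too few flows to judge periodicity
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def score_flows(flows, watchlist=WATCHLIST_JA4, max_age_days=30, cv_threshold=0.1):
    """Return {(src, dst): [reasons]} for pairs showing corroborated pre-positioning signals."""
    by_pair = defaultdict(list)
    for ts, src, dst, ja4, age in flows:
        by_pair[(src, dst)].append((ts, ja4, age))
    findings = {}
    for pair, recs in by_pair.items():
        reasons = []
        cv = beacon_cv([r[0] for r in recs])
        if cv is not None and cv < cv_threshold:
            reasons.append(f"periodic timing (cv={cv:.3f})")
        if any(r[2] <= max_age_days for r in recs):
            reasons.append("destination infrastructure first seen recently")
        if any(r[1] in watchlist for r in recs):
            reasons.append("JA4 fingerprint on watchlist")
        if len(reasons) >= 2:  # require corroboration; one weak signal alone is not a finding
            findings[pair] = reasons
    return findings
```

Requiring two independent signals before raising a finding is what keeps this usable against the legitimate cloud and VPS hosting the text describes, where any single signal on its own is common.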
From Intelligence Consumer to Intelligence Producer
For much of the Defense Industrial Base, threat intelligence still flows in a single direction. Advisories are published, organizations review them, some actions are taken, and the adversary adapts. This model is no longer sufficient.
Effective intelligence environments do not operate this way. In military contexts, intelligence gains value when it moves in all directions. Observations at the edge are reported, aggregated, and used to inform a broader operational picture.
The same principle applies to DIB network defense. An individual contractor who identifies anomalous DNS activity or unusual network behavior may be observing an early indicator of a broader campaign. In isolation, that signal has limited value. Shared, it can provide visibility across an entire supply chain. This shift toward collective defense has already been recognized at the national level. Joint guidance from the Five Eyes in 2025 emphasized the importance of shared indicators and coordinated visibility across both government and private sector partners.
Organizations that are best positioned to manage sustained nation state targeting are not necessarily those with the largest security budgets. They are those who recognize they operate within a shared intelligence environment and actively contribute to it.
The Battlefield Is Already Prepared
The adversary is always operating. The question is not whether they are present in an environment, but whether there is sufficient visibility to identify that presence before it can be operationalized.
For the Defense Industrial Base, that visibility begins at the network layer. It requires moving beyond an endpoint-centric model and investing in infrastructure-level intelligence capable of exposing pre-positioning activity well in advance of disruptive events. That visibility must be derived from large-scale network telemetry and infrastructure intelligence. It also requires treating threat intelligence not simply as a feed to consume, but as a discipline to practice and a contribution to a broader ecosystem.
The battlefield is already prepared. The remaining question is whether defenders have the visibility to recognize it.
Sources
CISA Advisory AA24-038A — Volt Typhoon persistent access disclosure: cisa.gov/news-events/cybersecurity-advisories/aa24-038a
NSA / Nextgov — Small DIB firms as tempting targets (August 2025): nextgov.com
CISA AA23-144A — Living off the land techniques: cisa.gov/news-events/cybersecurity-advisories/aa23-144a
Dark Reading — Salt Typhoon US National Guard breach: darkreading.com
Euronews — GRU Unit 26165 router exploitation (April 2026): euronews.com
SecurityWeek — Iranian UNC1549 targeting US DIB: securityweek.com
The Hacker News — North Korean Lazarus targeting defense engineers (October 2025): thehackernews.com
Google — 2025 Zero-Day Review: cloud.google.com
CISA — Living Off the Land Joint Guidance: cisa.gov (PDF)
Team Cymru — Protecting Critical National Infrastructure: ORB Networks: team-cymru.com
Team Cymru — JA4+ Primer: team-cymru.com
Team Cymru — Uncovering DPRK Remote Workers: team-cymru.com
Team Cymru — External Threat Hunting: team-cymru.com
Team Cymru — Supply Chain CTI: team-cymru.com
Industrial Cyber — Five Eyes Critical 5 joint guidance (2025): industrialcyber.co