The US defense industrial base (DIB) has become a prime target for nation-state hacking groups, yet small defense contractors critically lack network telemetry to detect these threats, a Team Cymru security analyst has argued.
In an article published on April 29, Stephen Campbell, senior threat intelligence advisor at Team Cymru, highlighted that some of the most notorious state-backed cyber espionage groups have recently started investing significantly more time in reconnaissance and pre-positioning operations than they did in the past.
The groups described by Campbell include China’s Volt Typhoon and Salt Typhoon, Russia’s Fancy Bear (aka GRU Unit 26165) and Iran’s UNC1549.
According to the analyst, these hacking units heavily rely on one type of entry point: edge infrastructure, which includes internet routers, firewalls and VPN gateways.
The analyst noted that in 2025, over 14 zero-day vulnerabilities were observed in these types of devices.
“Volt Typhoon is a clear example. They maintained access to US critical infrastructure for over five years before it was publicly disclosed. This is not an attack. It is intelligence preparation of the battlefield, carried out in cyberspace,” Campbell wrote.
This targeting of edge devices, he argued, is the main reason some of these cyber espionage campaigns are successful.
While the common image people may have of the US defense industrial base includes powerhouses like Raytheon or Northrop Grumman, Campbell noted that around 80% of the DIB is made up of small and mid-size contractors.
“These companies hold sensitive data. Contracts, technical specifications and personnel information tied to clearances,” he said.
Despite how critical these small defense firms may be for the US DIB, Campbell noted that many of them “are not resourced to defend at the same level as the primes,” resulting in “a mismatch” between what they hold and what they can protect.
Specifically, the analyst argued that small DIB contractors are less likely to have endpoint detection capabilities and to have strict edge device patching policies, meaning these assets “can fall outside the scope of regular security monitoring.”
“Telemetry from edge infrastructure further shows these devices frequently communicating with previously unseen or short-lived external infrastructure, often before those endpoints are publicly identified as malicious,” he wrote.
Additionally, Campbell said nation-state groups like Volt Typhoon increasingly rely on “native system tools” instead of deploying custom malware. This ‘living-off-the-land’ (LOTL) approach allows these actors to operate without generating traditional endpoint alerts, making it critical to monitor at the network level, where the “only observable indicators” usually lie.
Nation-state actors also increasingly leverage legitimate services such as cloud platforms, code repositories and commercial virtual private server (VPS) providers rather than relying on malicious servers. Their traffic patterns therefore resemble normal enterprise usage, which makes detection even more difficult.
To fill this “structural gap,” Campbell recommended that small DIB contractors prioritize network telemetry, deploying NetFlow pattern recognition on edge devices and infrastructure mapping to detect nation-state threats; harden infrastructure through immediate patching and segmentation; and hunt for pre-positioning by tracking anomalous DNS and lateral movement.
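The detection pattern Campbell describes, edge devices talking to previously unseen or short-lived external infrastructure, can be expressed as a simple baseline-then-alert rule over flow records. The script below is an added illustration, not code from Team Cymru or from Campbell's article: it parses constructed NetFlow-style CSV lines, learns which external destinations the edge devices contacted during a baseline window, and then raises an alert the first time an edge device originates a connection to an external address outside that baseline, rating the alert higher when the destination's whole observed lifetime is short. The edge-device inventory, the internal address ranges, the 24-hour "short-lived" threshold and every flow line are constructed assumptions.

```python
"""Baseline-then-alert detection over NetFlow-style records (added example).

All data here is constructed for illustration; nothing is from a real network.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed inventory: the contractor's router, firewall and VPN gateway.
EDGE_DEVICES = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
# Constructed internal ranges; any address outside them is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed threshold: a destination active for less than this counts as short-lived.
SHORT_LIVED = timedelta(hours=24)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV line: timestamp,src,dst,dst_port,bytes."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def is_external(addr: str) -> bool:
    a = ip_address(addr)
    return not any(a in net for net in INTERNAL_NETS)


def detect(flows: List[Flow], baseline_end: datetime) -> List[Dict]:
    """Alert on edge-device-originated flows to external destinations absent from the baseline."""
    # Baseline: external destinations the edge devices contacted before baseline_end.
    known = {f.dst for f in flows
             if f.ts < baseline_end and f.src in EDGE_DEVICES and is_external(f.dst)}
    # Observed lifetime (first to last sighting) of every external destination.
    first: Dict[str, datetime] = {}
    last: Dict[str, datetime] = {}
    for f in flows:
        if is_external(f.dst):
            first[f.dst] = min(first.get(f.dst, f.ts), f.ts)
            last[f.dst] = max(last.get(f.dst, f.ts), f.ts)
    alerts, reported = [], set()
    for f in sorted(flows, key=lambda x: x.ts):
        if f.ts < baseline_end or f.src not in EDGE_DEVICES or not is_external(f.dst):
            continue
        if f.dst in known or f.dst in reported:
            continue
        reported.add(f.dst)  # one alert per new destination
        lifetime = last[f.dst] - first[f.dst]
        alerts.append({
            "device": f.src, "dst": f.dst, "dport": f.dport, "first_seen": f.ts,
            "lifetime": lifetime,
            "severity": "high" if lifetime < SHORT_LIVED else "medium",
        })
    return alerts


# Constructed sample: a week of routine NTP/update traffic, then an edge device
# contacting a short-lived address three times in 40 minutes, a new but
# persistent destination, and one workstation flow (ignored: not an edge device).
SAMPLE_FLOWS = """\
2025-03-01T02:00:00,10.0.0.1,198.51.100.10,123,76
2025-03-02T02:00:00,10.0.0.1,198.51.100.10,123,76
2025-03-03T09:15:00,10.0.0.2,198.51.100.20,443,18240
2025-03-05T02:00:00,10.0.0.1,198.51.100.10,123,76
2025-03-06T09:15:00,10.0.0.2,198.51.100.20,443,18600
2025-03-09T02:00:00,10.0.0.1,198.51.100.10,123,76
2025-03-09T03:12:00,10.0.0.3,203.0.113.7,443,5120
2025-03-09T03:27:00,10.0.0.3,203.0.113.7,443,4096
2025-03-09T03:51:00,10.0.0.3,203.0.113.7,443,61440
2025-03-10T09:15:00,10.0.0.2,198.51.100.20,443,18300
2025-03-10T11:00:00,10.0.0.2,203.0.113.99,443,2048
2025-03-13T11:00:00,10.0.0.2,203.0.113.99,443,2048
2025-03-11T14:02:00,10.10.5.23,203.0.113.50,443,900
"""
BASELINE_END = datetime(2025, 3, 8)


def run_sample() -> List[Dict]:
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return detect(flows, BASELINE_END)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['severity']:6} {a['device']} -> {a['dst']}:{a['dport']} "
              f"first seen {a['first_seen']:%Y-%m-%d %H:%M}, active {a['lifetime']}")
```

On the sample data the routine NTP and update destinations stay silent, the 203.0.113.7 contact is reported as high (the address was active for only 39 minutes and was never part of the baseline), and 203.0.113.99 is reported as medium because it is new but persists across several days. In practice the baseline would be learned continuously rather than from a fixed cut-off, and the alert would be enriched with passive DNS and hosting data, which is the infrastructure-mapping step Campbell pairs with NetFlow pattern recognition.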
