ACCORDING to Team Cymru, the US defence industrial base has become a prime target for nation-state hacking groups, yet small defence contractors critically lack network telemetry to detect these threats.
In an article published on 29 April, Stephen Campbell, senior threat intelligence advisor at Team Cymru, highlighted that state-backed groups have started investing more in reconnaissance and pre-positioning operations than in the past, with China’s Volt and Salt Typhoon, Russia’s Fancy Bear (aka GRU Unit 26165) and Iran’s UNC1549 named among those involved.
The analyst said these groups rely heavily on edge infrastructure—internet routers, firewalls and VPN gateways—which can be difficult to monitor effectively, and noted that in 2025 over 14 zero-day vulnerabilities were observed in these devices. Volt Typhoon is described as maintaining access to US critical infrastructure for more than five years before disclosure, a tactic Campbell calls intelligence preparation of the battlefield carried out in cyberspace.
Campbell argues this edge-device focus helps certain campaigns succeed, while small and mid-size contractors, making up around 80% of the DIB, often lack endpoint detection capabilities and stringent patching policies for edge devices. To address the gap, he recommends prioritising network telemetry, patching and segmentation, and mapping infrastructure to detect pre-positioning and anomalous DNS, arguing these steps are essential to counter nation-state threats.
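As an added illustration of the "anomalous DNS" part of that recommendation (example code written for this page, not code from the Team Cymru article or its author), the script below scans DNS query logs for two patterns a defender would want surfaced: one source host fanning out across many distinct subdomains of a single parent domain, and long, high-entropy query labels that look machine-generated. The log format, the thresholds and the sample log lines are all assumptions made for the example.

```python
"""Added example (not from the Team Cymru article or its author).

A small anomalous-DNS detector of the kind the recommendation above
points at. It reads DNS query logs and flags two patterns:

  1. subdomain fan-out: one source host querying many distinct
     subdomains under a single parent domain (seen with DNS tunnelling
     and DNS-based beaconing);
  2. high-entropy labels: long query labels that look machine-generated.

The log format, thresholds and sample log lines are assumptions made
for this example.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<timestamp> <source_ip> <query_name> <qtype>".
# 10.10.5.21 and 10.10.5.40 issue ordinary lookups; 10.10.5.33 issues six
# queries with random-looking labels under one parent domain.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 10.10.5.21 www.example.com A
2025-05-01T10:00:02Z 10.10.5.21 updates.example.com A
2025-05-01T10:00:03Z 10.10.5.21 softwareupdateservice.example.com A
2025-05-01T10:00:04Z 10.10.5.21 api.example.com A
2025-05-01T10:00:05Z 10.10.5.21 cdn.example.com AAAA
2025-05-01T10:00:06Z 10.10.5.40 mail.example.net MX
2025-05-01T10:00:07Z 10.10.5.33 k3x9q1z7m4p2v8b6n0c5r1w3.tunnel.example.org TXT
2025-05-01T10:00:08Z 10.10.5.33 f7h2j9l4t1y6u3i8o5e0a2s4.tunnel.example.org TXT
2025-05-01T10:00:09Z 10.10.5.33 d8g3w5r0z2x7c9v1b4n6m1q8.tunnel.example.org TXT
2025-05-01T10:00:10Z 10.10.5.33 p1k6s2t8u3v9w4x0y5z7a2b3.tunnel.example.org TXT
2025-05-01T10:00:11Z 10.10.5.33 h4j0m9n3q5r7e1i2o6u8c3f9.tunnel.example.org TXT
2025-05-01T10:00:12Z 10.10.5.33 l2w7b0d5g8k1y3z6s4t9x2v7.tunnel.example.org TXT
"""


def parse_line(line):
    """Split one assumed-format log line into its four fields."""
    ts, src, qname, qtype = line.split()
    return {"ts": ts, "src": src, "qname": qname.lower().rstrip("."), "qtype": qtype}


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname, levels=2):
    """Last `levels` labels, e.g. 'example.org'. Simplification: real
    deployments should use the public suffix list (co.uk and similar)."""
    return ".".join(qname.split(".")[-levels:])


def subdomain_labels(qname, levels=2):
    """Labels below the parent domain, left to right."""
    return qname.split(".")[:-levels]


def analyse(log_text, min_label_len=16, entropy_threshold=4.0,
            max_unique_subdomains=5):
    """Return a list of findings (dicts with a 'kind' key) for the log text.

    entropy_threshold of 4.0 bits/char keeps dictionary-like labels such as
    'softwareupdateservice' (about 3.6) below the line while 24-character
    random labels score around 4.4.
    """
    findings = []
    seen = defaultdict(set)  # (src, parent domain) -> distinct subdomains

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        labels = subdomain_labels(rec["qname"])
        parent = parent_domain(rec["qname"])
        if labels:
            seen[(rec["src"], parent)].add(".".join(labels))
        for label in labels:
            ent = shannon_entropy(label)
            if len(label) >= min_label_len and ent >= entropy_threshold:
                findings.append({"kind": "high_entropy_label", "src": rec["src"],
                                 "qname": rec["qname"], "entropy": round(ent, 2)})

    for (src, parent), subs in seen.items():
        if len(subs) > max_unique_subdomains:
            findings.append({"kind": "subdomain_fanout", "src": src,
                             "parent": parent, "count": len(subs)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports six high-entropy labels and one fan-out finding, all attributed to 10.10.5.33; the ordinary lookups from the other two hosts stay quiet. The thresholds are starting points to tune against a site's own baseline, which is exactly the kind of baseline the network telemetry Campbell recommends makes possible.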