
Small Defense Firms Struggle with Network Data to Combat Nation-State Hackers


The U.S. defense industrial base (DIB) has increasingly become a target for nation-state hacking groups, with small defense contractors notably lacking the necessary network telemetry to effectively detect these burgeoning threats, as emphasized by security expert Stephen Campbell, a senior threat intelligence advisor at Team Cymru.

In a detailed article released on April 29, Campbell shed light on a troubling trend: some of the world’s most infamous state-sponsored cyber espionage groups have substantially ramped up their reconnaissance and pre-positioning efforts. This observation raises alarm bells not just for the major defense corporations—commonly associated with the DIB—but also for the myriad smaller contractors that play crucial roles within this ecosystem.

Among the groups identified by Campbell are China’s Volt Typhoon and Salt Typhoon, Russia’s Fancy Bear (also known as GRU Unit 26165), and Iran’s UNC1549. Rather than operating recklessly, these state-backed actors are becoming increasingly strategic in their methods. Campbell noted that these hacking units depend heavily on vulnerabilities in edge infrastructure, meaning common devices such as internet routers, firewalls, and VPN gateways.

In a rather alarming statistic, Campbell pointed out that more than 14 zero-day vulnerabilities were reported in these devices in 2025 alone. Such vulnerabilities create ideal conditions for cyber intrusions. He pointed to Volt Typhoon, which managed to maintain covert access to U.S. critical infrastructure for over five years before any breach was publicly acknowledged. “This is not a mere attack; it reflects a methodical approach to intelligence preparation of the battlefield, conducted in cyberspace,” Campbell stated.

This focus on edge devices is a primary reason behind the success of numerous espionage campaigns, Campbell argued. Interestingly, while many may envision the U.S. defense industrial base as dominated by giants like Raytheon or Northrop Grumman, a staggering 80% of this landscape comprises small and mid-sized contractors. These entities are entrusted with highly sensitive information, including contracts, technical specifications, and personnel data linked to security clearances.

Despite their critical importance, many of these smaller defense firms are ill-equipped to defend their systems at levels comparable to those of the larger primes. Campbell highlighted the significant “mismatch” between the sensitive data these companies handle and their overall capability to protect it. For instance, many small DIB contractors lack essential endpoint detection capabilities and stringent patching policies for edge devices. As a result, such devices often fall outside routine security monitoring, exposing the firms to greater risk.

The vulnerabilities inherent in edge infrastructure are further emphasized by Campbell’s observation that these devices regularly engage in communications with previously unknown or transient external networks, often before those endpoints are recognized as malicious. This kind of unmonitored activity poses considerable risks to national security.

In a notable evolution of their tactics, nation-state groups like Volt Typhoon have begun to use “native system tools,” which allows them to avoid deploying traditional malware. Dubbed a “living-off-the-land” (LOTL) approach, this method enables actors to operate without triggering customary alerts, which makes consistent network-level monitoring essential. Campbell asserted that the only observable indicators of these intrusions frequently reside at the network level, reinforcing the need for vigilance in network monitoring.

Moreover, these adversarial groups are increasingly turning to legitimate online services—such as cloud platforms, code repositories, and commercial virtual private server (VPS) providers—thereby normalizing their traffic patterns to mimic regular enterprise usage. This shift significantly complicates detection efforts, blending malicious activity with everyday operations and making it even more challenging for small contractors to identify unauthorized access.

To address these vulnerabilities and to effectively fill what Campbell describes as a “structural gap,” he strongly advises small DIB contractors to enhance their focus on network telemetry. He recommends integrating NetFlow pattern recognition on edge devices and employing infrastructure mapping to identify potential threats posed by nation-state actors. Immediate actions should include hardening systems through prompt patching and network segmentation and actively engaging in threat hunting—particularly by monitoring for anomalous DNS communications and lateral movements across networks.
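As an added example (not code from the article, Team Cymru or Campbell), the baseline-then-hunt idea above applied to NetFlow-style records from an edge firewall and VPN gateway: learn which external hosts the edge devices normally reach, then flag later flows to never-seen destinations or to unsanctioned DNS resolvers. The CSV export format, the device addresses and the sanctioned-resolver list are all constructed assumptions.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed environment: an edge firewall and a VPN gateway on a documentation net.
EDGE_DEVICES = {"192.0.2.1", "192.0.2.2"}
INTERNAL_NETS = [ip_network("192.0.2.0/24")]
APPROVED_RESOLVERS = {"198.51.100.53"}  # assumed: the site's sanctioned DNS resolver

# Constructed flow records: a quiet baseline week, then a hunt window.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2025-04-01T00:00:00,192.0.2.1,203.0.113.10,443,tcp,5120
2025-04-01T00:05:00,192.0.2.2,203.0.113.10,443,tcp,2048
2025-04-01T00:06:00,192.0.2.1,198.51.100.53,53,udp,120
2025-04-08T02:13:00,192.0.2.1,203.0.113.77,443,tcp,9000
2025-04-08T02:14:00,192.0.2.2,203.0.113.9,53,udp,300
2025-04-08T02:15:00,192.0.2.1,203.0.113.10,443,tcp,700
"""

def parse_flows(text):
    """Parse the CSV export; 'ts' becomes a datetime so time windows compare correctly."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
    return rows

def is_external(ip):
    """True when the address lies outside every known internal prefix."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def hunt(flows, cutoff):
    """Baseline the external hosts edge devices reached before 'cutoff' (ISO date), then
    flag later edge flows that use an unsanctioned resolver or reach a never-seen host."""
    cutoff = datetime.fromisoformat(cutoff)
    edge_flows = [f for f in flows if f["src"] in EDGE_DEVICES]
    baseline = {f["dst"] for f in edge_flows
                if f["ts"] < cutoff and is_external(f["dst"])}
    findings = []
    for f in edge_flows:
        if f["ts"] < cutoff:
            continue  # baseline window, already learned
        if f["dport"] == "53" and f["dst"] not in APPROVED_RESOLVERS:
            findings.append((f["src"], f["dst"], "dns_to_unapproved_resolver"))
        elif is_external(f["dst"]) and f["dst"] not in baseline:
            findings.append((f["src"], f["dst"], "new_external_destination"))
    return findings

if __name__ == "__main__":
    for finding in hunt(parse_flows(SAMPLE_FLOWS), "2025-04-07"):
        print(*finding)
```

On real exports the baseline window should be long enough to cover normal update and vendor traffic, otherwise every routine destination surfaces as a first contact.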

By adopting these strategies, smaller defense contractors may bolster their defenses and better position themselves against the increasing sophistication of nation-state cyber threats, thereby safeguarding sensitive data and contributing to the overall security landscape of the U.S. defense industrial base.
