The cyber domain has become increasingly important in national defense, with cyber espionage supporting military operations in regional conflicts and cyberattacks increasingly being used against defense firms and other members of the defense industrial base (DIB), experts say.
In a recent analysis of cyberattack trends related to military operations and defense support, Google found that China-linked attackers have continued to aggressively target defense firms and military contractors, rolling out zero-day exploits against edge devices to gain initial access. In addition, Russian threat actors tied to Russian intelligence agencies have targeted secure messaging applications used by the Ukrainian military and have conducted online campaigns to identify drone operators.
Overall, nation-states have fully embraced cyberattacks and cyber espionage as a continuous effort to establish beachheads among adversaries and potential rivals, and companies should not assume that they are safe because the nations with which they do business are not in conflict, says Luke McNamara, deputy chief analyst at Google’s Threat Intelligence Group (GTIG).
“Pre-positioning is now the baseline — organizations should assume continuous access-building attempts, not just headline-grabbing, destructive events,” he says, adding that attackers are focused on the network edge. “Perimeter security cannot be separated from identity and cloud security. If an attacker gains a foothold at the edge and can move quickly to privileged identity systems, the blast radius increases dramatically.”
With a handful of regional conflicts under way and cyber-offensive operations shifting toward the earlier compromise of networks through pre-positioning, gaining covert access through zero-day vulnerabilities in edge network devices has become standard operating procedure, threat intelligence firm Recorded Future stated in its own report.
Rather than stockpile vulnerabilities, the modern strategy is to use them to establish access in strategically important networks, says Levi Gundert, chief security and intelligence officer at Recorded Future.
“Leading state actors are investing in the covert accumulation of access to identities, networks, and edge infrastructure,” he says. “This enables persistent intelligence collection during peacetime and preserves options for disruption during a crisis.”
Living on the Edge (Device)
Edge devices include VPN appliances and security gateways from companies such as Cisco, Citrix, Fortinet, Ivanti, Juniper, Palo Alto Networks, and SonicWall. A list of 14 vendors typically associated with edge devices had 26 vulnerabilities exploited by attackers in 2025 and 35 in 2024, according to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
The focus on the edge is not surprising. By controlling network gateway and access points, attackers gain the ability to covertly compromise infrastructure and establish persistent access, moving laterally to expand their presence in identity systems, Gundert says.
“We consistently see edge exploitation as a repeatable and reliable initial access vector,” he says. “These devices are often slower to patch and less closely monitored than endpoints, making them attractive targets for long-term access.”
Edge devices (in blue) are more likely to be the target of zero-day vulnerabilities. Source: Google Threat Intelligence Group (GTIG)
Additionally, in the past four years more than 100 vulnerabilities have been found in edge devices and exploited by attackers, according to the KEV Catalog. The advantages of compromising edge devices make them a top target, according to threat researchers at cybersecurity firm ESET.
“Numerous vulnerabilities have been discovered that attackers can exploit as an initial entry point into a network,” the ESET threat researcher team stated in response to questions from Dark Reading. “Since these devices are publicly exposed to the Internet, they provide a direct surface for attackers to compromise the environment and gain immediate access once a weakness is found.”
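The vendor-by-year counts cited above (26 exploited edge-vendor vulnerabilities in 2025, 35 in 2024, more than 100 over four years) are the kind of figure a defender can reproduce from the CISA KEV feed to track patch exposure on their own perimeter. The script below is an added example, not from the article, CISA or Google: it filters KEV-shaped records by a vendor list and tallies them by the year they were added. The `EDGE_VENDORS` set is an assumed list built from the vendors the article names, and the `SAMPLE_KEV` records are constructed placeholders in the feed's field layout (`cveID`, `vendorProject`, `product`, `dateAdded`), not real catalog entries; pass the parsed JSON of the real feed to `count_edge_kev_by_year` to get live numbers.

```python
"""Tally CISA KEV entries for edge-device vendors by the year they were added.

Added example (not the article's or CISA's code). Feed the parsed KEV JSON
(the dict with a top-level "vulnerabilities" list) to the functions below.
"""
from collections import Counter
from datetime import date

# Assumed edge-device vendor list, taken from the vendors the article names.
# Extend it to match the appliances actually deployed on your perimeter.
EDGE_VENDORS = {
    "cisco", "citrix", "fortinet", "ivanti",
    "juniper", "palo alto networks", "sonicwall",
}

# Constructed sample records in the KEV feed's shape. The CVE IDs are
# placeholders, not real vulnerabilities.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-00001", "vendorProject": "Citrix",
         "product": "Gateway (placeholder)", "dateAdded": "2023-11-02"},
        {"cveID": "CVE-2024-00001", "vendorProject": "Ivanti",
         "product": "VPN appliance (placeholder)", "dateAdded": "2024-01-10"},
        {"cveID": "CVE-2024-00002", "vendorProject": "Fortinet",
         "product": "Firewall (placeholder)", "dateAdded": "2024-02-20"},
        {"cveID": "CVE-2024-00003", "vendorProject": "Microsoft",
         "product": "Office (placeholder)", "dateAdded": "2024-03-05"},
        {"cveID": "CVE-2025-00001", "vendorProject": "Cisco",
         "product": "Security gateway (placeholder)", "dateAdded": "2025-02-14"},
        {"cveID": "CVE-2025-00002", "vendorProject": "Palo Alto Networks",
         "product": "Firewall (placeholder)", "dateAdded": "2025-04-01"},
    ]
}


def normalize_vendor(name):
    """Lower-case and collapse whitespace so 'Palo  Alto Networks' matches."""
    return " ".join(name.lower().split())


def is_edge_vendor(entry, vendors=EDGE_VENDORS):
    """True when the record's vendorProject is on the watched vendor list."""
    return normalize_vendor(entry.get("vendorProject", "")) in vendors


def count_edge_kev_by_year(catalog, vendors=EDGE_VENDORS):
    """Return {year: count} of KEV entries for the watched vendors.

    The year is taken from dateAdded, i.e. when CISA confirmed exploitation,
    which is the same basis as the article's per-year figures.
    """
    counts = Counter()
    for entry in catalog.get("vulnerabilities", []):
        if not is_edge_vendor(entry, vendors):
            continue
        year = date.fromisoformat(entry["dateAdded"]).year
        counts[year] += 1
    return dict(sorted(counts.items()))


def edge_entries_added_since(catalog, since_iso, vendors=EDGE_VENDORS):
    """List cveIDs for watched vendors added on or after since_iso (YYYY-MM-DD).

    Useful as a patch-priority worklist: anything here that is still
    unpatched on a perimeter appliance is a known-exploited exposure.
    """
    since = date.fromisoformat(since_iso)
    hits = []
    for entry in catalog.get("vulnerabilities", []):
        if not is_edge_vendor(entry, vendors):
            continue
        if date.fromisoformat(entry["dateAdded"]) >= since:
            hits.append(entry["cveID"])
    return sorted(hits)


if __name__ == "__main__":
    # Run on the constructed sample; swap in json.load(open("known_exploited_vulnerabilities.json"))
    # for the real feed.
    print("edge-vendor KEV entries by year:", count_edge_kev_by_year(SAMPLE_KEV))
    print("edge-vendor entries added since 2025-01-01:",
          edge_entries_added_since(SAMPLE_KEV, "2025-01-01"))
```

Matching is done on `vendorProject` only because KEV's `product` strings vary widely; if you narrow the list to specific appliance families, filter on `product` as well so that a vendor's non-edge software does not inflate the count.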
Targeting Defense Workers
Edge devices are not the only targets of nation-state groups attempting to compromise DIB networks. North Korean IT fraud has also targeted military agencies and defense companies. The APT43 group mimicked German and US companies related to defense and attempted to steal credentials and install backdoors in DIB networks. Another group, UNC2970, has collected information on both defense firms and cybersecurity companies.
North Korea is not alone. Iran-linked threat actors, such as UNC1549 and UNC6446, have used job portals and malicious résumé-builder applications to target workers in the aerospace and defense sectors, according to Google’s analysis. And China-linked threat groups conducted at least two campaigns in early 2025 with attacks that targeted employees in the same sectors with tailored emails using personal details culled from job and technical sites. Of particular interest is data on drone manufacturers and operators.
The targeting mirrors national priorities, says GTIG’s Gundert.
“We assess that geopolitical conditions directly shape cyber behavior,” he says. “As tensions rise and norms weaken, incentives for restraint diminish, and cyber operations become tools of coercion, signaling, and preparation.”
Overall, defense-related organizations rate highly as attack targets, according to cybersecurity firm ESET’s “APT Activity Report.” Government, technology, and defense sectors ranked as the first-, third-, and fifth-most-targeted sectors in Europe, the first-, second-, and third-most-targeted in the Americas, and the first-, second-, and sixth-most-targeted in the Asia-Pacific region, respectively.
Beyond the DIB
Enterprise defenders should also take note of the techniques used against defense firms and national-security organizations and lock down their edge devices, said ESET’s threat research group.
“They are just as exposed to this initial access vector as organizations in the Defense Industrial Base,” they said. “We consistently observe public-facing applications being exploited for initial access across numerous intrusion campaigns.”
The targeting of edge devices is of particular concern to a wide swath of enterprises. While zero-day attacks on edge devices are a defining characteristic of attacks on the DIB, a variety of groups are using the same techniques against non-defense sectors, says Google’s McNamara.
In the end, the return on investment is just too attractive for attempts to exploit perimeter infrastructure, he says.
“Edge devices and appliances do not require social engineering of a target, and, if successful, can go undetected for long periods of time,” he says, adding, “There clearly is a level of investment and interest in strategically exploiting this category of technologies that has now come to define much of what we see with modern … intrusions.”