# 🎯 **TARGET LOCKED:** Current Threats Targeting the Defense Industrial Base (DiB) – 2025 ![[DiBThreatsHeader3.png]] ## intro The United States Defense Industrial Base (DiB) remains one of the most heavily targeted sectors in the country, drawing sustained attention from state-sponsored threat actors. China, Russia, North Korea, and others view defense contractors and related industries as high-value sources of intelligence, intellectual property, and opportunities of disruption. The various threat actors associated with each nation rely on tactics ranging from Living-off-the-Land (LoL) techniques, to the exploitation of unpatched vulnerabilities, often blending stealth with persistence. In my post I will attempt to examine the current threat landscape in regard to the United States DiB, highlighting what defenders need to know about each threat actor/nation state and where to focus their priorities both now and in the future. ## china ![[chinathreat2.png]] ### overview: China continues to pose a persistent and serious threat to vital U.S. sectors, including telecommunications, the electrical grid, government agencies, the U.S. military, and Defense Industrial Base. In addition to the familiar patterns of espionage and intellectual property theft, Chinese threat actors are now [targeting critical infrastructure](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a), likely with the goal of strategically positioning themselves in areas that could hinder a U.S. response to a potential Chinese invasion of Taiwan. Even if China’s more specific objectives - such as disabling parts of the U.S. power grid to slow a response or reverse engineering U.S. military technology for strategic advantage - remain uncertain, it is clear that security professionals working within the targeted industries must stay vigilant and maintain a strong understanding of the TTPs and behaviors these actors employ. The good news is that years of research into China’s state-sponsored operations have revealed their playbook: that they [depend heavily on Living-off-the-Land (LoL) techniques](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a). The bad news is that LoL activity is a bit harder to detect, as it can often bypass traditional antivirus and EDR controls, and depending on the environment you work in, can be much harder to tune out what is normal behavior and what is malicious. In order to counter this, defenders must prioritize behavioral and context-driven detections built on patterns seen in past campaigns. The prospect of a Chinese invasion of Taiwan within the next decade is also becoming increasingly plausible. In 2024, a [single Chinese shipbuilder](https://www.defensenews.com/global/asia-pacific/2025/03/11/chinas-shipbuilding-dominance-a-national-security-risk-for-us-report/) produced more commercial vessels by tonnage than the entire U.S. shipbuilding industry has built since World War II. As of June 2024, China also fields the world’s largest naval force on paper, with 234 operational warships compared to the U.S. Navy’s 219. Beijing’s continued “[military drills](https://news.usni.org/2025/04/02/chinese-military-wraps-intimidation-drills-off-taiwan)” near Taiwan underscore its strategy of intimidation and highlight its readiness to leverage a rapidly expanding commercial and military fleet. **Threat Actors:** - *Volt Typhoon* A.K.A VANGUARD PANDA, BRONZE SILHOUETTE, Redfly, Insidious Taurus, Dev-0391, Storm-0391, UNC3236, or VOLTZITE - *Salt Typhoon* A.K.A OPERATOR PANDA, Earth Estrie, Ghost Emperor, FamousSparrow, UNC2286 **Motivations:** IP theft, strategic espionage, reconnaissance of U.S. critical infrastructure. **Recent Example Activity:** - https://www.nytimes.com/2023/07/29/us/politics/china-malware-us-military-bases-taiwan.html - https://web.archive.org/web/20250405033914/https://www.washingtonpost.com/technology/2023/12/11/china-hacking-hawaii-pacific-taiwan-conflict/ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a - https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach - https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/ **Combined TTPs:** [Valid Accounts (T1078)](https://attack.mitre.org/techniques/T1078/) - [Unsecured Credentials (T1552)](https://attack.mitre.org/techniques/T1552/) - [System Binary Proxy Execution (T1218)](https://attack.mitre.org/techniques/T1218/) - [External Remote Services (T1133)](https://attack.mitre.org/techniques/T1133/) - [Exploit Public Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/) - **MITRE ATT&CK Navigator: Combined Techniques** ![[dib_nav.png]] ### detections: `- Detection 1 - Environment Enumeration` ``` index=wineventlog (ParentImageFileName="cmd.exe" AND ImageFileName="wmic.exe") AND (ProcessCommandLine="*path win32_logicaldisk get caption,filesystem,freespace,size,volumename*") | table _time, ComputerName, UserName ParentImageFileName, ImageFileName, ProcessCommandLine ``` ``` index=wineventlog (ParentImageFileName="cmd.exe") AND (ImageFileName="net.exe" OR ImageFileName="net1.exe") AND (ProcessCommandLine="net group" AND ProcessCommandLine="*Domain Admins*") | table _time, ComputerName, UserName ParentImageFileName, ImageFileName, ProcessCommandLine ``` `- Detection 2 - Possible Tampering of ntds.dit Using Full Commands or Notations` ``` index=wineventlog (ImageFileName="wmic.exe" AND ProcessCommandLine="*ac i ntds*") | table _time, ComputerName, UserName ParentImageFileName, ImageFileName, ProcessCommandLine ``` ``` index=wineventlog (ParentImageFileName="cmd.exe" AND ImageFileName="wmic.exe" AND (ProcessCommandLine="*ntdsutil*" OR ProcessCommandLine="*ac i ntds*") AND ProcessCommandLine="*\\Windows\\Temp*") | table _time, ComputerName, UserName, ParentImageFileName, ImageFileName, ProcessCommandLine ``` ``` index=wineventlog ImageFileName="ntdsutil.exe" AND (ProcessCommandLine="*ac i ntds*" OR ProcessCommandLine="*activate instance ntds*" OR ProcessCommandLine=") | table _time, ComputerName, UserName ParentImageFileName, ImageFileName, ProcessCommandLine ``` `- Detection 3 - Possible Impacket (wmiexec.py) Usage` ``` index=wineventlog (ImageFileName=cmd.exe OR ImageFileName="wmic.exe") ( ProcessCommandLine="*dir*" AND ProcessCommandLine="*\\\\127.0.0.1\\ADMIN$*") | table _time, ComputerName, UserName ParentImageFileName, ImageFileName, ProcessCommandLine -- Scrutinize any log events for evidence of filenames with an epoch timestamp -- ``` `- Detection 4 - Audit Log Deletion` ``` index=wineventlog EventID=1102 | table _time, ComputerName, UserName ParentImageFileName, ImageFileName, ProcessCommandLine -- Any event with EventID 1102 should be scrutinized as it is uncommon to see this event in an environment -- ``` ### other takeaways: - **Botnet Capabilities** - Volt Typhoon has also been observed [operating botnets](https://www.cisecurity.org/insights/blog/critical-infrastructure-caught-botnet) built from compromised Cisco and Netgear routers. In September 2024, the group managed to compromise 30% of all internet-exposed Cisco RV320/325 routers within just 37 days. These operations appear consistent with Volt Typhoon’s broader strategy of embedding itself within U.S. critical infrastructure. - **Custom Malware** - While both Volt Typhoon and Salt Typhoon often rely on Living-off-the-Land techniques to evade detection, they are also capable of deploying highly sophisticated custom malware to achieve their objectives. For example, in 2022 Palo Alto Networks observed Volt Typhoon [deploying a custom backdoor called _SockDetour_](https://unit42.paloaltonetworks.com/sockdetour/) against U.S. defense contractors. Reflecting Volt Typhoon’s focus on stealth, _SockDetour_ hijacks existing network connections through a pre-existing socket, eliminating the need to establish a new connection that might be flagged by EDR tools or analysts. - **Exploitation of Vulnerabilities** - Both Volt Typhoon and Salt Typhoon regularly exploit known vulnerabilities to gain initial access into victim environments. According to the U.S. Department of Defense, Salt Typhoon [compromised and maintained persistent access](https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach) to an unnamed U.S. state’s Army National Guard network between March and December 2024, leveraging at least four separate CVEs to do so. **Exploited CVEs:** | **Vendor** | **CVE(s)** | **Product / Feature** | | ------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------- | | **Cisco** | CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, CVE-2024-20272 | IOS/IOS XE (Smart Install, Web UI), Unity Connection | | **Zoho (ManageEngine)** | CVE-2021-40539, CVE-2021-44077 | ADSelfService Plus, ServiceDesk Plus | | **FatPipe** | CVE-2021-27860 | WARP/IPVPN/MPVPN (web interface) | | **QNAP** | CVE-2021-28799 | HBS 3 (Hybrid Backup Sync) | | **Fortinet** | CVE-2022-42475, CVE-2023-27997 | FortiOS / FortiProxy SSL-VPN | | **Citrix (NetScaler / ADC / Gateway)** | CVE-2023-4966, CVE-2023-6548, CVE-2023-6549 | NetScaler ADC / Gateway | | **Ivanti (Connect Secure / Policy Secure)** | CVE-2023-46805, CVE-2024-21887 | Ivanti Connect Secure / Policy Secure | | **Versa Networks** | CVE-2024-39717 | Versa Director | ### defender priorities: - **Securing Accounts and Identities** - Both groups frequently abuse valid accounts to gain initial access or maintain persistence in victim environments. As detailed in [CISA’s advisory](https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf) on Volt Typhoon, it is common for the group to extract the `NTDS.dit` file, crack password hashes offline, and use legitimate elevated credentials to remain undetected. In some cases, Volt Typhoon maintained access for years by repeatedly extracting NTDS.dit to ensure they always had up-to-date valid credentials. - **Patching and Remediation of High-Impact Vulnerabilities** - While patching critical and high-severity vulnerabilities - especially on internet-exposed devices - should be standard practice, it remains one of the most neglected areas of security. Volt Typhoon, in particular, is known to rely almost exclusively on unpatched vulnerabilities to establish initial access. Every major report and advisory on their activity underscores this trend, with the compromise of a state’s Army National Guard network serving as a recent example. - **Baselining LoLBin Activity** - Organizations should establish a baseline for how Living-off-the-Land Binaries (LoLBins) are normally used in their environment. This is especially challenging for defense contractors, where large numbers of engineers regularly rely on LoLBins such as PowerShell or WMI to streamline their work. Security teams should understand what commands are executed day to day and by whom, so that deviations from this baseline immediately stand out. Tracking which users employ which tools is equally important, for example, a non-engineer running PowerShell commands should trigger more concern than an engineer doing the same. - **Understanding & Identifying "Low & Slow" Activity** - Nation-state actors are known for their patience, often remaining in victim environments for extended periods in order to avoid detection for as long as possible. Defenders must treat any anomaly as worthy of scrutiny so as to avoid missing what might be a critical detection opportunity. The Chinese threat actor currently sitting inside of your environment is well aware of the tools that you are using, what EDR, what AM solution, what SIEM, etc. and they WILL tailor their TTPs to evade them and to evade YOU. This makes proactive threat hunting and continuous identification of monitoring gaps in the security stack essential. ### closing thoughts: If there's one takeaway in regard to Chinese threat actors, its that they are deliberate and they patient, often choosing to remain in victim environments for extended periods to maintain access, gather intelligence, and prepare for what might end up being a mass sabotage attempt of U.S. critical infrastructure. They are well aware of the detection methods that most organizations rely on, and therefore adapt their techniques to remain hidden, which usually takes the form of an overreliance on LoLBins and other built-in tools. As a result this often makes traditional detection efforts insufficient and therefore a more proactive effort, often taking the form of proactive threat hunting, is critical in the pursuit of protecting your organization against China's ongoing campaigns. ## russia ![[russiathreat2.png]] ### overview: Russia remains a persistent threat to U.S. government agencies, the U.S. Military, and the Defense Industrial Base through a wide range of cyber campaigns. These operations are driven by a diverse range of motivations, including espionage, sabotage, and influence efforts, many of which are tied directly to the ongoing war in Ukraine. In May 2025, CISA [issued an advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a) warning of Russian campaigns against Western logistics and technology companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The advisory highlighted GRU Unit 26165, better known as _APT28_ or _Fancy Bear_, as the primary actor behind these operations. CISA noted that APT28 has targeted five key industries supporting aid efforts: - **Defense Industry** - **Transportation and Transportation Hubs (ports, airports, etc.)** - **Maritime** - **Air Traffic Management** - **IT Services** Going back to 2024, another Russian group known as GRU Unit 29155 also known as _Ember Bear_ (coined by CrowdStrike) was reported by CISA, the FBI, and the NSA to be actively probing critical infrastructure across multiple worldwide entities. Their objectives included espionage, sabotage, and reputational damage, with a strong focus on disrupting any ongoing aid/support to Ukraine. As a result of there being no clear end in sight to the war in Ukraine, campaigns are expected to continue and potentially even escalate, as Russia seeks to shape the outcome of the war in its favor, increasing the likelihood of more frequent and possibly more disruptive cyberattacks against NATO-aligned nations. **Threat Actors:** - *Fancy Bear* [A.K.A.](https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Sofacy%2C%20APT%2028%2C%20Fancy%20Bear%2C%20Sednit&n=1) - Sofacy / APT 28 / Fancy Bear / Sednit / Group 74 / TG-4127 / Pawn Storm / Tsar Team / Strontium / Swallowtail / SIG40 / Snakemackerel / Iron Twilight / ATK 5 / T-APT-12 / ITG05 / TAG-0700 / UAC-0028 / FROZENLAKE / Grey-Cloud / Grizzly Steppe / The Dukes / Forest Blizzard / GruesomeLarch / BlueDelta / TA422 / Fighting Ursa / Blue Athena / UAC-0063 / TAG-110 / G0007 - *Ember Bear* [A.K.A.](https://apt.etda.or.th/cgi-bin/showcard.cgi?g=SaintBear%2C%20Lorec53&n=1) - SaintBear / TA471 / UNC2589 / Lorec53 / UAC-0056 / Nodaria / FROZENVISTA / Storm-0587 / Nascent Ursa / G1003 **Motivations:** Sabotage, influence operations, strategic espionage, reconnaissance of U.S. critical infrastructure, reputational harm. **Recent Example Activity:** - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a - https://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/ **Combined TTPs:** [Brute Force: Password Guessing (T1110.001)](https://attack.mitre.org/versions/v17/techniques/T1110/001/) - [Proxy: Multi-hop Proxy (T1090.003)](https://attack.mitre.org/versions/v17/techniques/T1090/003/) - [Encrypted Channel (T1573)](https://attack.mitre.org/versions/v17/techniques/T1573/) - [Phishing: Spearphishing Link (T1566.002)](https://attack.mitre.org/versions/v17/techniques/T1566/002/) - [Compromise Accounts: Email Accounts (T1586.002)](https://attack.mitre.org/versions/v17/techniques/T1586/002/) - [Compromise Accounts: Cloud Accounts (T1586.003)](https://attack.mitre.org/versions/v17/techniques/T1586/003/) - [Multi-Stage Channels (T1104)](https://attack.mitre.org/versions/v17/techniques/T1104/) - [Execution Guardrails: Geofencing (T1627.001)](https://attack.mitre.org/versions/v17/a/T1627/001/) - [Input Capture (T1056)](https://attack.mitre.org/a/v17/techniques/T1056/) ![[emberbearapt28combined.png]] ### detections: `Detection 1 - Possible NTDS.dit Tampering` ``` index=wineventlog ImageFileName="ntdsutil.exe" AND ProcessCommandLine="*activate instance ntds*" OR ProcessCommandLine="*create full C:\\temp*" --- Any instance of the ntdsutil utility containing command line arguments referencing a temp folder should be scrutinized heavily --- ``` `Detection 2 - Suspicious Command Lines` ``` index=wineventlog (ImageFileName="edge.exe" AND ProcessCommandLine="*headless-new -disable-gpu*") OR (ProcessCommandLine="*ssh -Nf*" OR ProcessCommandLine="*schtasks /create /xml*") ``` ### other takeaways: - **Use of Commonly Available Tools** - Both _Fancy Bear_ and _Ember Bear_ make heavy use of open-source hacking tools and frameworks such as Impacket and Metasploit. They also leverage publicly available OSINT platforms like Shodan and VirusTotal to collect intelligence on potential targets. This reliance on widely known hacking and reconnaissance tools distinguishes Russian operators from their Chinese counterparts and suggests a lower tolerance for stealth. Because these tools are more visible in network and endpoint telemetry, their use can provide defenders with valuable detection opportunities. **List of Tools:** ``` - Impacket - Get-PPPassword.py - secretsdump.py - ntlmrelayx.py - krbrelayx.py - PsExec - psexec.py - Certipy - ADExplorer - Nmap - ldap-dump.py - LinPEAS - Responder - BloodHound - CrackMapExec - ProxyChains - Metasploit ``` [YARA Signatures for Impacket Suite](https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar) - **Use of Publicly Available CVE Exploit Scripts** - Both actors have also been observed downloading custom exploit scripts for various CVEs hosted on GitHub and deploying them directly against victim environments. These scripts are not limited to initial access, though they are often used to exploit internet-facing systems, but are also employed for privilege escalation and lateral movement once inside of a victim's environment. After establishing access, the groups have been observed scanning the internal network for additional vulnerabilities to exploit in order to strengthen their foothold. **Exploited CVEs:** | **Vendor** | **CVE(s)** | **Product / Feature** | | ------------------ | ---------------------------------------------- | ------------------------------------------------ | | **Dahua Security** | CVE-2021-33044, CVE-2021-33045 | Dahua IP Camera, Video Intercom, PTZ Dome Camera | | **Atlassian** | CVE-2022-26134, CVE-2022-26138 | Confluence Server & Data Center | | **Sophos** | CVE-2022-3236 | Sophos Firewall | | **Microsoft** | CVE-2023-23397 | Microsoft Outlook | | **Roundcube** | CVE-2020-12641, CVE-2020-35730, CVE-2021-44026 | Roundcube Webmail | | **RARLAB/WinRAR** | CVE-2023-38831 | WinRAR | ### defender priorities: - **Prioritize Remediation of Internal Vulnerabilities** - Russian state-sponsored actors consistently exploit known CVEs at multiple stages of their attacks. Patching critical and high-severity vulnerabilities on internet-facing systems is essential, but it is not sufficient. The same CVEs must also be remediated on internal systems, as leaving them unpatched provides attackers with easy paths for privilege escalation or lateral movement. Closing these gaps can often result in adversary being contained to limited access and eventually being forced into riskier activity that increases the chance of detection. - **End-User Phishing Education & Training** - Spearphishing remains one of the most frequently used tactics by Russian state-sponsored actors, and their campaigns are often highly sophisticated. Organizations must ensure employees are thoroughly trained to recognize and report these threats. A strong internal user-awareness program, supported by regular phishing simulations, provides a critical layer of defense. Pairing this with phishing-resistant MFA and robust identity and access management significantly reduces the likelihood of compromise. ### closing thoughts: While the ongoing war in Ukraine highlights Russia’s geopolitical objectives and sheds light on the intent behind much of its cyber activity, defenders must still focus on the tactics, techniques, and procedures that Russian state-sponsored actors employ. These groups are known for their sophistication, patience, and willingness to use any tool available—from Living-off-the-Land techniques and custom malware to CVE exploitation and spearphishing. Defenders should be prepared for this breadth of capability and ensure that technical controls and employee training work together to stop attacks before they escalate. ## references 1. CISA. _People’s Republic of China State-Sponsored Cyber Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure._ [AA24-038A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a) 2. CISA. _People’s Republic of China State-Sponsored Cyber Actors Exploit Barracuda ESG Zero-Day Vulnerability._ [AA23-144A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a) 3. Defense News. _China’s shipbuilding dominance a national security risk for US: report._ (March 11, 2025). [Link](https://www.defensenews.com/global/asia-pacific/2025/03/11/chinas-shipbuilding-dominance-a-national-security-risk-for-us-report/) 4. USNI News. _Chinese Military Wraps Intimidation Drills off Taiwan._ (April 2, 2025). [Link](https://news.usni.org/2025/04/02/chinese-military-wraps-intimidation-drills-off-taiwan) 5. The New York Times. _Chinese Malware Hits Systems on U.S. Military Bases in Taiwan Conflict Preparations._ (July 29, 2023). [Link](https://www.nytimes.com/2023/07/29/us/politics/china-malware-us-military-bases-taiwan.html) 6. The Washington Post (Archived). _China hacking Hawaii, Pacific targets in Taiwan conflict prep._ (Dec 11, 2023). [Archive Link](https://web.archive.org/web/20250405033914/https://www.washingtonpost.com/technology/2023/12/11/china-hacking-hawaii-pacific-taiwan-conflict/) 7. ITPro. _All US forces must now assume their networks are compromised after Salt Typhoon breach._ [Link](https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach) 8. DocumentCloud. _DHS Report on Salt Typhoon – 2025-06-11._ [Link](https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/) 9. MITRE ATT&CK. _Valid Accounts (T1078)._ [Link](https://attack.mitre.org/techniques/T1078/) 10. MITRE ATT&CK. _Unsecured Credentials (T1552)._ [Link](https://attack.mitre.org/techniques/T1552/) 11. MITRE ATT&CK. _System Binary Proxy Execution (T1218)._ [Link](https://attack.mitre.org/techniques/T1218/) 12. MITRE ATT&CK. _External Remote Services (T1133)._ [Link](https://attack.mitre.org/techniques/T1133/) 13. MITRE ATT&CK. _Exploit Public-Facing Application (T1190)._ [Link](https://attack.mitre.org/techniques/T1190/) 14. Center for Internet Security (CIS). _Critical Infrastructure Caught in Botnet Crossfire._ [Link](https://www.cisecurity.org/insights/blog/critical-infrastructure-caught-botnet) 15. Palo Alto Networks Unit 42. _SockDetour: Newly Discovered Malware Targeting Defense Contractors._ [Link](https://unit42.paloaltonetworks.com/sockdetour/) 16. CISA. _Iranian Cyber Actors May Target Vulnerable U.S. Networks and Entities of Interest._ [Link](https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest)