Chinese State Hackers Lived Inside Defence Networks for 393 Days: What Google's Report Means for Your 50-Person Business

Three hundred and ninety-three days. That's the average time Chinese state hackers spent living inside compromised networks before anyone noticed, according to Google's Threat Intelligence Group. Not three hundred and ninety-three minutes. Not three hundred and ninety-three hours. Three hundred and ninety-three days. Over a year of someone reading your emails, mapping your systems, and drinking your metaphorical coffee before you even knew they were in the building.

This week on The Small Business Cyber Security Guy podcast, I handed the reins to Mauven MacLeod and former US government intelligence analyst Dr Corrine Jefferson to tear apart Google's new report on threats to the defence industrial base. What started as a conversation about nation-state espionage turned into a wake-up call for every small business owner in the UK who has ever said, "We don't build missiles, this doesn't apply to us."

Spoiler: it absolutely does.

You Don't Need to Know You're in a Defence Supply Chain to Be in One

Let's get the most uncomfortable point out of the way first. When Google talks about the "defence industrial base," they don't mean the people bolting warheads together in secure facilities. They mean the entire ecosystem: software suppliers, logistics companies, component manufacturers, specialist engineering firms, and every other business in the chain that supports defence capability.

As Corrine put it in the episode, threat actors map supply chains professionally. They may understand your position in the ecosystem better than you do.

Picture this: you're running an 80-person precision engineering firm in the Midlands. You make a component that goes into a braking system that goes into a vehicle that sometimes has armour on it. Officially, you're "automotive." Unofficially, you're sitting in a defence supply chain whether your marketing materials say "defence" or not.

Google's report drives this home with hard data. Since 2020, manufacturing has been the most represented sector on the ransomware data leak sites that Google tracks. Not healthcare. Not financial services. Manufacturing. And many of those firms provide dual-use components that end up in defence applications without the manufacturers necessarily realising it.

The report references a UK automotive manufacturer that also produces military vehicles, where ransomware disrupted production for weeks and impacted more than five thousand organisations down the supply chain. Five thousand. That's not one unlucky company having a bad day. That's a blast radius that sends shockwaves through entire industries.

The Edge Device Problem: Your Front Door Is the One Thing Nobody's Watching

Here's where the Google report gets properly frightening for small businesses, and where the 393-day statistic comes from.

Since 2020, Chinese cyber espionage groups have exploited more than two dozen zero-day vulnerabilities in edge devices from ten different vendors. Edge devices are the kit sitting at the boundary of your network: your VPN appliance, your firewall, your security boxes. Think of them as your front door, your letterbox, and your CCTV all bolted together in one slightly dusty beige unit that nobody has logged into since the last office move.

The campaign by UNC5221, which Google calls BRICKSTORM, is the one that produced that 393-day average dwell time. The group deployed sophisticated backdoors on devices that don't support traditional endpoint detection and response (EDR) tools. In plain English: they hid in the one place your security software cannot see.

From an intelligence perspective, edge devices are perfect targets for three reasons. Access, because all your traffic passes through them. Persistence, because they're rarely rebuilt or replaced. And stealth, because your security monitoring mostly ignores them. As we discussed in the episode, it's like owning the postroom, the front desk, and the CCTV while everyone keeps investing in nicer desk chairs.

Another group, UNC3886, has used seventeen distinct malware families in operations against defence and aerospace targets. Seventeen. That's not a smash-and-grab operation. That's a well-resourced, patient, and deeply sophisticated adversary with the tools and the time to do whatever they want once they're inside.

If you run a small business and you're thinking "we'd definitely notice," consider this: that VPN box is probably in a cupboard next to the cleaning supplies. The firewall was configured by "a guy" six years ago. And nobody has logged into the admin interface since the last office move. Your big spend went on endpoint protection for laptops. Maybe some email security. And then a single VPN appliance that, if it falls over, takes the whole business offline, and yet nobody's monitoring it for compromise.

It's Not Just China: The Human Targeting Problem

The Google report covers threats from Russia, Iran, and North Korea as well, and the pattern across all of them is disturbingly similar: attackers are going after people, not just servers.

Russian groups like APT44 have targeted secure messaging apps used by Ukrainian military personnel, abusing device-linking features and fake group-invite pages on Signal and WhatsApp. For a UK SME, swap "battlefield apps" for your WhatsApp groups, Teams channels, and shared Google Drives. If your finance director is approving payments from her phone while half-watching the telly, that's part of your attack surface whether you've written it into the policy or not.

Chinese threat actor APT5 conducted campaigns specifically targeting the personal email addresses of defence contractor employees. Not their work accounts, which have enterprise security controls. Their personal Gmail and Hotmail accounts, where the security is whatever the individual bothered to set up. If this sounds familiar, it should. We covered exactly this kind of personal targeting in our stolen credentials deep-dive, and the threat hasn't diminished since.

Then there's the North Korean IT worker problem. Since at least 2019, North Korean operatives have been getting remote jobs inside companies, including more than one hundred US firms. One case involved a defence contractor developing AI technology. Another involved a US government defence programme where a North Korean operative used someone else's credentials to work on a contract. We covered this threat extensively in our earlier episode on North Korean IT worker infiltration, and the Google report adds even more detail to that picture.

And as we explored right back in Episode 1 on Iranian social engineering, Iranian-nexus actors continue to use fake recruitment portals, bogus job offers, and even "resume builder" apps to get malware onto machines. Groups like UNC1549 and UNC6446 spoof aerospace and drone companies, even specific conferences. They dangle what look like real roles in front of people who genuinely want those jobs.

The Job Offer Your Staff Can't Resist

One of the most uncomfortable sections in the podcast covers job-themed phishing. Multiple threat groups, including APT45, APT43, and UNC2970, are impersonating recruiters, spoofing defence and cyber companies, and using sophisticated reconnaissance to craft believable approaches. In one documented case, attackers used Google's own Gemini AI to profile target roles and salary bands so their fake job offers looked realistic.

Here's the hard truth every small business owner who says "we're like a family here" needs to hear: your "family" will absolutely click on a personalised job offer that pays ten grand more and lets them work from home in their pyjamas. Loyalty does not beat a believable LinkedIn DM at half-past three on a bad Tuesday.

This doesn't mean you should be paranoid about every recruiter email forever. But it does mean your brand, your careers page, and your HR tooling can be used as lures. If you're a niche supplier in an interesting sector, you're a perfect logo to steal for a phishing campaign. Hiring is now a collection vector. CVs, code tests, reference checks, contractor onboarding: all of it is data and access.

The Ransomware Reality for UK Manufacturers

Let's bring this back to where most UK SMEs actually feel the pain: ransomware.

Google's data confirms that while pure aerospace and defence firms represent only about 1% of victims on data leak sites, manufacturing organisations broadly sit at the top of the chart. Many of those firms provide dual-use components that can end up in defence applications. The line between "civilian manufacturer" and "defence supply chain participant" is far blurrier than most business owners realise.

Manufacturing environments are uniquely vulnerable because the "it's just IT" bits are the nervous system. As Mauven described in the episode, she's walked into factories where the production line literally stops if the label printer dies. Not the robot. Not the CNC machine. The label printer. You don't have to hit the robot to stop the robot. You just have to confuse it.

And small firms don't have the cash cushion for extended outages. A two-week production halt can be the difference between "annoying quarter" and "we're done." Which is why it's worth asking your MSP a very concrete question this week: "What can you actually see on our VPN and firewall? Show me." If the answer involves a lot of waffling and no screenshots, you've learned something important.

Your 90-Day Action Plan

Mauven laid out a simple three-phase plan in the episode that won't require a second mortgage. Here's the expanded version.

Phase One (Weeks 1-2): Edge Reality Check. Ask your MSP or IT person three questions. One: what logs and alerts do we have on our VPN, firewall, and any other edge devices? Two: who actually looks at those logs, and how often? Three: if you found signs of compromise tomorrow, what's the playbook? If the answers are "we're not sure," "the system keeps them somewhere," and "we'd raise a ticket with the vendor," that tells you this is a real project, not a footnote.

Phase Two (Weeks 3-6): Pick One Segmentation Win. Don't try to redesign your entire network. Just choose one line in the sand. For most SMEs, that's getting finance on its own network segment, or separating production from the general office network. Draw it, cost it, do it.

Phase Three (Weeks 7-12): Phishing-Resistant MFA for Key People. Start moving directors, finance staff, and IT administrators to phishing-resistant multi-factor authentication for remote and admin access. You don't need to boil the ocean. A small set of properly secured accounts dramatically reduces the value of stolen credentials for the roles that matter most.
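One way to answer the first two Phase One questions yourself, as an added example that is not from the episode or from Google's report: a short Python review over constructed, vendor-neutral edge device log lines that reports, per device, how long ago it last logged anything, admin logins from outside an assumed management subnet, configuration changes, and the longest stretch of silence (a box that has stopped sending logs is exactly the "nobody's watching" problem). The log shape, hostnames, addresses and the 10.0.5.0/24 management range are all assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simple syslog-like shape (assumption: not any real vendor's format).
SAMPLE_LOGS = """\
2024-03-01T08:02:11 fw-edge-01 admin_login user=admin src=10.0.5.20 result=ok
2024-03-01T08:30:44 fw-edge-01 config_change user=admin item=nat_rule
2024-03-02T02:13:09 vpn-edge-01 admin_login user=admin src=203.0.113.45 result=ok
2024-03-02T02:14:51 vpn-edge-01 config_change user=admin item=firmware
2024-03-09T09:00:00 fw-edge-01 admin_login user=admin src=10.0.5.20 result=ok
2024-03-20T07:45:12 vpn-edge-01 vpn_session user=alice src=198.51.100.23 result=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
MGMT_NET = ip_network("10.0.5.0/24")   # assumed management subnet; admin logins should come from here
MAX_SILENCE = timedelta(days=3)        # assumed threshold: a device quiet this long deserves a look

def parse_line(line):
    """Split '<timestamp> <host> <event> k=v k=v ...' into a dict."""
    ts, host, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}

def review_edge_logs(text, now):
    """Per edge device: last-seen age, admin logins from outside MGMT_NET,
    config changes, and the longest gap with no log lines at all (up to 'now')."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])
    report = {}
    for host in sorted({e["host"] for e in events}):
        evs = [e for e in events if e["host"] == host]
        times = [e["ts"] for e in evs] + [now]          # include 'now' so current silence counts
        longest_gap = max(b - a for a, b in zip(times, times[1:]))
        report[host] = {
            "last_seen_days_ago": (now - evs[-1]["ts"]).days,
            "foreign_admin_logins": [(e["ts"].isoformat(), e["src"]) for e in evs
                                     if e["event"] == "admin_login"
                                     and ip_address(e["src"]) not in MGMT_NET],
            "config_changes": [(e["ts"].isoformat(), e["item"]) for e in evs
                               if e["event"] == "config_change"],
            "longest_silence_days": longest_gap.days,
            "silence_exceeded": longest_gap > MAX_SILENCE,
        }
    return report

def demo_report():
    """Run the review over the constructed sample as of an assumed 'now'."""
    return review_edge_logs(SAMPLE_LOGS, datetime(2024, 3, 25))

if __name__ == "__main__":
    for host, summary in demo_report().items():
        print(host, summary)
```

In the constructed sample the VPN appliance shows an admin login from outside the management range followed minutes later by a firmware change, then weeks of near silence: the kind of sequence that only gets noticed if someone actually reads these logs.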

How to Turn This Into a Competitive Advantage

If you sell into larger customers, particularly in manufacturing, aerospace, or any sector that touches government procurement, this is your opportunity to get ahead of a wave that's coming regardless.

Lead with supply chain assurance. Sooner or later, procurement teams are going to start asking awkward questions about your edge device monitoring, your network segmentation, and your MFA deployment. Being able to answer those questions calmly, with evidence, while your competitor sweats through the meeting, is very good for business.

Use Google's own data in sales conversations. "Google has documented nation-state actors exploiting VPNs and firewalls like the ones every business uses, with average dwell times over a year. We've taken specific steps to address this." That's a powerful differentiator when you're competing for contracts.

Position security investment as business insurance with commercial upside. You're not spending money because you're scared. You're investing because you understand the supply chain landscape better than your competition, and you can prove it.

How to Sell This to Your Board

When you take this to your directors, keep it tight and focused on numbers they understand.

The threat is documented and specific. Google's Threat Intelligence Group has published evidence of nation-state actors exploiting VPNs and firewalls identical to the ones most UK businesses use. Average dwell time: over a year undetected. This isn't theoretical.

Manufacturing is the primary target. Since 2020, manufacturing has been the most represented sector on ransomware data leak sites. If your business makes things, you're in the crosshairs whether you know it or not.

The cost comparison is stark. Spend five to fifteen thousand pounds now on hardening the perimeter and reducing blast radius. Or spend two hundred thousand plus later cleaning up a breach, assuming the business survives the downtime.

Commercial advantage is real. Procurement requirements are tightening across defence, government, and major enterprise supply chains. Investment now positions the business to win contracts that competitors can't.

What This Means for Your Business

The reality is, you are already part of someone's threat model. The only question is whether you acknowledge it and act, or wait for an incident to make the point for you.

This week, have the awkward conversation with your MSP. Ask what visibility they actually have on your edge devices. Get screenshots, not reassurances.

This month, identify your single biggest segmentation gap. Where could an attacker move laterally from a compromised device to your most valuable systems?

This quarter, deploy phishing-resistant MFA for your most exposed people. Directors, finance, IT. Start small, but start.

The businesses that treat this as an opportunity rather than a cost are the ones that will still be winning contracts in five years. The ones that dismiss it as "not relevant to us" are the ones whose supply chain position makes them exactly the kind of soft target that nation-state actors love.

Listen to the Full Discussion

This week's episode features Mauven MacLeod and Dr Corrine Jefferson going deep on the Google Threat Intelligence report, with specific examples of how each nation-state threat actor operates and what it means for UK businesses at every scale.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com