Nation-States Are Already Inside Your Network. Google Just Proved It.
I live in London. I used to work in US government intelligence. I drink my coffee black, I like calm systems, clean data, and boring security controls that just work.
Yesterday, Google Threat Intelligence Group published a report titled "Beyond the Battlefield: Threats to the Defence Industrial Base." It runs to several thousand words and covers threat activity from China, Russia, Iran, and North Korea against defence sector organisations globally.
Most people will read the headline, skim the executive summary, and move on.
I read the whole thing. Twice. Then I started correlating it against other primary sources.
The reality is this: what Google documented is not a future threat. It is a current operational reality. And it affects your business whether you make missile systems or cardboard boxes.
Let me explain why.
What Google Actually Found
I want to be precise here because precision matters when we are discussing nation-state capabilities.
Google Threat Intelligence Group assessed with high confidence that since 2020, Chinese cyber espionage groups have exploited more than two dozen zero-day vulnerabilities in edge devices from ten different vendors. Edge devices are the equipment sitting at the boundary of your network: VPN appliances, firewalls, routers, and security appliances.
That is not a theoretical risk assessment. That is documented exploitation. Twenty-four-plus zero-days. Ten vendors. Over five years. Ongoing.
The report identifies two particularly capable Chinese threat groups, UNC3886 and UNC5221, whose operations have directly impacted the defence sector. UNC3886 deployed 17 distinct malware families against defence and aerospace targets. UNC5221 conducted the BRICKSTORM campaign, which had an average dwell time of 393 days.
I need you to sit with that number for a moment. 393 days. Over thirteen months inside compromised networks before detection.
In intelligence terms, that is not an intrusion. That is residency.
Why Edge Devices Specifically
This is where my former life becomes relevant.
When you design an intelligence collection operation, you optimise for three things: access, persistence, and stealth. You want to get in, you want to stay in, and you want to avoid being seen.
Edge devices satisfy all three requirements simultaneously. Here is why.
Access. These devices sit at the network boundary. Every connection entering or leaving your network passes through them. Compromising one device gives you visibility into the entire organisation's communications. In intelligence parlance, it is the equivalent of owning the postroom.
Persistence. Edge devices are not designed to be frequently replaced or reimaged. They run specialised operating systems with limited monitoring capabilities. Attackers who establish a presence on an edge device can maintain access for months or years. The Fortinet symlink backdoor, documented separately, survived firmware updates on over 16,000 devices. Patching did not remove the attacker.
Stealth. And this is the critical point. Edge devices typically do not support endpoint detection and response tools. Your EDR platform monitors your laptops, your servers, your workstations. It does not monitor your VPN appliance. Your firewall is, by design, outside the scope of most security monitoring.
The devices you trust most are the devices you watch least. Nation-states understood this years before the rest of us caught up.
The Mandiant M-Trends 2025 report corroborates this pattern. The most frequently exploited vulnerabilities in 2024 incident response investigations affected security devices at the network edge. Three of the four top vulnerabilities were first exploited as zero-days: Palo Alto Networks PAN-OS, Ivanti Connect Secure VPN, and Fortinet FortiClient EMS.
These are not obscure products from unknown vendors. These are the standard perimeter security devices deployed by tens of thousands of organisations globally, including across the UK.
The Scale Problem Nobody Wants to Discuss
The Verizon Data Breach Investigations Report 2025 documented an eightfold increase in edge and VPN device vulnerability exploitation. Zero-day exploits against VPN devices increased from 3% to 22% of all vulnerability exploitation incidents.
The IBM X-Force Threat Intelligence Index 2025 recorded an 84% increase in infostealers targeting VPN credentials specifically. The Zscaler ThreatLabz 2024 VPN Risk Report found 91% of enterprises now express concern about VPN security risks.
I want to be careful not to simply stack statistics for dramatic effect. Statistics without context are noise. So here is the context.
These numbers represent a strategic shift in how nation-state actors approach network intrusion. They are not attacking your users and hoping to get lucky. They are attacking your infrastructure and guaranteeing themselves access. The distinction matters because the defensive response is fundamentally different.
User-focused attacks can be mitigated with security awareness training, phishing filters, and multi-factor authentication. Infrastructure-focused attacks require vulnerability management, network monitoring, and architecture review that most organisations, particularly smaller ones, are not equipped to perform.
"I Am Not a Defence Contractor"
I have heard this sentence many times, usually from people who are about to learn something uncomfortable about their supply chain.
Google's report states that manufacturing has been the most represented sector on ransomware data leak sites since 2020. Not healthcare. Not financial services. Manufacturing. The sector that includes thousands of UK businesses making components they believe are entirely civilian.
The report documents a 2025 ransomware incident affecting a UK automotive manufacturer that also produces military vehicles. Production was disrupted for weeks. More than 5,000 additional organisations were impacted through the supply chain.
Here is the analytical point that matters: you do not need to know you are in a defence supply chain to be in one. Your widgets may end up inside a system, inside a platform, inside a programme that serves a defence application three tiers upstream. And the threat actors mapping these supply chains have better visibility into your position than you do.
The report also documents UNC5976, a suspected Russian espionage cluster, creating hundreds of domains spoofing defence contractors, including companies headquartered in the UK. This is not speculative. This is observed infrastructure. These credential harvesting pages are designed to capture the login details of employees at companies connected to the defence sector.
If your email domain has ever appeared in correspondence with a defence prime, a Tier 1 supplier, or a government procurement contact, your organisation exists in someone's targeting database. That is not paranoia. That is how collection operations work.
The Human Collection Problem
The Google report documents something that concerns me more than the edge device exploitation, and I say that as someone who spent years thinking about technical collection.
Chinese threat actor APT5 conducted spearphishing campaigns against current and former employees of major aerospace and defence contractors. They targeted personal email addresses. Not corporate email. Personal.
The lures were crafted using detailed personal intelligence: invitations to industry events the targets would genuinely attend, references to local schools near contractor headquarters, alumni tickets for university sporting events sent to employees who attended those universities, and fake Boy Scouts of America correspondence sent to employees known to be parent volunteers.
This is human intelligence tradecraft adapted for the digital environment. The level of pre-operational research required to produce lures referencing a target's child's high school or their volunteer activities is significant. It indicates dedicated collection teams conducting sustained biographical research on individual targets.
For UK businesses, the implication is direct. Your corporate email security is irrelevant if the approach comes through your finance director's personal Gmail. Your endpoint protection is irrelevant if the target device is the employee's personal laptop at home.
We covered similar patterns in our analysis of Iranian social engineering operations, where state-sponsored actors demonstrated comparable sophistication in crafting personalised approaches. And the North Korean IT worker infiltration documented on this site demonstrates a further evolution: rather than attacking employees, some nation-states simply become employees.
Google's report confirms North Korean IT workers successfully infiltrated more than 100 US companies, including a California-based defence contractor developing AI technology. One facilitator was sentenced to prison for allowing a suspected DPRK operative to use his credentials on a US government defence programme.
These are not hypothetical scenarios from threat briefings. These are federal prosecutions.
What Competent Organisations Do About This
I am going to be direct. The standard advice of "patch your systems and train your users" is necessary but insufficient against the threat actors documented in this report. Here is what actually matters.
Understand your monitoring gaps. Contact your security provider or MSP this week and ask one specific question: "What visibility do we have into our edge devices?" If the answer does not include specific logging, alerting, and integrity monitoring for your VPN appliances and firewalls, you have a gap that nation-state operators are equipped to exploit. Accept the gap exists. Then close it.
Assume compromise as a planning assumption. The 393-day dwell time means your edge devices may already be compromised. This is not alarmism. It is a probability assessment based on observed threat activity. Ask your security provider to conduct an integrity check on your perimeter devices against known indicators of compromise. The NCSC publishes advisories for the specific products being targeted.
Implement network segmentation that assumes perimeter failure. If an attacker controls your firewall, what can they access? If the answer is everything, your architecture is designed for a threat environment that no longer exists. Segment critical systems. Require separate authentication for sensitive resources. Make lateral movement operationally difficult even when the perimeter has failed.
Deploy phishing-resistant authentication. The M-Trends 2025 report explicitly recommends FIDO2 security keys for remote access. Traditional multi-factor authentication, including SMS codes and authenticator applications, can be intercepted by adversary-in-the-middle attacks. Hardware security keys cannot. This is not a luxury. It is a control that directly addresses documented threat actor capabilities. We covered why traditional MFA is no longer sufficient in our analysis of the stolen credentials crisis.
Brief your staff on personal targeting. The APT5 campaign targeting personal email accounts means your corporate security boundary is incomplete by design. Staff awareness must extend beyond "don't click suspicious links at work" to include personal digital hygiene, recognition of social engineering approaches, and clear reporting channels when employees receive unusual contact through personal channels.
Map your supply chain position. Understand where your products and services ultimately end up. If any path connects to defence, aerospace, critical infrastructure, or government procurement, your risk profile is higher than your current controls assume. Document this. Plan for it.
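To make the "integrity monitoring" and "assume perimeter failure" points above concrete, here is an added example of the kind of check a small team can run against its own edge devices. It is not code from the Google report, from Mandiant, or from this site; the snapshot fields, the key=value syslog format and the sample values are all constructed for illustration and are not any vendor's real export format. The idea is simple: capture a known-good baseline of the appliance's administrative state, fingerprint it, and on every later collection report both the drift (new admin accounts, new listening ports, widened management access) and any admin activity arriving from outside the sanctioned management ranges.

```python
"""Edge-device baseline drift and admin-activity check (added example)."""
import hashlib
import ipaddress
import json
import re

# Constructed baseline: the appliance's administrative state captured during the
# last known-good maintenance window. Field names are this example's own.
BASELINE = {
    "firmware": "7.2.4",
    "admin_users": ["admin", "ops-jsmith"],
    "ssl_vpn_users": ["jsmith", "akhan"],
    "listening_services": ["0.0.0.0:443", "0.0.0.0:4443"],
    "mgmt_allowed_from": ["10.0.5.0/24"],
}

# Constructed current snapshot, collected later by the same export process.
# It shows an extra admin account, an extra listening port, and management
# access widened to the whole internet.
CURRENT = {
    "firmware": "7.2.4",
    "admin_users": ["admin", "ops-jsmith", "support"],
    "ssl_vpn_users": ["jsmith", "akhan"],
    "listening_services": ["0.0.0.0:443", "0.0.0.0:4443", "0.0.0.0:8443"],
    "mgmt_allowed_from": ["10.0.5.0/24", "0.0.0.0/0"],
}

# Constructed appliance syslog lines in a generic key=value layout (hypothetical).
SYSLOG = [
    "2025-11-03T02:14:09Z host=fw-edge-1 user=support src=203.0.113.45 action=login result=success",
    "2025-11-03T02:14:31Z host=fw-edge-1 user=support src=203.0.113.45 action=config_change object=admin.support",
    "2025-11-03T09:05:12Z host=fw-edge-1 user=ops-jsmith src=10.0.5.17 action=login result=success",
]


def fingerprint(snapshot):
    """Stable SHA-256 over a canonical JSON encoding, so two collections of the
    same state always hash identically regardless of key order."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def drift_report(baseline, current):
    """Return one finding string per change between baseline and current state."""
    findings = []
    for key in ("admin_users", "ssl_vpn_users", "listening_services", "mgmt_allowed_from"):
        for item in sorted(set(current[key]) - set(baseline[key])):
            findings.append(f"ADDED {key}: {item}")
        for item in sorted(set(baseline[key]) - set(current[key])):
            findings.append(f"REMOVED {key}: {item}")
    if current["firmware"] != baseline["firmware"]:
        findings.append(f"CHANGED firmware: {baseline['firmware']} -> {current['firmware']}")
    # A management source covering the whole internet is a finding in its own right.
    for net in current["mgmt_allowed_from"]:
        if ipaddress.ip_network(net).prefixlen == 0:
            findings.append(f"OPEN mgmt_allowed_from: {net}")
    return findings


KV_RE = re.compile(r"(\w+)=(\S+)")


def suspicious_events(lines, allowed_mgmt_nets):
    """Flag logins and config changes sourced outside the sanctioned management ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_mgmt_nets]
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        src = ipaddress.ip_address(fields["src"])
        if fields["action"] in ("login", "config_change") and not any(src in n for n in nets):
            hits.append(f"{fields['action']} by {fields['user']} from {src}")
    return hits


if __name__ == "__main__":
    print("baseline fingerprint:", fingerprint(BASELINE))
    print("current fingerprint: ", fingerprint(CURRENT))
    for finding in drift_report(BASELINE, CURRENT):
        print("DRIFT:", finding)
    # Always evaluate logs against the BASELINE allow-list, not the current one:
    # an attacker who widens the allow-list would otherwise silence this check.
    for hit in suspicious_events(SYSLOG, BASELINE["mgmt_allowed_from"]):
        print("SUSPICIOUS:", hit)
```

The design point worth noticing is the last comment. If the log check trusts the device's current management allow-list, an intruder who adds `0.0.0.0/0` to it makes their own subsequent activity look sanctioned, and the log check goes quiet. Evaluating against the stored baseline, and treating any change to that baseline as a finding, is what turns a log parser into integrity monitoring.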
How to Turn This Into Competitive Advantage
There is a commercial reality embedded in this threat intelligence that most businesses will miss.
Supply chain verification is coming. The Google report makes clear that defence primes and their suppliers will face increasing pressure to demonstrate supply chain security. That pressure will cascade. It always does. If you can present documented evidence of edge device monitoring, network segmentation, and phishing-resistant authentication before customers require it, you eliminate a procurement barrier your competitors will hit.
Security maturity differentiates. When a prospective customer asks, "How do you manage your network perimeter?" and your answer includes specific reference to edge device hardening, integrity monitoring, and zero-trust architecture principles, you have communicated something beyond security. You have communicated operational competence. In my experience, that matters more in procurement decisions than most businesses realise.
Risk reduction has quantifiable value. Your customers carry risk from their supply chain. A supplier who can demonstrate a reduced risk profile is commercially worth more than one who cannot. This is not abstract. Cyber insurance claims are being denied based on exactly these security posture deficiencies. Demonstrating proactive controls reduces your insurance costs and increases your value to customers simultaneously.
First-mover advantage is real. Most UK SMBs will not read the Google report. Most will not act on it. The small number who do will be positioned ahead of regulatory and commercial requirements that are now clearly on the horizon.
How to Sell This to Your Board
I have given briefings in rooms where the audience held security clearances and in rooms where the audience held profit-and-loss responsibility. The technique is the same: be precise, be brief, and connect threat to consequence.
Opening statement: "Google Threat Intelligence published a report yesterday documenting Chinese state-sponsored hackers systematically exploiting VPN appliances and firewalls used by UK businesses. Average time inside networks before detection: over one year."
Risk framing: "Our perimeter devices are the exact product category being targeted. We currently have [limited/no] visibility into whether our edge devices have been compromised. Under UK GDPR, our maximum liability for a data breach is £17.5 million or 4% of global turnover."
Commercial framing: "Our supply chain customers will begin requiring evidence of perimeter security controls within 12 to 18 months. This investment positions us ahead of that requirement. Competitors who delay will face emergency procurement under deadline pressure."
Investment ask: "Edge device integrity monitoring, network segmentation review, and phishing-resistant MFA deployment. Estimated cost: £15,000 to £40,000, depending on current architecture. This prevents a breach scenario costing £200,000 or more in incident response, regulatory action, and commercial losses."
Closing: "The question for this board is whether we want to discover our perimeter has been compromised through our own monitoring, or through a regulator's notification. I would prefer we choose the first option."
The Analytical Summary
Google's report documents a threat landscape that is more sophisticated, more persistent, and more directly relevant to UK businesses than most will acknowledge.
Chinese groups have exploited more than two dozen zero-days in edge devices from ten vendors. Russian groups are spoofing UK defence contractor domains. North Korean operatives are infiltrating companies through their hiring processes. Iranian actors are building fake recruitment portals targeting defence sector employees. And manufacturing remains the single most targeted sector on ransomware data leak sites.
These are not projections. They are observations. Documented, attributed, and ongoing.
Your VPN appliance is not a security control. It is a collection target. Your firewall is not a barrier. It is an access point. Every edge device on your network that you are not actively monitoring is a door you have left open for some of the most capable intelligence services on the planet.
393 days. That is how long they stay before anyone notices.
I would suggest you find out whether anyone is inside your network before they find a reason to let you know.
| Source | Article |
|---|---|
| Google Threat Intelligence Group | Beyond the Battlefield: Threats to the Defense Industrial Base |
| Google Threat Intelligence Group | BRICKSTORM Espionage Campaign Analysis |
| Mandiant | M-Trends 2025: Annual Threat Report |
| Verizon | 2025 Data Breach Investigations Report |
| IBM | X-Force Threat Intelligence Index 2025 |
| Zscaler ThreatLabz | 2024 VPN Risk Report |
| NCSC | Zero Trust Architecture Design Principles |
| NCSC | Supply Chain Security Guidance |
| US Department of Justice | Coordinated Actions to Combat North Korean Remote IT Worker Schemes |
| Google Threat Intelligence Group | China-Nexus Espionage ORB Networks |